fixing permission of generated config

[dennybaa]

There's no need in such strict options for a configuration file. However if there is it should be configurable for an enduser.

[legal90]

Hi @dennybaa,
Do you have any arguments why "there is no such need"?
Configuration file might contain secrets like encryption key, master token or AWS credentials.
The last two are not recommended to keep in the configuration file but anyway it should not be readable for other users, IMO.

cc: @johnbellone

[dennybaa]

@legal90 Hi, yes, please correct me if I'm wrong.

We are referring to a service or a check config not the main config, since the PR has nothing to do with that, right?
Consul doesn't require any parameters which should be sensitive: services and checks definitions.
So in 80% of cases users won't put anything sensitive into these files, for other 20% the mode might be configurable.

As for me now I couldn't reuse this cookbook for services configs generation, because the mode is strict and hardcoded :( In my case consul user/group is not known or viable during configs generation.

PS. I'm using the cookbook solely for services/checks configs generation.

[legal90]

@dennybaa Ah, now got it, thank you for the clarification!
I'm sorry, I've misunderstood it at first and thought that it was about the consul service configuration (/etc/consul/consul.json), not check's config.

Then it looks good to me. But please, fix the TravisCI tests - this line should be changed to "0644" too: https://github.com/johnbellone/consul-cookbook/blob/49b4b3f/test/integration/default/default_spec.rb#L76

[dennybaa]

@legal90 well, np. I also suggest to update watch permissions :), though I'm not using em. 0640 also seems too much for a watch file.

[legal90]

Thanks 👍

[lock]

This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.