This repository has been archived by the owner on Oct 3, 2019. It is now read-only.

group permissions are not good with s3fs #91

Closed
gyulaweber opened this issue Sep 13, 2016 · 4 comments

@gyulaweber

Hi,

I've tried to use it for storing s3fs secrets, but (by default) it doesn't allow password files which have group permissions.

I've created a quick workaround:
https://github.com/gyulaweber/keywhiz-fs/commit/d0da8a339c3a405ee039aa42471db4f51aa56705

I think it would be better if we can use a parameter like 'no-group-permissions', or something like that. I'm still not sure what would be the best solution for this.

@csstaub

csstaub commented Sep 13, 2016

It's possible to override the permissions on the server-side when adding a secret by setting the "mode" field in the metadata.

For example, if you set the metadata to

{"mode":"0400"}

the secret will have permissions 0400 in keywhiz-fs.

You can also override the owner/group with (for example):

{"owner":"cs","group":"cs","mode":"0400"}

That would make the secret be owned by cs:cs and have mode 0400.

If you're using the web UI to add a secret there should be a metadata field to add this.

If you're using the CLI, you can do it like this:

java -jar $KEYWHIZ_CLI_JAR -U https://localhost:4444/ add secret --name secret-name --json '{"mode":"0400"}'

That said, I think it would make sense to have a flag in keywhiz-fs to override the default permissions for secrets that don't have metadata attached to them.

@csstaub

csstaub commented Sep 13, 2016

We could allow an override in keywhiz-fs by adding a flag, maybe like this:

keywhiz-fs [OPTIONS] --default-permissions 0400

Would that be useful to you?
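
An added sketch, not keywhiz-fs code and not written by either commenter, of the precedence discussed in the two comments above: a per-secret "mode" in the metadata wins, otherwise a default applies. `ResolveMode`, `GroupOrOtherAccess` and the `fallback` argument (standing in for the proposed default-permissions value) are hypothetical names, and the metadata strings are constructed samples.

```go
package main

import (
	"encoding/json"
	"fmt"
	"os"
	"strconv"
)

// secretMeta mirrors the metadata keys shown in the thread.
type secretMeta struct {
	Owner string `json:"owner"`
	Group string `json:"group"`
	Mode  string `json:"mode"`
}

// ResolveMode returns the mode from the secret's metadata, or the
// fallback (hypothetical default-permissions value) when none is set.
func ResolveMode(metadata, fallback string) (os.FileMode, error) {
	var m secretMeta
	if metadata != "" {
		if err := json.Unmarshal([]byte(metadata), &m); err != nil {
			return 0, fmt.Errorf("bad metadata: %w", err)
		}
	}
	raw := m.Mode
	if raw == "" {
		raw = fallback
	}
	// Base 8 explicitly: "0400" read as decimal would become mode 0620.
	v, err := strconv.ParseUint(raw, 8, 32)
	if err != nil || v > 0777 {
		return 0, fmt.Errorf("invalid mode %q", raw)
	}
	return os.FileMode(v), nil
}

// GroupOrOtherAccess flags group bits (what the thread reports s3fs
// rejecting) and also other bits, as a stricter check for a secret file.
func GroupOrOtherAccess(mode os.FileMode) bool {
	return mode.Perm()&0077 != 0
}

func main() {
	for _, md := range []string{`{"mode":"0400"}`, `{"owner":"cs","group":"cs","mode":"0440"}`, ""} {
		mode, err := ResolveMode(md, "0440") // "0440" is a constructed default
		fmt.Println(md, mode, GroupOrOtherAccess(mode), err)
	}
}
```

Rejecting values above 0777 and non-string "mode" fields keeps a malformed metadata entry from silently producing a wider mode than intended.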

@gyulaweber

@csstaub: Big thanks for the explanation; yes, a default permission flag would be useful. I think I'll try to implement it, just for practicing golang.

@csstaub

csstaub commented Sep 13, 2016

@gyulaweber sounds good!
