Merge pull request ceph#57546 from clwluvw/vault-token

cbodley · web-flow · commit b32fadf9a5cf · 2024-07-26T14:12:57.000+01:00
rgw: eliminate vault token perm for group read

Reviewed-by: Jiffin Tony Thottan &lt;thottanjiffin@gmail.com&gt;
diff --git a/src/rgw/rgw_kms.cc b/src/rgw/rgw_kms.cc
@@ -221,9 +221,9 @@ class VaultSecretEngine: public SecretEngine {
       return -ENOENT;
     }
 
-    if (token_st.st_mode & (S_IRWXG | S_IRWXO)) {
+    if (token_st.st_mode & (S_IWGRP | S_IXGRP | S_IRWXO)) {
       ldpp_dout(dpp, 0) << "ERROR: Vault token file '" << token_file << "' permissions are "
-                    << "too open, it must not be accessible by other users" << dendl;
+                    << "too open, the maximum allowed is 0740" << dendl;
       return -EACCES;
     }
 
@@ -257,7 +257,7 @@ class VaultSecretEngine: public SecretEngine {
     int res;
     string vault_token = "";
     if (RGW_SSE_KMS_VAULT_AUTH_TOKEN == kctx.auth()){
-      ldpp_dout(dpp, 0) << "Loading Vault Token from filesystem" << dendl;
+      ldpp_dout(dpp, 20) << "Loading Vault Token from filesystem" << dendl;
       res = load_token_from_file(dpp, &vault_token);
       if (res < 0){
         return res;
