Skip to content

Commit

Permalink
Ansible Node - Enforce private key permission and bind permissions to…
Browse files Browse the repository at this point in the history
… scylla user

When the source playbook is executed with `become: True` its relevant TLS certificates will be owned by root. This causes a problem, because later on when trying to copy we are unable to read the resulting private key file, as it is (correctly) created by default with mode 0600.

This commit let Ansible generate each PKI component with mode 0644. Then, ensure these are copied to the remote machine's with strict permissions to scylla user/group. Finally, ensure that the private key is only readable by its target user - both locally and remotely.

Fixes scylladb#139
  • Loading branch information
fee-mendes committed Jul 4, 2022
1 parent 5d855a1 commit 275f22d
Showing 1 changed file with 21 additions and 2 deletions.
23 changes: 21 additions & 2 deletions ansible-scylla-node/tasks/ssl.yml
Original file line number Diff line number Diff line change
Expand Up @@ -38,13 +38,15 @@
- name: Generate an OpenSSL private key.
openssl_privatekey:
path: "./ssl/{{ inventory_hostname }}/{{ inventory_hostname }}.pem"
mode: 0644
delegate_to: localhost

- name: Generate an OpenSSL Certificate Signing Request
openssl_csr:
path: "./ssl/{{ inventory_hostname }}/{{ inventory_hostname }}.csr"
privatekey_path: "./ssl/{{ inventory_hostname }}/{{ inventory_hostname }}.pem"
common_name: "{{ inventory_hostname }}.{{ scylla_cluster_name }}.internal"
mode: 0644
delegate_to: localhost

- name: Generate an OpenSSL certificate signed with our CA certificate
Expand All @@ -54,21 +56,38 @@
ownca_path: "./ssl/ca/{{scylla_cluster_name }}-ca.crt"
ownca_privatekey_path: "./ssl/ca/{{ scylla_cluster_name }}-ca.pem"
provider: ownca
mode: 0644
delegate_to: localhost

- name: Copy the certificates into their proper locations
copy:
src: "{{ item }}"
dest: "{{ scylla_ssl.cert_path }}/{{ item | basename }}"
owner: root
group: root
owner: scylla
group: scylla
mode: '0644'
become: true
loop:
- "./ssl/ca/{{ scylla_cluster_name }}-ca.crt"
- "./ssl/{{ inventory_hostname }}/{{ inventory_hostname }}.crt"

- name: Securely copy private key into its proper location
copy:
src: "{{ item }}"
dest: "{{ scylla_ssl.cert_path }}/{{ item | basename }}"
owner: scylla
group: scylla
mode: '0600'
become: true
loop:
- "./ssl/{{ inventory_hostname }}/{{ inventory_hostname }}.pem"

- name: Secure local OpenSSL private key
file:
path: "./ssl/{{ inventory_hostname }}/{{ inventory_hostname }}.pem"
mode: 0600
delegate_to: localhost

- name: Generate cqlshrc
template:
src: templates/cqlshrc.j2
Expand Down

0 comments on commit 275f22d

Please sign in to comment.