aboutsummaryrefslogtreecommitdiff
path: root/doc
diff options
context:
space:
mode:
authorFélix Baylac Jacqué <felix@alternativebit.fr>2023-10-25 11:34:39 +0200
committerFélix Baylac Jacqué <felix@alternativebit.fr>2023-10-26 18:25:13 +0200
commitf83fa021937978e79c917c08b3499ba866120284 (patch)
tree8b87676d871e30a3bfa6a1082d0cbcdda15e2de1 /doc
parent4b3dee2ca3be35d2df73626ad36a8cddedc41e6f (diff)
downloadgarage-f83fa021937978e79c917c08b3499ba866120284.tar.gz
garage-f83fa021937978e79c917c08b3499ba866120284.zip
Add allow_world_readable_secrets option to config file
Sometimes, the secret files permissions checks gets in the way. It's by no mean complete, it doesn't take the Posix ACLs into account among other things. Correctly checking the ACLs would be too involving (see https://git.deuxfleurs.fr/Deuxfleurs/garage/issues/658#issuecomment-7102) and would likely still fail in some weird chmod settings. We're adding a new configuration file key allowing the user to disable this permission check altogether. The (already existing) env variable counterpart always take precedence to this config file option. That's useful in cases where the configuration file is static and cannot be easily altered. Fixes https://git.deuxfleurs.fr/Deuxfleurs/garage/issues/658 Co-authored-by: Florian Klink <flokli@flokli.de>
Diffstat (limited to 'doc')
-rw-r--r--doc/book/reference-manual/configuration.md12
1 files changed, 12 insertions, 0 deletions
diff --git a/doc/book/reference-manual/configuration.md b/doc/book/reference-manual/configuration.md
index 2a8c5df5..a536dd02 100644
--- a/doc/book/reference-manual/configuration.md
+++ b/doc/book/reference-manual/configuration.md
@@ -323,6 +323,18 @@ be obtained by running `garage node id` and then included directly in the
key will be returned by `garage node id` and you will have to add the IP
yourself.
+### `allow_world_readable_secrets`
+
+Garage checks the permissions of your secret files to make sure
+they're not world-readable. In some cases, the check might fail and
+consider your files as world-readable even if they're not. Such as
+when using Posix ACLs.
+
+Setting `allow_world_readable_secrets` to `true` bypass this
+permission verification.
+
+Alternatively, you can set the `GARAGE_ALLOW_WORLD_READABLE_SECRETS`
+environment variable to `true` to bypass the permissions check.
## The `[consul_discovery]` section