author | Félix Baylac Jacqué <felix@alternativebit.fr> | 2023-10-25 11:34:39 +0200 |
---|---|---|
committer | Félix Baylac Jacqué <felix@alternativebit.fr> | 2023-10-26 18:25:13 +0200 |
commit | f83fa021937978e79c917c08b3499ba866120284 (patch) | |
tree | 8b87676d871e30a3bfa6a1082d0cbcdda15e2de1 /doc | |
parent | 4b3dee2ca3be35d2df73626ad36a8cddedc41e6f (diff) | |
Add allow_world_readable_secrets option to config file
Sometimes, the secret file permission check gets in the way. It's
by no means complete, it doesn't take the POSIX ACLs into account among
other things. Correctly checking the ACLs would be too involved (see
https://git.deuxfleurs.fr/Deuxfleurs/garage/issues/658#issuecomment-7102)
and would likely still fail in some weird chmod settings.
We're adding a new configuration file key allowing the user to disable
this permission check altogether.
The (already existing) env variable counterpart always takes precedence
over this config file option. That's useful in cases where the
configuration file is static and cannot be easily altered.
Fixes https://git.deuxfleurs.fr/Deuxfleurs/garage/issues/658
Co-authored-by: Florian Klink <flokli@flokli.de>
Diffstat (limited to 'doc')
-rw-r--r-- | doc/book/reference-manual/configuration.md | 12 |
1 files changed, 12 insertions, 0 deletions
diff --git a/doc/book/reference-manual/configuration.md b/doc/book/reference-manual/configuration.md index 2a8c5df5..a536dd02 100644 --- a/doc/book/reference-manual/configuration.md +++ b/doc/book/reference-manual/configuration.md @@ -323,6 +323,18 @@ be obtained by running `garage node id` and then included directly in the key will be returned by `garage node id` and you will have to add the IP yourself. +### `allow_world_readable_secrets` + +Garage checks the permissions of your secret files to make sure +they're not world-readable. In some cases, the check might fail and +consider your files as world-readable even if they're not. Such as +when using Posix ACLs. + +Setting `allow_world_readable_secrets` to `true` bypass this +permission verification. + +Alternatively, you can set the `GARAGE_ALLOW_WORLD_READABLE_SECRETS` +environment variable to `true` to bypass the permissions check. ## The `[consul_discovery]` section |
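Review bot: The new `allow_world_readable_secrets` section never states the precedence rule that the commit message gives. The last paragraph introduces `GARAGE_ALLOW_WORLD_READABLE_SECRETS` with "Alternatively", which reads as if the two settings were interchangeable, while the commit message says the environment variable always takes precedence over the config file key. Please add a sentence saying which one wins when both are set, and state the default value of the key. The section should also say plainly what is given up: with the option set to `true` the check is skipped entirely, so a secret file that really is world-readable is accepted without complaint, and the option is only appropriate when something else (such as the ACLs mentioned) restricts access. Two wording points in the same hunk: "to `true` bypass this" should be "bypasses", and the fragment "Such as when using Posix ACLs." should be folded into the preceding sentence.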