From 9bac169862d9e1fc27daeb68bb99ef221624f8eb Mon Sep 17 00:00:00 2001
From: Julien Mailleret
Date: Wed, 18 Sep 2019 10:57:07 +0200
Subject: [PATCH] use files permissions from official package

---
 tasks/elasticsearch-config.yml                 | 28 ++++++++++++-------
 tasks/elasticsearch-template.yml               |  5 ++--
 tasks/xpack/elasticsearch-xpack.yml            |  3 +-
 .../security/elasticsearch-security-file.yml   |  6 ++--
 .../xpack/security/elasticsearch-security.yml  |  2 +-
 .../helpers/serverspec/oss_spec.rb             |  4 +--
 .../helpers/serverspec/shared_spec.rb          |  5 ++--
 .../helpers/serverspec/xpack_upgrade_spec.rb   |  6 ++--
 8 files changed, 34 insertions(+), 25 deletions(-)

diff --git a/tasks/elasticsearch-config.yml b/tasks/elasticsearch-config.yml
index e3437f2..c8bc1cf 100644
--- a/tasks/elasticsearch-config.yml
+++ b/tasks/elasticsearch-config.yml
@@ -1,27 +1,35 @@
 ---
 # Configure Elasticsearch Node
 
-#Create required directories
-- name: Create Directories
+#Create conf directory
+- name: Create Configuration Directory
   become: yes
-  file: path={{ item }} state=directory owner={{ es_user }} group={{ es_group }}
+  file: path={{ es_conf_dir }} state=directory owner=root group={{ es_group }} mode=2750
+
+#Create pid directory
+- name: Create PID Directory
+  become: yes
+  file: path={{ es_pid_dir }} state=directory owner={{ es_user }} group={{ es_group }} mode=0755
+
+#Create required directories
+- name: Create Others Directories
+  become: yes
+  file: path={{ item }} state=directory owner={{ es_user }} group={{ es_group }} mode=2750
   with_items:
-    - "{{ es_pid_dir }}"
     - "{{ es_log_dir }}"
-    - "{{ es_conf_dir }}"
     - "{{ es_data_dirs }}"
 
 #Copy the config template
 - name: Copy Configuration File
   become: yes
-  template: src=elasticsearch.yml.j2 dest={{ es_conf_dir }}/elasticsearch.yml owner={{ es_user }} group={{ es_group }} mode=0644 force=yes
+  template: src=elasticsearch.yml.j2 dest={{ es_conf_dir }}/elasticsearch.yml owner=root group={{ es_group }} mode=0660 force=yes
   register: system_change
   notify: restart elasticsearch
 
 #Copy the default file
 - name: Copy Default File
   become: yes
-  template: src=elasticsearch.j2 dest={{ default_file }} mode=0644 force=yes
+  template: src=elasticsearch.j2 dest={{ default_file }} owner=root group={{ es_group }} mode=0660 force=yes
   notify: restart elasticsearch
 
 #Copy the systemd specific file if systemd is installed
@@ -30,7 +38,7 @@
   block:
     - name: Make sure destination dir exists
       file: path={{ sysd_config_file | dirname }} state=directory mode=0755
-  
+
     - name: Copy specific ElasticSearch Systemd config file
       ini_file: path={{ sysd_config_file }} section=Service option=LimitMEMLOCK value=infinity mode=0644
       notify:
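Review bot: `Copy Default File` now writes `{{ default_file }}` as root:{{ es_group }} 0660, which makes the file that the service start-up reads for its environment (presumably /etc/default or /etc/sysconfig) writable by the service account itself, and the same group-write applies to `elasticsearch.yml` two tasks up; 0660 is what the official package ships, but it is a weaker posture than the 0640 a hardened host would want, since a compromised node process can rewrite its own config and launch options. Consider exposing the mode as a role variable instead of hard-coding it, or at least record the intent so the next reader does not "fix" it back to 0644: `# 0660 root:{{ es_group }} mirrors the upstream .deb/.rpm layout`. The `mode=2750`/`mode=0660` values in this hunk are safe because the key=value form hands them to Ansible as strings.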
@@ -40,10 +48,10 @@
 #Copy the logging.yml
 - name: Copy log4j2.properties File
   become: yes
-  template: src={{ es_config_log4j2 }} dest={{ es_conf_dir }}/log4j2.properties owner={{ es_user }} group={{ es_group }} mode=0644 force=yes
+  template: src={{ es_config_log4j2 }} dest={{ es_conf_dir }}/log4j2.properties owner=root group={{ es_group }} mode=0660 force=yes
   notify: restart elasticsearch
 
 - name: Copy jvm.options File
   become: yes
-  template: src=jvm.options.j2 dest={{ es_conf_dir }}/jvm.options owner={{ es_user }} group={{ es_group }} mode=0644 force=yes
+  template: src=jvm.options.j2 dest={{ es_conf_dir }}/jvm.options owner=root group={{ es_group }} mode=0660 force=yes
   notify: restart elasticsearch
diff --git a/tasks/elasticsearch-template.yml b/tasks/elasticsearch-template.yml
index beb512e..41f5f41 100644
--- a/tasks/elasticsearch-template.yml
+++ b/tasks/elasticsearch-template.yml
@@ -4,11 +4,12 @@
   file:
     path: "{{ es_conf_dir }}/templates"
     state: directory
-    owner: "{{ es_user }}"
+    owner: root
     group: "{{ es_group }}"
+    mode: 2750
 
 - name: Copy templates to elasticsearch
-  copy: src={{ item }} dest={{ es_conf_dir }}/templates owner={{ es_user }} group={{ es_group }}
+  copy: src={{ item }} dest={{ es_conf_dir }}/templates owner=root group={{ es_group }} mode=0660
   register: load_templates
   with_fileglob:
     - "{{ es_templates_fileglob | default('') }}"
diff --git a/tasks/xpack/elasticsearch-xpack.yml b/tasks/xpack/elasticsearch-xpack.yml
index a8f04f7..263af93 100644
--- a/tasks/xpack/elasticsearch-xpack.yml
+++ b/tasks/xpack/elasticsearch-xpack.yml
@@ -8,5 +8,4 @@
 #Make sure elasticsearch.keystore has correct Permissions
 - name: Set elasticsearch.keystore Permissions
   become: yes
-  file: state=file path={{ es_conf_dir }}/elasticsearch.keystore owner={{ es_user }} group={{ es_group }}
-  when: es_enable_xpack
+  file: state=file path={{ es_conf_dir }}/elasticsearch.keystore owner=root group={{ es_group }} mode=0660
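Review bot: `mode: 2750` in the `file:` dict of the templates-directory task is an unquoted YAML integer, so Ansible receives decimal 2750 (octal 5276) and applies setuid+sticky with owner `-w-`, group `rwx`, other `rw-` instead of the intended `rwxr-s---`; the key=value tasks elsewhere in this patch are unaffected because `mode=2750` arrives as a string. Quote or zero-prefix it: `mode: "2750"`. As written the task leaves the directory with the wrong special bits, root unable to list it, and the service account able to add or remove templates, which is the opposite of what the commit sets out to do.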
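Review bot: Dropping `when: es_enable_xpack` makes `Set elasticsearch.keystore Permissions` unconditional, and `file` with `state=file` errors when the path does not exist, so on a host where the keystore has not been created yet the role now aborts instead of skipping; lines 1–7 of this file are outside the hunk, so I cannot see whether the creation step is itself unconditional. Guard on the file rather than on a feature flag, e.g. register `stat: path={{ es_conf_dir }}/elasticsearch.keystore` as `es_keystore` and use `when: es_keystore.stat.exists`. Note too that with `es_conf_dir` now root-owned 2750 (no group write) the elasticsearch process presumably can no longer create the keystore on its own, so whichever task creates it must run as root before this one.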
diff --git a/tasks/xpack/security/elasticsearch-security-file.yml b/tasks/xpack/security/elasticsearch-security-file.yml
index c4e02ec..1d5d222 100644
--- a/tasks/xpack/security/elasticsearch-security-file.yml
+++ b/tasks/xpack/security/elasticsearch-security-file.yml
@@ -18,7 +18,7 @@
     src: "{{ es_conf_dir }}/x-pack/users"
     dest: "{{ es_conf_dir }}/users"
     group: "{{ es_group }}"
-    owner: "{{ es_user }}"
+    owner: root
   when: old_users_file.stat.exists
 
 # End of users migrations
@@ -95,11 +95,11 @@
 #Copy Roles files
 - name: Copy roles.yml File for Instance
   become: yes
-  template: src=security/roles.yml.j2 dest={{ es_conf_dir }}/roles.yml owner={{ es_user }} group={{ es_group }} mode=0644 force=yes
+  template: src=security/roles.yml.j2 dest={{ es_conf_dir }}/roles.yml owner=root group={{ es_group }} mode=0660 force=yes
   when: es_roles is defined and es_roles.file is defined
 
 #Overwrite users_roles file
 - name: Copy User Roles
   become: yes
-  template: src=security/users_roles.j2 dest={{ es_conf_dir }}/users_roles owner={{ es_user }} group={{ es_group }} mode=0644 force=yes
+  template: src=security/users_roles.j2 dest={{ es_conf_dir }}/users_roles owner=root group={{ es_group }} mode=0660 force=yes
   when: manage_file_users and users_roles | length > 0
diff --git a/tasks/xpack/security/elasticsearch-security.yml b/tasks/xpack/security/elasticsearch-security.yml
index 2678611..f735358 100644
--- a/tasks/xpack/security/elasticsearch-security.yml
+++ b/tasks/xpack/security/elasticsearch-security.yml
@@ -46,5 +46,5 @@
 #Copy Roles files
 - name: Copy role_mapping.yml File for Instance
   become: yes
-  template: src=security/role_mapping.yml.j2 dest={{ es_conf_dir }}/role_mapping.yml owner={{ es_user }} group={{ es_group }} mode=0644 force=yes
+  template: src=security/role_mapping.yml.j2 dest={{ es_conf_dir }}/role_mapping.yml owner=root group={{ es_group }} mode=0660 force=yes
   when: es_role_mapping is defined
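Review bot: The users-migration task that moves `x-pack/users` to `{{ es_conf_dir }}/users` now sets `owner: root` and `group: "{{ es_group }}"` but still sets no `mode`, so a freshly created destination gets whatever umask-derived default the module applies (commonly 0644), leaving the bcrypt hashes in `users` world-readable while every other config file in this patch gets an explicit 0660. Add `mode: "0660"` next to the owner change, quoted because this task uses the dict form and an unquoted `0660` would be misread. The module name and the task's first lines sit above the hunk, so if a later task re-chmods `users` this may already be covered, but the mode belongs here where ownership is decided.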
diff --git a/test/integration/helpers/serverspec/oss_spec.rb b/test/integration/helpers/serverspec/oss_spec.rb
index abe9df3..0f4ff00 100644
--- a/test/integration/helpers/serverspec/oss_spec.rb
+++ b/test/integration/helpers/serverspec/oss_spec.rb
@@ -3,11 +3,11 @@ require 'spec_helper'
 shared_examples 'oss::init' do |vars|
   describe file("/etc/elasticsearch/log4j2.properties") do
     it { should be_file }
-    it { should be_owned_by 'elasticsearch' }
+    it { should be_owned_by 'root' }
     it { should_not contain 'CUSTOM LOG4J FILE' }
   end
   describe file("/etc/elasticsearch/jvm.options") do
     it { should be_file }
-    it { should be_owned_by vars['es_user'] }
+    it { should be_owned_by 'root' }
   end
 end
diff --git a/test/integration/helpers/serverspec/shared_spec.rb b/test/integration/helpers/serverspec/shared_spec.rb
index 1bbbc11..93d3025 100644
--- a/test/integration/helpers/serverspec/shared_spec.rb
+++ b/test/integration/helpers/serverspec/shared_spec.rb
@@ -108,11 +108,11 @@ shared_examples 'shared::init' do |vars|
   if vars['es_templates']
     describe file('/etc/elasticsearch/templates') do
       it { should be_directory }
-      it { should be_owned_by vars['es_user'] }
+      it { should be_owned_by 'root' }
     end
     describe file('/etc/elasticsearch/templates/basic.json') do
       it { should be_file }
-      it { should be_owned_by vars['es_user'] }
+      it { should be_owned_by 'root' }
     end
     #This is possibly subject to format changes in the response across versions so may fail in the future
     describe 'Template Contents Correct' do
@@ -152,6 +152,7 @@ shared_examples 'shared::init' do |vars|
     end
   end
   describe file("/etc/elasticsearch/elasticsearch.yml") do
+    it { should be_owned_by 'root' }
     it { should contain "node.name: localhost" }
     it { should contain 'cluster.name: elasticsearch' }
     it { should_not contain "path.conf: /etc/elasticsearch" }
diff --git a/test/integration/helpers/serverspec/xpack_upgrade_spec.rb b/test/integration/helpers/serverspec/xpack_upgrade_spec.rb
index aadf9e9..62c9528 100644
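Review bot: The oss spec now pins `be_owned_by 'root'` for `log4j2.properties` and `jvm.options` but still asserts nothing about mode or group, which is the actual subject of this commit, so a regression to 0644 or to the wrong group would pass unnoticed. Add `it { should be_mode 660 }` and `it { should be_grouped_into 'elasticsearch' }` to both `describe file(...)` blocks. Hard-coding `'root'` is reasonable because the tasks hard-code `owner=root`, but the group is a role variable, so prefer `vars['es_group']` if the `vars` hash carries it, the way `vars['es_user']` was used before.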
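Review bot: The `/etc/elasticsearch/templates` directory example in shared_spec.rb checks only ownership; adding `it { should be_mode 2750 }` would have caught the unquoted `mode: 2750` in tasks/elasticsearch-template.yml, which YAML parses as a decimal integer and therefore does not produce 2750. For `basic.json` add `it { should be_mode 660 }` and `it { should be_grouped_into 'elasticsearch' }` so the file permissions the commit introduces are actually exercised. The `describe 'Template Contents Correct'` block continues below the hunk.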
--- a/test/integration/helpers/serverspec/xpack_upgrade_spec.rb
+++ b/test/integration/helpers/serverspec/xpack_upgrade_spec.rb
@@ -5,13 +5,13 @@ vars = JSON.parse(File.read('/tmp/vars.json'))
 shared_examples 'xpack_upgrade::init' do |vars|
   #Test users file, users_roles and roles.yml
   describe file("/etc/elasticsearch/users_roles") do
-    it { should be_owned_by 'elasticsearch' }
+    it { should be_owned_by 'root' }
     it { should contain 'admin:es_admin' }
     it { should contain 'power_user:testUser' }
   end
 
   describe file("/etc/elasticsearch/users") do
-    it { should be_owned_by 'elasticsearch' }
+    it { should be_owned_by 'root' }
     it { should contain 'testUser:' }
     it { should contain 'es_admin:' }
   end
@@ -37,7 +37,7 @@ shared_examples 'xpack_upgrade::init' do |vars|
 
   #Test contents of role_mapping.yml
   describe file("/etc/elasticsearch/role_mapping.yml") do
-    it { should be_owned_by 'elasticsearch' }
+    it { should be_owned_by 'root' }
     it { should contain 'power_user:' }
     it { should contain '- cn=admins,dc=example,dc=com' }
     it { should contain 'user:' }
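Review bot: `/etc/elasticsearch/users` holds password hashes, and after this change the spec verifies only that root owns it; neither group nor mode is asserted, so a world-readable users file would still pass. Add `it { should_not be_readable.by('others') }` and `it { should be_grouped_into 'elasticsearch' }` to the `users` and `users_roles` examples, and the same pair to `role_mapping.yml` in the second hunk. That readability check is also the one that would flag the users-migration task in tasks/xpack/security/elasticsearch-security-file.yml, which sets owner and group on `users` but no mode.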