Skip to content

Make owner/group consistent in the elasticsearch role #490

Description

@afeefghannam89

The elasticsearch role mostly follows the package's ownership model — config and certificates are root-owned and readable through the elasticsearch group, data/logs belong to the service user — but two things are inconsistent.

1. elasticsearch_group is pointless and unsafe.
It is used only in the three jvm.options.d tasks (owner root, mode 0660) and defaults to elasticsearch. The package fixes the service to User=elasticsearch / Group=elasticsearch, so any other value makes those files unreadable for the service. Replace {{ elasticsearch_group }} with the literal elasticsearch and drop the variable. (The paired elasticsearch_user was already removed as dead.)

2. elasticsearch.yml breaks the pattern.
It is written root:root mode 0644 (world-readable), while every other config file is root:elasticsearch group-readable. Align it to root:elasticsearch mode 0640.

Note: the fix is not to chown config/certs to the service user — they must stay root-owned and group-readable so the service cannot rewrite its own config. Dropping elasticsearch_group is a minor breaking change.

Relates to #84.

Metadata

Metadata

Assignees

No one assigned

    Labels

    breaking-changePR / Issue / Fix that will implement a breaking change!qualityChanges that will not affect the technical details, but add some more quality to the code, docs, ...

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions