sensu / sensu-omnibus

Build full-stack platform-specific Sensu packages

Installer should not reset config file permissions #247

Closed stefan-as closed 6 years ago

stefan-as commented 6 years ago

On installation or upgrade the installer resets user, group and permissions on all config files:

https://github.com/sensu/sensu-omnibus/blob/dff7808eb9d232c9202599a637a1a7294eae4576/config/templates/package-scripts/postinst.erb#L158

There are valid reasons for explicit permission management of config files and the installer should not touch them. For example, we use several Ansible deployments to manage dedicated Sensu configs per Project. After upgrade all deployment processes were broken and we had to fix the setup manually.

I suggest it is much better to fail with an appropriate error message on service startup in case of permission issues instead of managing permissions within the setup process that may be involved in third party processes.

cwjohnston commented 6 years ago

@stefan-as thanks for raising this as an issue. Can you help us better understand how the permissions we are applying broke your Ansible automation? We're open to adjusting the packaging behavior but we need any change to take our support for platforms like AIX, Solaris, etc. into account.

stefan-as commented 6 years ago

@cwjohnston in our use case we result in permissions like:

-rw-r--r-- 1 project_a deployment  309 Dec  6 13:13 checks_project_a.json
-rw-r--r-- 1 project_b deployment  309 Dec  6 13:13 checks_project_b.json

making sure checks can be managed by individual Ansibles, but not overwritten by other Ansibles. After an upgrade of sensu, the Ansibles were not allowed to manage their config files any longer. But this is only one use case, many others are possible, since that is why we have permission management on OS level. Forcing config file permissions to $SENSU_USER:$SENSU_GROUP makes it impossible to use basic OS concepts for access management.

stefan-as commented 6 years ago

Can we have an update on this issue? Sensu installer still does not respect regular Linux user/group settings on config files, overwrites valid file attributes and crashes the setups on every update.

The Sensu installer should not touch or make any assumptions about config file user or group management. While it is totally meaningful to deliver sensible defaults, it is up to the end user to adapt the setups and manage individual permissions. Furthermore, I don't know any other package that overrules end user permission management.

amdprophet commented 6 years ago

@stefan-as We're planning on taking a look at fixing this soon.

annaplotkin commented 6 years ago

After looking into this issue and deliberating, there are unfortunately a fair amount of complications with fixing this with code. We believe this may be ameliorated with a different config management setup and that will be coming down the pike with 2.x. For now we will close this issue but would love to connect with you on the Community Slack and work with you to see if we can assist in the meantime.
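
An operator-side check for the behaviour reported in this thread, as an added example that is not part of the issue or of sensu-omnibus: it records owner, group and mode of the config files before a package upgrade, reports what the package scripts changed, and reapplies the recorded values. The function names are hypothetical; it assumes GNU coreutils (`stat -c`), paths without newlines, and that you pass your own config directory (for example `/etc/sensu`).

```shell
#!/bin/sh
# Added example: detect and undo ownership/mode changes made by a package
# upgrade. Numeric uid:gid is recorded so accounts without a passwd entry
# still round-trip. Assumes GNU stat and paths without newlines.

# snapshot_perms DIR OUT: write "uid:gid mode path" for each file and
# directory under DIR into OUT.
snapshot_perms() {
    find "$1" \( -type f -o -type d \) -exec stat -c '%u:%g %a %n' {} + \
        | sort -k3 > "$2"
}

# drift_perms SNAPSHOT: print every path whose current owner, group or mode
# differs from the snapshot. Returns 1 when drift is found, 0 otherwise.
drift_perms() {
    rc=0
    while read -r owner mode path; do
        [ -e "$path" ] || continue      # removed by the upgrade, nothing to compare
        now=$(stat -c '%u:%g %a' "$path")
        if [ "$now" != "$owner $mode" ]; then
            printf '%s: was %s %s, now %s\n' "$path" "$owner" "$mode" "$now"
            rc=1
        fi
    done < "$1"
    return $rc
}

# restore_perms SNAPSHOT: reapply the recorded owner, group and mode.
restore_perms() {
    while read -r owner mode path; do
        [ -e "$path" ] || continue
        # chown needs root; call it only when ownership actually changed
        [ "$(stat -c '%u:%g' "$path")" = "$owner" ] || chown "$owner" "$path"
        chmod "$mode" "$path"
    done < "$1"
}

# Typical order around an upgrade (run as root):
#   snapshot_perms /etc/sensu /root/sensu-perms.before
#   ...upgrade the package...
#   drift_perms /root/sensu-perms.before || restore_perms /root/sensu-perms.before
```

Keep the snapshot file outside the config directory and readable only by root, since `restore_perms` applies whatever it contains.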