DAOS-12100 control: Update admin cert key required perms

[kjacque]

The admin certificate key may be owned by an admin group, rather than an individual user.

In practice most private keys should be owner-read-only (0400), but the admin cert may also be readable by the admin group (0440).

Required-githooks: true
Features: control

Signed-off-by: Kris Jacque [email protected]

Before requesting gatekeeper:

• Two review approvals and any prior change requests have been resolved.
• Testing is complete and all tests passed or there is a reason documented in the PR why it should be force landed and forced-landing tag is set.
• Features: (or Test-tag*) commit pragma was used or there is a reason documented that there are no appropriate tags for this PR.
• Commit messages follows the guidelines outlined here.
• Any tests skipped by the ticket being addressed have been run and passed in the PR.

Gatekeeper:

• You are the appropriate gatekeeper to be landing the patch.
• The PR has 2 reviews by people familiar with the code, including appropriate watchers.
• Githooks were used. If not, request that user install them and check copyright dates.
• Checkpatch issues are resolved. Pay particular attention to ones that will show up on future PRs.
• All builds have passed. Check non-required builds for any new compiler warnings.
• Sufficient testing is done. Check feature pragmas and test tags and that tests skipped for the ticket are run and now pass with the changes.
• If applicable, the PR has addressed any potential version compatibility issues.
• Check the target branch. If it is master branch, should the PR go to a feature branch? If it is a release branch, does it have merge approval in the JIRA ticket.
• Extra checks if forced landing is requested
  • Review comments are sufficiently resolved, particularly by prior reviewers that requested changes.
  • No new NLT or valgrind warnings. Check the classic view.
  • Quick-build or Quick-functional is not used.
• Fix the commit message upon landing. Check the standard here. Edit it to create a single commit. If necessary, ask submitter for a new summary.

[daosbuild1]

LGTM. No errors found by checkpatch.

[github-actions]

Bug-tracker data:
Ticket title is 'admin.key should allow chmod 0440'
Status is 'In Review'
Labels: 'required_24tb2,triaged'
Job should run at elevated priority (3)
https://daosio.atlassian.net/browse/DAOS-12100

[daosbuild1]

LGTM. No errors found by checkpatch.

[daosbuild1]

Test stage Functional Hardware Medium completed with status UNSTABLE. https://build.hpdd.intel.com/job/daos-stack/job/daos//view/change-requests/job/PR-11271/3/testReport/(root)/

[daosbuild1]

Test stage Functional Hardware Medium UCX Provider completed with status FAILURE. https://build.hpdd.intel.com//job/daos-stack/job/daos/view/change-requests/job/PR-11271/3/execution/node/1173/log

[knard38]

Probably a stupid question (not really familiar with this portion of the code).
Is the key file stored in the directory with MaxDirPerm ?
If yes, even with MaxGroupKeyPerm set, the user from the authorized group will not be able to access the key cert ?

[Michael-Hennecke]

I agree, I think MaxDirPerm should be 0750 or "group" cannot get to the admin.key

[kjacque]

Good catch. Fixing

[Michael-Hennecke]

see MaxDirPerm comment...

[daosbuild1]

LGTM. No errors found by checkpatch.

[knard38]

LGTM

[daosbuild1]

Test stage Functional Hardware Medium completed with status FAILURE. https://build.hpdd.intel.com//job/daos-stack/job/daos/view/change-requests/job/PR-11271/4/execution/node/1220/log

[mjmac]

Test failures appear to be due to engine segfaults in racer/rebuild tests, seems unlikely that they are related to this patch.