ownership and permission of keytab file
Hello,
Regarding the /etc/eos.keytab file, it seems that MGM (and possibly FST or other components too?) running as the daemon user fails to start if the file ownership is different from
-r--------. 1 daemon daemon 143 Mar 29 00:34 eos.keytab
Would you consider allowing this?
-r--r-----. 1 root daemon 143 Mar 29 00:34 eos.keytab
This is equivalent in terms of security, because root can implicitly read all files regardless of ownership. EOS should not care whether it can read the keytab file via user ownership or group ownership; it should only matter that it can open the file read-only. This will help in environments where credentials are provided for the EOS user but owned and managed by the root user (for example in Kubernetes, where the keytab is injected as a secret into the pod by the kubelet).
Thanks!
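
The acceptance rule requested in the post above, written out as an added example (not part of the original post and not EOS source code): a keytab check that accepts both listings shown, while still rejecting files readable by anyone outside the service account, its group, or root. The names `Keytab`, `judge_keytab` and `check_keytab` are hypothetical, and the policy assumes the service's primary group only.

```cpp
// Added example, not EOS source. Names and policy are assumptions.
#include <fcntl.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

enum class Keytab { Ok, OpenFailed, NotRegularFile, TooPermissive,
                    UntrustedOwner, NotReadable };

// Pure policy decision on stat() metadata, for a service running as
// run_uid with primary group run_gid (supplementary groups are ignored).
Keytab judge_keytab(const struct stat& st, uid_t run_uid, gid_t run_gid)
{
  if (!S_ISREG(st.st_mode)) return Keytab::NotRegularFile;
  // Nothing for "other"; the group may read but never write or execute.
  if (st.st_mode & (S_IRWXO | S_IWGRP | S_IXGRP)) return Keytab::TooPermissive;
  // Group read is only acceptable when the group is the service's own.
  if ((st.st_mode & S_IRGRP) && st.st_gid != run_gid) return Keytab::TooPermissive;
  // Owner may be the service account or root, who can read the file anyway.
  if (st.st_uid != run_uid && st.st_uid != 0) return Keytab::UntrustedOwner;
  // The service must actually get read access, by owner bit or by group bit.
  bool via_owner = st.st_uid == run_uid && (st.st_mode & S_IRUSR);
  bool via_group = st.st_gid == run_gid && (st.st_mode & S_IRGRP);
  return (via_owner || via_group) ? Keytab::Ok : Keytab::NotReadable;
}

// Open first, then fstat() the descriptor, so the metadata that is checked
// belongs to the file that will be read. Symlinks are followed on purpose:
// Kubernetes secret volumes expose their files through symlinks.
Keytab check_keytab(const char* path, uid_t run_uid, gid_t run_gid)
{
  int fd = open(path, O_RDONLY | O_CLOEXEC);
  if (fd < 0) return Keytab::OpenFailed;
  struct stat st{};
  Keytab verdict = (fstat(fd, &st) == 0) ? judge_keytab(st, run_uid, run_gid)
                                         : Keytab::OpenFailed;
  close(fd);
  return verdict;
}
```
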