Add a permissions option to logging.files for all beats (elastic#4428)

(cherry picked from commit fecbdf4)
andrewkroh · Oct 13, 2017 · dd882fc · dd882fc
1 parent 29f2667
commit dd882fc
Show file tree

Hide file tree

Showing 10 changed files with 64 additions and 4 deletions.
diff --git a/CHANGELOG.asciidoc b/CHANGELOG.asciidoc
@@ -136,6 +136,7 @@ https://github.com/elastic/beats/compare/v5.5.3...v5.6.0[View commits]
 *Affecting all Beats*
 
 - Add option to the import_dashboards script to load the dashboards via Kibana API. {pull}4682[4682]
+- Add `logging.files` `permissions` option. {pull}4295[4295]
 
 *Filebeat*
 

diff --git a/filebeat/filebeat.full.yml b/filebeat/filebeat.full.yml
@@ -1017,3 +1017,6 @@ logging.files:
   # Number of rotated log files to keep. Oldest files will be deleted first.
   #keepfiles: 7
 
+  # The permissions mask to apply when rotating log files. The default value is 0600.
+  # Must be a valid Unix-style file permissions mask expressed in octal notation.
+  #permissions: 0600
diff --git a/heartbeat/heartbeat.full.yml b/heartbeat/heartbeat.full.yml
@@ -852,3 +852,6 @@ logging.files:
   # Number of rotated log files to keep. Oldest files will be deleted first.
   #keepfiles: 7
 
+  # The permissions mask to apply when rotating log files. The default value is 0600.
+  # Must be a valid Unix-style file permissions mask expressed in octal notation.
+  #permissions: 0600
diff --git a/libbeat/_meta/config.full.yml b/libbeat/_meta/config.full.yml
@@ -654,3 +654,6 @@ logging.files:
   # Number of rotated log files to keep. Oldest files will be deleted first.
   #keepfiles: 7
 
+  # The permissions mask to apply when rotating log files. The default value is 0600.
+  # Must be a valid Unix-style file permissions mask expressed in octal notation.
+  #permissions: 0600
diff --git a/libbeat/docs/loggingconfig.asciidoc b/libbeat/docs/loggingconfig.asciidoc
@@ -27,6 +27,7 @@ logging.files:
   path: /var/log/mybeat
   name: mybeat.log
   keepfiles: 7
+  permissions: 0600
 ------------------------------------------------------------------------------
 
 TIP: In addition to setting logging options in the config file, you can modify
@@ -124,6 +125,21 @@ The number of most recent rotated log files to keep on disk. Older files are
 deleted during log rotation. The default value is 7. The `keepfiles` options has to be
 in the range of 2 to 1024 files.
 
+===== files.permissions
+
+The permissions mask to apply when rotating log files. The default value is 0600. The
+`permissions` value must be a valid Unix-style file permissions mask expressed
+in octal notation. In YAML, numbers in octal notation must start with '0'.
+
+Examples:
+
+* 0600: give read and write access to the file owner, and no access to all
+others (default).
+* 0644: give read and write access to the file owner, and read access to all
+others.
+* 0664: give read and write access to the file owner and members of the group 
+associated with the file, as well as read access to all other users.
+
 ==== Logging Format
 
 The logging format is different for each logging type:

diff --git a/libbeat/logp/file_rotator.go b/libbeat/logp/file_rotator.go
@@ -17,6 +17,7 @@ type FileRotator struct {
 	Name             string
 	RotateEveryBytes *uint64
 	KeepFiles        *int
+	Permissions      *uint32
 
 	current     *os.File
 	currentSize uint64
@@ -42,7 +43,7 @@ func (rotator *FileRotator) CreateDirectory() error {
 
 func (rotator *FileRotator) CheckIfConfigSane() error {
 	if len(rotator.Name) == 0 {
-		return fmt.Errorf("File logging requires a name for the file names")
+		return fmt.Errorf("file logging requires a name for the file names")
 	}
 	if rotator.KeepFiles == nil {
 		rotator.KeepFiles = new(int)
@@ -54,7 +55,11 @@ func (rotator *FileRotator) CheckIfConfigSane() error {
 	}
 
 	if *rotator.KeepFiles < 2 || *rotator.KeepFiles >= RotatorMaxFiles {
-		return fmt.Errorf("The number of files to keep should be between 2 and %d", RotatorMaxFiles-1)
+		return fmt.Errorf("the number of files to keep should be between 2 and %d", RotatorMaxFiles-1)
+	}
+
+	if rotator.Permissions != nil && (*rotator.Permissions > uint32(os.ModePerm)) {
+		return fmt.Errorf("the permissions mask %d is invalid", *rotator.Permissions)
 	}
 	return nil
 }
@@ -134,7 +139,7 @@ func (rotator *FileRotator) Rotate() error {
 
 		if rotator.FileExists(fileNo + 1) {
 			// next file exists, something is strange
-			return fmt.Errorf("File %s exists, when rotating would overwrite it", rotator.FilePath(fileNo+1))
+			return fmt.Errorf("file %s exists, when rotating would overwrite it", rotator.FilePath(fileNo+1))
 		}
 
 		err := os.Rename(path, rotator.FilePath(fileNo+1))
@@ -145,7 +150,7 @@ func (rotator *FileRotator) Rotate() error {
 
 	// create the new file
 	path := rotator.FilePath(0)
-	current, err := os.OpenFile(path, os.O_RDWR|os.O_CREATE|os.O_TRUNC, 0600)
+	current, err := os.OpenFile(path, os.O_RDWR|os.O_CREATE|os.O_TRUNC, os.FileMode(rotator.getPermissions()))
 	if err != nil {
 		return err
 	}
@@ -158,3 +163,10 @@ func (rotator *FileRotator) Rotate() error {
 
 	return nil
 }
+
+func (rotator *FileRotator) getPermissions() uint32 {
+	if rotator.Permissions == nil {
+		return 0600
+	}
+	return *rotator.Permissions
+}
diff --git a/libbeat/logp/file_rotator_test.go b/libbeat/logp/file_rotator_test.go
@@ -160,4 +160,17 @@ func TestConfigSane(t *testing.T) {
 	}
 	assert.NotNil(t, rotator.CheckIfConfigSane())
 
+	perms := uint32(0544)
+	rotator = FileRotator{
+		Name:        "test2",
+		Permissions: &perms,
+	}
+	assert.Nil(t, rotator.CheckIfConfigSane())
+
+	perms = uint32(077777)
+	rotator = FileRotator{
+		Name:        "test2",
+		Permissions: &perms,
+	}
+	assert.NotNil(t, rotator.CheckIfConfigSane())
 }
diff --git a/metricbeat/metricbeat.full.yml b/metricbeat/metricbeat.full.yml
@@ -965,3 +965,6 @@ logging.files:
   # Number of rotated log files to keep. Oldest files will be deleted first.
   #keepfiles: 7
 
+  # The permissions mask to apply when rotating log files. The default value is 0600.
+  # Must be a valid Unix-style file permissions mask expressed in octal notation.
+  #permissions: 0600
diff --git a/packetbeat/packetbeat.full.yml b/packetbeat/packetbeat.full.yml
@@ -1108,3 +1108,6 @@ logging.files:
   # Number of rotated log files to keep. Oldest files will be deleted first.
   #keepfiles: 7
 
+  # The permissions mask to apply when rotating log files. The default value is 0600.
+  # Must be a valid Unix-style file permissions mask expressed in octal notation.
+  #permissions: 0600
diff --git a/winlogbeat/winlogbeat.full.yml b/winlogbeat/winlogbeat.full.yml
@@ -683,3 +683,6 @@ logging.files:
   # Number of rotated log files to keep. Oldest files will be deleted first.
   #keepfiles: 7
 
+  # The permissions mask to apply when rotating log files. The default value is 0600.
+  # Must be a valid Unix-style file permissions mask expressed in octal notation.
+  #permissions: 0600