From 9ee29aabe12905d1fb03b0cf16bb75f85e2795f3 Mon Sep 17 00:00:00 2001
From: Jarrod Johnson
Date: Thu, 12 Mar 2020 16:04:23 -0400
Subject: [PATCH] Set certificate ownership properly

When creating certificate for collective, ensure that the certificate is usable by confluent when running as non-root.
---
confluent_server/bin/collective | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/confluent_server/bin/collective b/confluent_server/bin/collective
index e993e168..58e5d03a 100644
--- a/confluent_server/bin/collective
+++ b/confluent_server/bin/collective
@@ -40,6 +40,12 @@ def make_certificate():
 '/etc/confluent/srvcert.pem -subj /CN='
 '{0}'.format(socket.gethostname()).split(' ')):
 raise Exception('Error generating certificate')
+ try:
+ uid = pwd.getpwnam('confluent').pw_uid
+ os.chown('/etc/confluent/privkey.pem', uid, -1)
+ os.chown('/etc/confluent/srvcert.pem', uid, -1)
+ except KeyError:
+ pass
 print('Certificate generated successfully')
 os.umask(umask)
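Review bot: Both added `os.chown` calls act on fixed paths and follow symlinks, so if this runs as root while `/etc/confluent` is writable by the `confluent` account (not visible here), ownership of whatever those paths resolve to at that moment is handed over; `os.lchown('/etc/confluent/privkey.pem', uid, -1)`, and the same for `srvcert.pem`, keeps the change on the directory entries themselves. The diffstat shows only these six insertions, so `pwd` must already be imported elsewhere in the file; if it is not, the lookup raises `NameError`, which `except KeyError` does not catch. An `OSError` from the ownership change (for example when the script is not run as root) is also uncaught and would abort after the certificate has been written. The silent `pass` leaves the key root-owned with no hint to the operator when the account is missing; if that is intended, a comment such as `# no 'confluent' account: leave the files owned by the invoking user` would record it. make_certificate starts above the hunk.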