maintenance_socket: add option to set owning group

Option `maintenance-socket-group` sets the owning group of the maintenance socket.
If not set, the group will be the same as the user running the scylla node.

db/config.cc

@@ -764,6 +764,8 @@ db::config::config(std::shared_ptr<db::extensions> exts)
         "\tworkdir        the node will open the maintenance socket on the path <scylla's workdir>/cql.m,\n"
         "\t               where <scylla's workdir> is a path defined by the workdir configuration option\n"
         "\t<socket path>  the node will open the maintenance socket on the path <socket path>")
+    , maintenance_socket_group(this, "maintenance_socket_group", value_status::Used, "",
+        "The group that the maintenance socket will be owned by. If not set, the group will be the same as the user running the scylla node.")
     , maintenance_mode(this, "maintenance_mode", value_status::Used, false, "If set to true, the node will not connect to other nodes. It will only serve requests to its local data.")
     , native_transport_port_ssl(this, "native_transport_port_ssl", value_status::Used, 9142,
         "Port on which the CQL TLS native transport listens for clients."

db/config.hh

@@ -276,6 +276,7 @@ public:
     named_value<bool> start_native_transport;
     named_value<uint16_t> native_transport_port;
     named_value<sstring> maintenance_socket;
+    named_value<sstring> maintenance_socket_group;
     named_value<bool> maintenance_mode;
     named_value<uint16_t> native_transport_port_ssl;
     named_value<uint16_t> native_shard_aware_transport_port;

docs/operating-scylla/admin-tools/maintenance-socket.rst

@@ -11,11 +11,15 @@ To set up the maintenance socket, use the `maintenance-socket` option when start
 * If set to `workdir` maintenance socket will be created in `<node's workdir>/cql.m`.
 * Otherwise maintenance socket will be created in the specified path.
 
+
 The maintenance socket path has to satisfy following restrictions:
 
 * the path has to be shorter than `108` chars (due to linux limits),
 * a file or a directory cannot exists in this path.
 
+Option `maintenance-socket-group` sets the owning group of the maintenance socket. If not set, the group will be the same as the user running the scylla node.
+The user running the scylla node has to be in the group specified by `maintenance-socket-group` option or have root privileges.
+
 Connect to maintenance socket
 -----------------------------
 

transport/controller.cc

@@ -6,6 +6,7 @@
  * SPDX-License-Identifier: AGPL-3.0-or-later
  */
 
+#include <grp.h>
 #include "transport/controller.hh"
 #include <seastar/core/sharded.hh>
 #include <seastar/net/socket_defs.hh>
@@ -181,7 +182,25 @@ future<> controller::start_listening_on_maintenance_socket(sharded<cql_server>&
         file_permissions::user_read | file_permissions::user_write |
         file_permissions::group_read | file_permissions::group_write;
 
-    return listen_on_all_shards(cserver, addr, nullptr, false, _config.rpc_keepalive(), unix_domain_socket_permissions);
+    co_await listen_on_all_shards(cserver, addr, nullptr, false, _config.rpc_keepalive(), unix_domain_socket_permissions);
+
+    if (_config.maintenance_socket_group.is_set()) {
+        auto group_name = _config.maintenance_socket_group();
+        struct group *grp;
+        grp = ::getgrnam(group_name.c_str());
+        if (!grp) {
+            throw std::runtime_error(format("Group id of {} not found. Make sure the group exists.", group_name));
+        }
+
+        auto chown_result = ::chown(socket.c_str(), ::geteuid(), grp->gr_gid);
+        if (chown_result < 0) {
+            if (errno == EPERM) {
+                throw std::runtime_error(format("Failed to change group of {}: Permission denied. Make sure the user has the root privilege or is a member of the group {}.", socket, group_name));
+            } else {
+                throw std::runtime_error(format("Failed to chown {}: {} ()", socket, strerror(errno)));
+            }
+        }
+    }
 }
 
 future<> controller::do_start_server() {