New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Don't load keys when generating keys #9863
Conversation
@kbrock the change seems to make sense, can you reword these statements in the description... I don't know what you mean:
What error?
So, it's creating a key...
Does not exist or does exist? What error?
Is this because of the 'actual error' ? Does this problem have a workaround that users have successfully used in the past? I'm wondering how this worked before... Maybe this:
??? |
updated. thanks @jrafanie |
an error |
Don't display a warning that the `v2_key` does not exist if we are in the process of generating the key. https://bugzilla.redhat.com/show_bug.cgi?id=1356697 details: To generate a new appliance encryption key (aka `v2_key`), a user removes and adds a key: ``` mv certs/v2_key certs/v2_key.old bundle exec ruby tools/fix_auth.rb --key ``` This displays a warning, and looks like it fails but the key is generated: ``` On an appliance, it should be generated on boot by evmserverd. If you're a developer, you can copy the certs/v2_key.dev to certs/v2_key. Caution, using the developer key will allow anyone with the public developer key to decrypt the two-way passwords in your database. ``` Now if the user had not deleted the old `certs/v2_key` then it would throw and error and not generate a new `v2_key`. But if you note, it is very hard for the user to know if this is a problem or not: ``` Only generate one encryption_key (v2_key) per installation. Chances are you did not want to overwrite this file. If you do this all encrypted secrets in the database will not be readable. Please backup your key and run again. tools/fix_auth/fix_auth.rb:50:in `rescue in generate_password': File exists - File exists @ rb_sysopen - certs/v2_key (Errno::EEXIST) from tools/fix_auth/fix_auth.rb:42:in `generate_password' from tools/fix_auth/fix_auth.rb:90:in `run' from tools/fix_auth/cli.rb:37:in `run' from tools/fix_auth/cli.rb:41:in `run' from ./tools/fix_auth.rb:24:in `<main>' ``` Solution is to not show the warning if in the process of generating the key
Checked commit kbrock@dd103d7 with ruby 2.2.5, rubocop 0.37.2, and haml-lint 0.16.1 |
LGTM, thanks @kbrock |
Merging. I'm not sure how you can test this but there should be a way. Maybe we can do that in a followup PR. |
Don't load keys when generating keys (cherry picked from commit 0bf1bc7)
Darga backport details: commit 54807fe69c11d517cd816d2b85871d20cf578d85
Author: Joe Rafaniello <jrafanie@users.noreply.github.com>
Date: Fri Jul 15 18:37:49 2016 -0400
Merge pull request #9863 from kbrock/fix_auth_warning
Don't load keys when generating keys
(cherry picked from commit 0bf1bc7bcc2535e6430c485ff2e7b84475872461) |
Purpose or Intent
To generate a new appliance encryption key (aka
v2_key
) users use:This displays an ugly warning but actually works
Now if the user had not deleted the old
certs/v2_key
then it would throw and error and not generate a newv2_key
. But if you note, it is very hard for the user to know if this is a problem or notSolution
Don't display a warning that the
v2_key
does not exist if we are in the process of generating the key.https://bugzilla.redhat.com/show_bug.cgi?id=1356697