962970 - Allow tokenserver to use a single signing secret for all nodes

Status: VERIFIED WONTFIX

(Cloud Services Graveyard :: Server: Token, defect)

Description

[Ryan Kelly [:rfkelly]]

To simplify our initial deployments of tokenserver+sync1.5, it will be handy to allow tokenserver to sign all tokens with a single, shared secret that is associated with all storage nodes.  This means we don't have to block deployment on scripting/management of the secrets database.

Comment 1

[Ryan Kelly [:rfkelly]]

Attachment: fixedsecrets.diff

To enable this, I've added a FixedSecrets class to mozsvc.secrets.  It provides the same API as the existing Secrets class, but uses the same set of secrets for every node.

I've also changed the auth-checking logic to validate that the user is in the right place - we used to get this for free, because the signature wouldn't validate on an incorrect node.

Comment 2

[Ryan Kelly [:rfkelly]]

Attachment: ts-fixed-secrets.diff

And here's the patch to make tokenserver use it.  You can now specify either "secret" or "secrets_file" to use FixedSecrets or Secrets respectively.

Comment 3

[Alexis Metaireau (:alexis)]

This is possibly lowering the security of the whole system. We need to keep track of this and restore back to having a different secret per node later on :)

Comment 4

[Ryan Kelly [:rfkelly]]

> This is possibly lowering the security of the whole system.

Yep.  Actually I think I left all the default configs using secrets_file, so this will be a secret Ops switch that we can throw on/off as we need during deployment prep.

Comment 5

[Ryan Kelly [:rfkelly]]

I synced up with Ops again this morning and it sounds like they're unblocked enough without needing to go this route, so I'm just going to close this out.

Comment 6

[James Bonacci [:jbonacci]]

Ok then