Closed
Bug 962970
Opened 10 years ago
Closed 10 years ago
Allow tokenserver to use a single signing secret for all nodes
Categories
(Cloud Services Graveyard :: Server: Token, defect)
Cloud Services Graveyard
Server: Token
Tracking
(Not tracked)
VERIFIED
WONTFIX
People
(Reporter: rfkelly, Assigned: rfkelly)
References
Details
(Whiteboard: [qa?])
Attachments
(2 files)
5.91 KB,
patch
|
Details | Diff | Splinter Review | |
2.36 KB,
patch
|
Details | Diff | Splinter Review |
To simplify our initial deployments of tokenserver+sync1.5, it will be handy to allow tokenserver to sign all tokens with a single, shared secret that is associated with all storage nodes. This means we don't have to block deployment on scripting/management of the secrets database.
Assignee | ||
Comment 1•10 years ago
|
||
To enable this, I've added a FixedSecrets class to mozsvc.secrets. It provides the same API as the existing Secrets class, but uses the same set of secrets for every node. I've also changed the auth-checking logic to validate that the user is in the right place - we used to get this for free, because the signature wouldn't validate on an incorrect node.
Assignee: nobody → rfkelly
Attachment #8364194 -
Flags: review?(telliott)
Assignee | ||
Comment 2•10 years ago
|
||
And here's the patch to make tokenserver use it. You can now specify either "secret" or "secrets_file" to use FixedSecrets or Secrets respectively.
Attachment #8364195 -
Flags: review?(telliott)
Updated•10 years ago
|
Whiteboard: [qa?]
Comment 3•10 years ago
|
||
This is possibly lowering the security of the whole system. We need to keep track of this and restore back to having a different secret per node later on :)
Assignee | ||
Comment 4•10 years ago
|
||
> This is possibly lowering the security of the whole system.
Yep. Actually I think I left all the default configs using secrets_file, so this will be a secret Ops switch that we can throw on/off as we need during deployment prep.
Assignee | ||
Comment 5•10 years ago
|
||
I synced up with Ops again this morning and it sounds like they're unblocked enough without needing to go this route, so I'm just going to close this out.
Status: NEW → RESOLVED
Closed: 10 years ago
Resolution: --- → WONTFIX
Assignee | ||
Updated•10 years ago
|
Attachment #8364194 -
Flags: review?(telliott)
Assignee | ||
Updated•10 years ago
|
Attachment #8364195 -
Flags: review?(telliott)
Updated•1 year ago
|
Product: Cloud Services → Cloud Services Graveyard
You need to log in
before you can comment on or make changes to this bug.
Description
•