Support rotation for maas region secret

More details on this bug - https://bugs.launchpad.net/maas/+bug/1850180

Change-Id: I52312ccec74a1973fdb7aebe3bfc6c0088004ad5
Nishant Kumar 2019-10-28 15:59:05 +00:00 committed by Nishant Kumar
parent 628ca509bc
commit d86e3fa479
2 changed files with 23 additions and 0 deletions


@ -0,0 +1,20 @@
diff --git a/src/maasserver/security.py b/src/maasserver/security.py
index e931b89..44fad1a 100644
--- a/src/maasserver/security.py
+++ b/src/maasserver/security.py
@@ -105,10 +105,11 @@ def get_shared_secret_txn():
elif secret_in_db == secret_on_fs:
secret = secret_in_db # or secret_on_fs.
else:
- raise AssertionError(
- "The secret stored in the database does not match the secret "
- "stored on the filesystem at %s. Please investigate." %
- get_shared_secret_filesystem_path())
+ # (nk613n): When we rotate secrets we only update the filesystem
+ # so if the secrets don't match we will default to the FS
+ # secret and set it in the database (set_config function)
+ secret = secret_on_fs
+ Config.objects.set_config("rpc_shared_secret", to_hex(secret))
return secret
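Review bot: The new `else` branch (`secret = secret_on_fs` followed by `Config.objects.set_config("rpc_shared_secret", to_hex(secret))`) overwrites the database copy on any mismatch without recording that it happened, so a deliberate rotation and an unexpectedly changed secret file look the same afterwards. The removed AssertionError was the only signal for that condition; I would emit a warning before the write, using whatever logger security.py already has, along the lines of `log.warning("rpc_shared_secret in database differs from the filesystem copy; adopting the filesystem value")`, and never include the secret value itself in the message. The filesystem copy becomes the single source of truth, so the secret file's ownership and mode now protect the database value as well, and that is worth stating in the comment. If several region controllers share one database and their secret files differ during a rotation, each would presumably rewrite the stored value with its own copy, so the rotation procedure should update every controller before any of them restarts. The body of get_shared_secret_txn starts outside this hunk, so the earlier branches were not reviewed.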


@ -75,17 +75,20 @@ COPY 2.3_proxy_acl.patch /tmp/2.3_proxy_acl.patch
# Patch to add retrying to MaaS BMC user setup, and improve exception handling
copy 2.3_configure_ipmi_user.patch /tmp/2.3_configure_ipmi_user.patch
COPY 2.3_secure_headers.patch /tmp/2.3_secure_headers.patch
COPY 2.3_region_secret_rotate.patch /tmp/2.3_region_secret_rotate.patch
RUN cd /usr/lib/python3/dist-packages/maasserver && patch preseed_network.py < /tmp/2.3_route.patch
RUN cd /usr/lib/python3/dist-packages/maasserver && patch preseed.py < /tmp/2.3_kernel_package.patch
RUN cd /usr/lib/python3/dist-packages/maasserver/models && patch partition.py < /tmp/2.3_bios_grub_partition.patch
RUN cd /usr/lib/python3/dist-packages/maasserver && patch preseed_storage.py < /tmp/2.3_bios_grub_preseed.patch
RUN cd /usr/lib/python3/dist-packages/maasserver && patch security.py < /tmp/2.3_region_secret_rotate.patch
RUN cd /usr/lib/python3/dist-packages/metadataserver/user_data/templates/snippets && patch maas_enlist.sh < /tmp/2.3_maas_enlist.patch
RUN cd /usr/lib/python3/dist-packages/metadataserver/user_data/templates/snippets && patch maas_ipmi_autodetect.py < /tmp/2.3_configure_ipmi_user.patch
RUN cd /usr/lib/python3/dist-packages/provisioningserver/utils && patch ipaddr.py < /tmp/2.3_mac_address.patch
RUN cd /usr/lib/python3/dist-packages/provisioningserver/templates/proxy && patch maas-proxy.conf.template < /tmp/2.3_proxy_acl.patch
RUN cd /usr/lib/python3/dist-packages/twisted/web && patch server.py < /tmp/2.3_secure_headers.patch
COPY journalctl-to-tty.service /etc/systemd/system/journalctl-to-tty.service
RUN mkdir -p /etc/systemd/system/basic.target.wants ;\
ln -s /etc/systemd/system/journalctl-to-tty.service /etc/systemd/system/basic.target.wants/journalctl-to-tty.service