Bug 1356697
| Summary: | Unable to create a new v2_key when the old one is removed | |||
|---|---|---|---|---|
| Product: | Red Hat CloudForms Management Engine | Reporter: | Jan Krocil <jkrocil> | |
| Component: | Appliance | Assignee: | Keenan Brock <kbrock> | |
| Status: | CLOSED CURRENTRELEASE | QA Contact: | luke couzens <lcouzens> | |
| Severity: | medium | Docs Contact: | ||
| Priority: | unspecified | |||
| Version: | 5.5.0 | CC: | abellott, cpelland, gtanzill, jhardy, kbrock, lcouzens, obarenbo, simaishi | |
| Target Milestone: | GA | Keywords: | TestOnly, ZStream | |
| Target Release: | 5.7.0 | |||
| Hardware: | Unspecified | |||
| OS: | Unspecified | |||
| Whiteboard: | appliance:cli:black | |||
| Fixed In Version: | 5.7.0.0 | Doc Type: | If docs needed, set a value | |
| Doc Text: | Story Points: | --- | ||
| Clone Of: | ||||
| : | 1357520 (view as bug list) | Environment: | ||
| Last Closed: | 2017-01-11 20:06:29 UTC | Type: | Bug | |
| Regression: | --- | Mount Type: | --- | |
| Documentation: | --- | CRM: | ||
| Verified Versions: | Category: | --- | ||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | ||
| Cloudforms Team: | --- | Target Upstream Version: | ||
| Embargoed: | ||||
| Bug Depends On: | ||||
| Bug Blocks: | 1357520 | |||
|
Comment 3
Keenan Brock
2016-07-15 20:52:21 UTC
1. I'm seeing this warning in 5.5.5.2 and master 2. Is it generating the key for you? I'm seeing it generate the key for both versions New commit detected on ManageIQ/manageiq/master: https://github.com/ManageIQ/manageiq/commit/dd103d713c571b5649ba610559a04764a1c8a758 commit dd103d713c571b5649ba610559a04764a1c8a758 Author: Keenan Brock <kbrock> AuthorDate: Fri Jul 15 16:47:18 2016 -0400 Commit: Keenan Brock <kbrock> CommitDate: Fri Jul 15 17:29:59 2016 -0400 Don't load keys when generating keys Don't display a warning that the `v2_key` does not exist if we are in the process of generating the key. https://bugzilla.redhat.com/show_bug.cgi?id=1356697 details: To generate a new appliance encryption key (aka `v2_key`), a user removes and adds a key: ``` mv certs/v2_key certs/v2_key.old bundle exec ruby tools/fix_auth.rb --key ``` This displays a warning, and looks like it fails but the key is generated: ``` On an appliance, it should be generated on boot by evmserverd. If you're a developer, you can copy the certs/v2_key.dev to certs/v2_key. Caution, using the developer key will allow anyone with the public developer key to decrypt the two-way passwords in your database. ``` Now if the user had not deleted the old `certs/v2_key` then it would throw and error and not generate a new `v2_key`. But if you note, it is very hard for the user to know if this is a problem or not: ``` Only generate one encryption_key (v2_key) per installation. Chances are you did not want to overwrite this file. If you do this all encrypted secrets in the database will not be readable. Please backup your key and run again. tools/fix_auth/fix_auth.rb:50:in `rescue in generate_password': File exists - File exists @ rb_sysopen - certs/v2_key (Errno::EEXIST) from tools/fix_auth/fix_auth.rb:42:in `generate_password' from tools/fix_auth/fix_auth.rb:90:in `run' from tools/fix_auth/cli.rb:37:in `run' from tools/fix_auth/cli.rb:41:in `run' from ./tools/fix_auth.rb:24:in `<main>' ``` Solution is to not show the warning if in the process of generating the key tools/fix_auth/fix_auth.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) fixed on 5.6 and 5.7 Let me know if you need anything else --K Verified in 5.7.0.0 |