I have some files in Copr which are sensitive as they contain passwords. Therefore I could not add them to ansible.git, but they need to go to that repo where such files are (where I do not have access).
You can grab those files directly from Copr, where all fedora-cloud members should have access.
On host copr-fe.cloud.fedoraproject.org it is the file /etc/copr/copr.conf; on host copr-be it is /etc/copr/copr-be.conf
Hmm, maybe it would be better if we store just that password as a variable, so I can manage the rest of that file without problem.
If it is possible, please create $private/copr_vars.yml and store there the values from host copr-fe.cloud.fedoraproject.org, file /etc/copr/copr.conf, variables BACKEND_PASSWORD, SECRET_KEY and SQLALCHEMY_DATABASE_URI.
The password in copr-be.conf is the same as BACKEND_PASSWORD in copr.conf, so no need to do anything for copr-fe.cloud.
Once done, please confirm here the final paths in $private.git and I will update ansible.git
We have an ansible-private/vars.yml already that's included in a lot of places. It seems to me that would be ok for this data?
We also include the following information for each thing in there:
Can you provide this info for those 3 items and I will get them added.
OK
I'm not sure I follow this question, but I will try:
variable BACKEND_PASSWORD:
this is the password for authenticating copr's backend to the frontend (they both have to have the same password)
in copr-fe.cloud.fedoraproject.org in /etc/copr/copr.conf and in copr-be.cloud.fedoraproject.org /etc/copr/copr-be.conf
if this is publicly disclosed, anybody can act as a builder for copr, pick up a task and submit results, i.e. create fake builds. He however could not change existing builds.
2013-11-05
SECRET_KEY
this is just the salt for CSRF
on copr-fe in /etc/copr/copr.conf
most probably nothing, at worst he can create his own CSRF tokens
SQLALCHEMY_DATABASE_URI
connection string to db
on copr-fe in /etc/copr/copr.conf; if you change the password, it must also be changed in the db to which this connection string points.
If this is disclosed, and access to the db is allowed over TCP and not restricted by host access, then you can change any information about projects and get access to a project. You could not change existing builds, but you can forge a new location for those builds.
ok. I have them set up. I used the following variable names:
copr_backend_password
copr_secret_key
copr_database_uri