#4108 Please add some files with passwords into private infra-repo
Closed: Fixed None Opened 10 years ago by msuchy.

I have some files in Copr which are sensitive, as they contain passwords. Therefore I could not add them to ansible.git, but they need to go into the repo where such files are kept (where I do not have access).

You can grab those files directly from Copr, where all fedora-cloud members should have access.

On host copr-fe.cloud.fedoraproject.org it is file:
/etc/copr/copr.conf
on host copr-be it is:
/etc/copr/copr-be.conf

Hmm, maybe it would be better if we store just that password as a variable, so I can manage the rest of that file without a problem.

If it is possible please create
$private/copr_vars.yml

and store there values from
host copr-fe.cloud.fedoraproject.org
file /etc/copr/copr.conf
variables BACKEND_PASSWORD, SECRET_KEY and SQLALCHEMY_DATABASE_URI

The password in copr-be.conf is the same as BACKEND_PASSWORD in copr.conf. So no need to do anything for copr-fe.cloud.

Once done, please confirm here the final paths in $private.git and I will update ansible.git


We have an ansible-private/vars.yml already that's included in a lot of places. It seems to me that would be ok for this data?

We also include the following information for each thing in there:

purpose: what is this username or password for?

where to change: If you wanted to change this, where would you do so?

impact of public release: what would happen if this was released?

last changed: YYYY-MM-DD

Can you provide this info for those 3 items and I will get them added.

We have an ansible-private/vars.yml already that's included in a lot of places. It seems to me that would be ok for this data?

OK

I'm not sure I follow this question, but I will try:

variable BACKEND_PASSWORD:

  • purpose: what is this username or password for?

This is the password for authenticating copr's backend to the frontend (they both have to have the same password).

  • where to change: If you wanted to change this, where would you do so?

in copr-fe.cloud.fedoraproject.org in /etc/copr/copr.conf and in copr-be.cloud.fedoraproject.org /etc/copr/copr-be.conf

  • impact of public release: what would happen if this was released?

If this is publicly disclosed, anybody can act as a builder for copr, pick up tasks and submit results, i.e. create fake builds. He could not, however, change existing builds.

  • last changed: YYYY-MM-DD

2013-11-05

SECRET_KEY

  • purpose: what is this username or password for?

This is just a salt for CSRF.

  • where to change: If you wanted to change this, where would you do so?

on copr-fe in /etc/copr/copr.conf

  • impact of public release: what would happen if this was released?

Most probably nothing; at worst he can create his own CSRF tokens.

  • last changed: YYYY-MM-DD

2013-11-05

SQLALCHEMY_DATABASE_URI

  • purpose: what is this username or password for?

Connection string to the db.

  • where to change: If you wanted to change this, where would you do so?

on copr-fe in /etc/copr/copr.conf
and if you change the password, it must also be changed in the db to which this connection string points.

  • impact of public release: what would happen if this was released?

If this is disclosed, and access to the db is allowed over TCP and not restricted by host access, then you can change any information about projects and get access to projects. You could not change existing builds, but you can forge a new location for those builds.

  • last changed: YYYY-MM-DD

2013-11-05

OK. I have them set up. I used the following variable names:

copr_backend_password

copr_secret_key

copr_database_uri
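
Added example (not part of the ticket and not Fedora's own code): a sketch of the split requested above, pulling the three named settings out of a copr.conf-style file into values for the private vars file and leaving a Jinja2 template that can live in the public repo. The `KEY = 'value'` file layout, the function names and the sample values are assumptions; the variable names are the ones listed in the last comment.

```python
import re

# From the ticket: copr.conf setting -> variable name in the private vars file.
SECRET_VARS = {
    "BACKEND_PASSWORD": "copr_backend_password",
    "SECRET_KEY": "copr_secret_key",
    "SQLALCHEMY_DATABASE_URI": "copr_database_uri",
}

# Assumed layout: one KEY = 'value' assignment per line (quotes optional).
ASSIGNMENT = re.compile(r"^(\s*)([A-Z_][A-Z0-9_]*)(\s*=\s*)(['\"]?)(.*?)\4\s*$")


def split_secrets(conf_text):
    """Return (template_text, private_vars) for a copr.conf-style file.

    The template keeps every line but swaps the three secret values for
    Jinja2 references; private_vars holds the extracted values.
    """
    private_vars, out = {}, []
    for line in conf_text.splitlines():
        m = ASSIGNMENT.match(line)
        if m and m.group(2) in SECRET_VARS:
            indent, key, eq, quote, value = m.groups()
            var = SECRET_VARS[key]
            private_vars[var] = value
            quote = quote or "'"  # always emit a quoted string literal
            line = f"{indent}{key}{eq}{quote}{{{{ {var} }}}}{quote}"
        out.append(line)
    return "\n".join(out) + "\n", private_vars


def leaked_values(text, private_vars):
    """Names of secrets whose literal value still appears in text."""
    return sorted(n for n, v in private_vars.items() if v and v in text)


# Constructed sample input; the values are placeholders, not real credentials.
SAMPLE_CONF = """\
# Copr frontend configuration (constructed sample)
SQLALCHEMY_DATABASE_URI = 'postgresql://copr-fe:EXAMPLE-DB-PW@dbhost/coprdb'
SECRET_KEY = 'EXAMPLE-SECRET-KEY'
BACKEND_PASSWORD = 'EXAMPLE-BACKEND-PW'
SEND_EMAILS = True
"""

if __name__ == "__main__":
    template, secrets = split_secrets(SAMPLE_CONF)
    print(template)
    print("literal secrets left in template:", leaked_values(template, secrets))
```

Running `leaked_values` against a file before it is committed to the public repo gives a quick check that none of the extracted literals remain in it.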
