#6891 Give staging Bodhi a WaiverDB access token
Closed: Fixed 2 years ago Opened 2 years ago by bowlofeggs.

  • Describe what you need us to do:
    Bodhi's production.ini.j2 template has a waiverdb.access_token setting. We have a token that we can use for production, but we also need one for staging.

  • When do you need this? (YYYY/MM/DD)
    When it is convenient.

  • When is this no longer needed or useful? (YYYY/MM/DD)
    When Bodhi no longer integrates with WaiverDB.

  • If we cannot complete your request, what is the impact?
    I cannot test Bodhi's WaiverDB integration in staging.


Metadata Update from @bowlofeggs:
- Issue tagged with: authentication

2 years ago

I had a meeting with Patrick just now and he suggested that it would be handy if we had a script that could take some parameters and print out some SQL to be run on Ipsilon's DB by hand. I agreed to create this script and put it in our Ansible repo's scripts folder. I will assign this ticket to myself while I write that script, and then I will assign it to Patrick for him to use it to generate a token for Bodhi.

Metadata Update from @bowlofeggs:
- Issue assigned to bowlofeggs

2 years ago

OK, I've written a script in our Ansible playbook that can be used to create a token. It will spit out some SQL you can run against Ipsilon's database (in this case, to be run on staging Ipsilon) for the given scopes and service, and will print out the token to be used in Bodhi.

http://infrastructure.fedoraproject.org/cgit/ansible.git/commit/?id=4b70054

Run ./scripts/generate-oidc-token --help for usage details.

I do not have access to run SQL against Ipsilon's DB, so I need an admin to run this for me.

Metadata Update from @bowlofeggs:
- Assignee reset

2 years ago

I've now written an SOP snippet about how to do this as well:

https://pagure.io/infra-docs/pull-request/106

OK, I think I need this command run for me by a super duper admin:

$ ./scripts/generate-oidc-token bodhi -e 365 -s https://waiverdb.fedoraproject.org/oidc/create-waiver

Of course, the token is a secret - can you put it in the Ansible secrets for me and tell me the variable name? There's a production variable called "bodhi2WaiverToken", so maybe "bodhistgWaiverToken"?

Done. Please let us know if it has any issues.

:tokyo_tower:

Metadata Update from @kevin:
- Issue close_status updated to: Fixed
- Issue status updated to: Closed (was: Open)

2 years ago

Can you tell me the Ansible variable that has this secret? I tried bodhistgWaiverToken but Ansible said that variable is undefined.

Metadata Update from @bowlofeggs:
- Issue status updated to: Open (was: Closed)

2 years ago

@smooge got me the variable name. Thanks!

Metadata Update from @bowlofeggs:
- Issue close_status updated to: Fixed
- Issue status updated to: Closed (was: Open)

2 years ago

We were testing this integration in staging earlier today and we were getting a 401 error. Turns out that when we create a token for 1 year, it is valid for... 1 year and after 1 year, it needs to be re-generated :)

So I've re-created a token for staging, we re-deployed staging and suddenly bodhi update waive started working again.

I'm going to update the token for prod but I'll let @abompard decide if he wants to re-deploy prod as well or wait some more.

Any way to check if the token used is still valid? If so, we could probably have a Nagios check for that or something to help remember that we need to renew the token. Otherwise in 1 year we will have the same problem :stuck_out_tongue:

AFAIK we do not have such things; maybe by trying to authenticate via Ipsilon?
No idea :(
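
A Nagios-style check for the renewal problem raised in the comments above, as an added example that is not part of the ticket or of Fedora's infrastructure code. It assumes the date the token was generated is recorded by the operator and passed in together with the lifetime given to `-e` (365 in the command above); it does not query Ipsilon, and the function and option names are hypothetical.

```python
#!/usr/bin/env python3
"""Nagios-style expiry check for a long-lived service token (added example)."""
import argparse
import sys
from datetime import date, timedelta

OK, WARNING, CRITICAL, UNKNOWN = 0, 1, 2, 3  # standard Nagios plugin exit codes


def check_token(issued, lifetime_days, today, warn_days=30, crit_days=7):
    """Return (exit_code, message) for a token generated on `issued`.

    `issued` is an assumption: the generation date must be recorded by whoever
    runs the token script, since this check never talks to Ipsilon.
    """
    if lifetime_days <= 0 or not 0 <= crit_days <= warn_days:
        return UNKNOWN, "UNKNOWN: invalid lifetime or thresholds"
    if issued > today:
        return UNKNOWN, f"UNKNOWN: issue date {issued} is in the future"
    expires = issued + timedelta(days=lifetime_days)
    remaining = (expires - today).days
    if remaining <= 0:  # treat the expiry day itself as expired (conservative)
        return CRITICAL, f"CRITICAL: token expired on {expires}; regenerate it"
    detail = f"token expires on {expires} ({remaining} days left)"
    if remaining <= crit_days:
        return CRITICAL, f"CRITICAL: {detail}"
    if remaining <= warn_days:
        return WARNING, f"WARNING: {detail}"
    return OK, f"OK: {detail}"


def main(argv=None):
    parser = argparse.ArgumentParser(description=__doc__)
    parser.add_argument("--issued", required=True, type=date.fromisoformat,
                        help="date the token was generated, YYYY-MM-DD")
    parser.add_argument("--lifetime-days", type=int, default=365,
                        help="value that was passed to -e when generating")
    parser.add_argument("--warn-days", type=int, default=30)
    parser.add_argument("--crit-days", type=int, default=7)
    args = parser.parse_args(argv)
    code, message = check_token(args.issued, args.lifetime_days, date.today(),
                                args.warn_days, args.crit_days)
    print(message)  # Nagios shows the first line of plugin output
    return code


if __name__ == "__main__":
    sys.exit(main())
```

Because it only does date arithmetic, the check stays green if the token is revoked early; it catches the forgotten-renewal case described above, not every cause of a 401.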
