Automate the Django's app secretkey generation in the charm scripts
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| Capomastro | Fix Released | Low | Caio Begotti | |
Bug Description
<skay> roadmr: I feel silly for not knowing, but wouldn't we need to keep around the django secret key once we generate it so that we can decrypt previous user data?
<caio1982> i just had a chat about it with roadmr a moment ago, lol
<skay> roadmr: I have not studied how django does encryption and etc enough
<caio1982> one old django key "leaked"
<roadmr> skay: no idea, from what I read, django uses it internally to encrypt/salt keys
<skay> doh, I missed it, scrollup?
<roadmr> skay: er not keys, but session data, cookies and what not
<caio1982> skay: nope, in pvt because i was afraid it would be a big screw up
<roadmr> skay: so it's not used to actually encrypt any valuable information, it can be considered "throwaway" within the scope/lifetime of a single django deployment
<skay> roadmr: oh! okay
<caio1982> skay: an old django key was committed long ago in the repo and it was eventually packaged and made public, i was wondering if i should freak out about it, but seems it was a testing key that nobody knows about
<skay> roadmr: so juju can generate a secret key every time neat
<skay> caio1982: oh good then. no disaster
<roadmr> skay: so worst-case scenario if you have to change the existing key: all existing in-the-wild sessions for that application will become invalid and people would lose their progress, have to log out/in again
<roadmr> skay, caio1982 : exactly, it's not a disaster if we have to regen that key
<caio1982> question: should the charm handle this key generation every time or the person deploying it should create/set it manually for some reason?
<roadmr> this explains very nicely what the key is used for: http://
<skay> when I was first learning how to deploy a django app, I started out using heroku and followed the model of having env settings ... and then when heroku got too expensive I switched to rackspace but still used environment vars
<roadmr> caio1982: since it's just for internal django security/forgery prevention, it's of no material value to the deployer or user
<caio1982> roadmr: i'll file a bug to get this sorted on capomastro's charm then
<caio1982> it should be trivial to automate it
<roadmr> caio1982: it'd be easier to ask the human to provide the key but then we burden the human with generating a "magic" value that is of no actual concern, so we should really automate it (see my comment on the MR)
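The approach the discussion settles on, as an added example that is not the Capomastro charm's own hook code: a POSIX shell fragment of the kind a hooks/install or hooks/config-changed script could source. It draws the key from /dev/urandom the first time it runs, persists it with owner-only permissions so later hook runs reuse it instead of rotating it (which, as roadmr notes, logs every active user out), refuses a malformed key file, and renders the settings fragment Django imports. The directory behind CAPOMASTRO_KEY_DIR, the function names and the settings-file text are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not the Capomastro charm's own hook code. Paths, variable
# and function names are assumptions made for illustration.
set -eu

# Where the generated key lives between hook runs (assumed location).
KEY_DIR="${CAPOMASTRO_KEY_DIR:-/tmp/capomastro-charm-example}"
KEY_FILE="$KEY_DIR/secret_key"

# Draw the key from the kernel CSPRNG: 50 characters, letters and digits
# only, so it can be dropped into a Python string literal without escaping.
# LC_ALL=C keeps tr from rejecting non-UTF-8 bytes read from /dev/urandom.
generate_secret_key() {
    LC_ALL=C tr -dc 'A-Za-z0-9' < /dev/urandom | head -c 50
}

# Accept only a key of the shape generate_secret_key produces; a hook can
# use this to refuse a truncated or hand-edited key file.
secret_key_is_valid() {
    printf '%s' "$1" | LC_ALL=C grep -Eq '^[A-Za-z0-9]{50}$'
}

# Generate the key once and reuse it afterwards. Re-running config-changed
# must not rotate it: a new key invalidates every live session and CSRF
# token, which is the "worst case" described in the discussion above.
ensure_secret_key() {
    if [ ! -s "$KEY_FILE" ]; then
        mkdir -p "$KEY_DIR"
        # umask in a subshell so only the key file is created with mode 0600.
        ( umask 077; generate_secret_key > "$KEY_FILE" )
    fi
    key=$(cat "$KEY_FILE")
    secret_key_is_valid "$key" || {
        echo "refusing to use malformed key in $KEY_FILE" >&2
        return 1
    }
    printf '%s' "$key"
}

# Render the settings fragment the main settings module imports, in the
# spirit of the charm's capomastro_key_settings.tmpl (the fragment text
# here is made up for the example).
render_key_settings() {
    printf "SECRET_KEY = '%s'\n" "$(ensure_secret_key)"
}

# Deliberate rotation for an operator who accepts the cost: existing
# sessions become invalid and users have to log in again.
rotate_secret_key() {
    rm -f "$KEY_FILE"
    ensure_secret_key
}

# A hook would redirect this into the app's settings directory; run
# stand-alone it just prints the rendered fragment.
render_key_settings
```

The key is written only when the file is missing or empty, so install and every subsequent config-changed run yield the same SECRET_KEY; rotation is a separate, explicit action rather than a side effect of redeploying configuration.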
Related branches
- Daniel Manrique (community): Approve
- Diff: 134 lines (+51/-2), 7 files modified
  - README (+5/-0)
  - config.yaml (+5/-1)
  - hooks/config-changed (+16/-1)
  - hooks/install (+13/-0)
  - inc/common (+2/-0)
  - templates/capomastro_key_settings.tmpl (+2/-0)
  - templates/capomastro_local_settings.tmpl (+8/-0)
summary:
- Automate the Django's app secretkey generation
+ Automate the Django's app secretkey generation in the charm scripts

Changed in capomastro:
status: New → Confirmed
importance: Undecided → Low

Changed in capomastro:
status: Confirmed → Fix Released
assignee: nobody → Caio Begotti (caio1982)