Rotation for the maas shared secret key does not work
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
MAAS | Invalid | Medium | Unassigned | |
Bug Description
When rotating the 'rpc_shared_secret' I see the following error:
Oct 24 19:26:38 maas-region-1 maas.start-up[92]: [warn] Error during start-up; pausing for 3 seconds.
Oct 24 19:26:38 maas-region-1 sh[88]: 2019-10-24 19:26:38 maasserver.
Oct 24 19:26:38 maas-region-1 sh[88]: Traceback (most recent call last):
Oct 24 19:26:38 maas-region-1 sh[88]: File "/usr/lib/
Oct 24 19:26:38 maas-region-1 sh[88]: yield security.
Oct 24 19:26:38 maas-region-1 sh[88]: File "/usr/lib/
Oct 24 19:26:38 maas-region-1 sh[88]: result = inContext.theWork()
Oct 24 19:26:38 maas-region-1 sh[88]: File "/usr/lib/
Oct 24 19:26:38 maas-region-1 sh[88]: inContext.theWork = lambda: context.call(ctx, func, *args, **kw)
Oct 24 19:26:38 maas-region-1 sh[88]: File "/usr/lib/
Oct 24 19:26:38 maas-region-1 sh[88]: return self.currentCon
Oct 24 19:26:38 maas-region-1 sh[88]: File "/usr/lib/
Oct 24 19:26:38 maas-region-1 sh[88]: return func(args,*kw)
Oct 24 19:26:38 maas-region-1 sh[88]: File "/usr/lib/
Oct 24 19:26:38 maas-region-1 sh[88]: return func(*args, **kwargs)
Oct 24 19:26:38 maas-region-1 sh[88]: File "/usr/lib/
Oct 24 19:26:38 maas-region-1 sh[88]: result = func(*args, **kwargs)
Oct 24 19:26:38 maas-region-1 sh[88]: File "/usr/lib/
Oct 24 19:26:38 maas-region-1 sh[88]: return func(*args, **kwargs)
Oct 24 19:26:38 maas-region-1 sh[88]: File "/usr/lib/
Oct 24 19:26:38 maas-region-1 sh[88]: return func(*args, **kwargs)
Oct 24 19:26:38 maas-region-1 sh[88]: File "/usr/lib/
Oct 24 19:26:38 maas-region-1 sh[88]: return func_outside_
Oct 24 19:26:38 maas-region-1 sh[88]: File "/usr/lib/
Oct 24 19:26:38 maas-region-1 sh[88]: return func(*args, **kwargs)
Oct 24 19:26:38 maas-region-1 sh[88]: File "/usr/lib/
Oct 24 19:26:38 maas-region-1 sh[88]: return func(*args, **kwds)
Oct 24 19:26:38 maas-region-1 sh[88]: File "/usr/lib/
Oct 24 19:26:38 maas-region-1 sh[88]: get_shared_
Oct 24 19:26:38 maas-region-1 sh[88]: AssertionError: The secret stored in the database does not match the secret stored on the filesystem at /var/lib/
I am using the maas chart here - https:/
Looking at the MAAS source code, it appears that rotation is not supported, i.e. 'rpc_shared_secret' is only set in the database if the value is None (first time).
Problematic code (according to me) - https:/
To support rotation, I would expect the secret to be set in the database even when it is not None while the secret on the filesystem is already set.
Changed in maas:
status: New → Triaged
importance: Undecided → Medium
information type: Private Security → Public
The helm chart is 3rd party, and may contain issues - there is a way to rotate the secret by stopping MAAS, updating the database and the files that contain it (all region secret files), and the chart may not be doing that.
Having said that - MAAS today does not offer an easy way to rotate secrets. We added a secret rotation feature to our roadmap; no timeline yet.
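A simplified model of the behaviour discussed in this report, added here as an example; it is not MAAS or chart code. It shows why changing only the secret file trips the start-up assertion, and why updating the database and every region secret file together while services are stopped does not. `SecretStore`, `startup_check`, `rotate` and the file names are hypothetical.

```python
import hmac
import os
import secrets
import tempfile
from pathlib import Path

class SecretStore:  # hypothetical model: one database value, one secret file per region
    def __init__(self, region_files):
        self.db_secret, self.region_files = None, list(region_files)

def write_secret(path, secret):  # 0600 temp file, then atomic rename
    fd, tmp = tempfile.mkstemp(dir=path.parent)
    with os.fdopen(fd, "w") as f:
        f.write(secret.hex())
    os.replace(tmp, path)

def startup_check(store, path):
    """Start-up as described in the report: the database is only written when empty."""
    on_disk = bytes.fromhex(path.read_text().strip()) if path.exists() else None
    if store.db_secret is None:
        store.db_secret = on_disk or secrets.token_bytes(16)
    elif on_disk is not None and not hmac.compare_digest(store.db_secret, on_disk):
        raise AssertionError(f"database secret does not match {path}")
    write_secret(path, store.db_secret)
    return store.db_secret

def rotate(store, services_stopped):
    """Rotation as outlined in the reply: stop, then update database and every file."""
    if not services_stopped:
        raise RuntimeError("stop all region controllers before rotating")
    new = secrets.token_bytes(16)
    store.db_secret = new
    for path in store.region_files:
        write_secret(path, new)
    return new

def demo():
    with tempfile.TemporaryDirectory() as d:
        store = SecretStore([Path(d, "region-1.secret"), Path(d, "region-2.secret")])
        for path in store.region_files:
            startup_check(store, path)
        write_secret(store.region_files[0], secrets.token_bytes(16))  # file-only change
        try:
            startup_check(store, store.region_files[0])
            file_only = "started"
        except AssertionError:
            file_only = "mismatch"
        new = rotate(store, services_stopped=True)
        return file_only, all(startup_check(store, p) == new for p in store.region_files)
```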