Posted to commits@openwhisk.apache.org by ms...@apache.org on 2019/01/23 20:32:37 UTC
[incubator-openwhisk-deploy-kube] branch master updated: Enforce
unique keys for whisk.system and guest namespaces (#419)
This is an automated email from the ASF dual-hosted git repository.
msciabarra pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/incubator-openwhisk-deploy-kube.git
The following commit(s) were added to refs/heads/master by this push:
new 462cda8 Enforce unique keys for whisk.system and guest namespaces (#419)
462cda8 is described below
commit 462cda8811ad093845977a672b8b460dd0630fce
Author: David Grove <dg...@users.noreply.github.com>
AuthorDate: Wed Jan 23 15:32:32 2019 -0500
Enforce unique keys for whisk.system and guest namespaces (#419)
Fixes #418
We require unique auth values for each subject. Check that the
whisk.auth.guest and whisk.auth.system keys are unique during
couchdb initialization and fail with a clear error message instead
of allowing an unusable system to be deployed.
Also add an explicit `rm` of the default keys right after the git clone
of the openwhisk repository to make sure they can't be used by mistake
in some subsequent script operation.
---
helm/openwhisk/configMapFiles/initCouchDB/initdb.sh | 12 ++++++++++--
helm/openwhisk/configMapFiles/installPackages/myTask.sh | 1 +
2 files changed, 11 insertions(+), 2 deletions(-)
diff --git a/helm/openwhisk/configMapFiles/initCouchDB/initdb.sh b/helm/openwhisk/configMapFiles/initCouchDB/initdb.sh
index b42a1e9..d6171e5 100755
--- a/helm/openwhisk/configMapFiles/initCouchDB/initdb.sh
+++ b/helm/openwhisk/configMapFiles/initCouchDB/initdb.sh
@@ -7,11 +7,19 @@ pushd /openwhisk
git checkout $OW_GIT_TAG_OPENWHISK
popd
-# Copy the secrets whisk.auth.guest and whisk.auth.system into the cloned tree
-# overwriting the default values we cloned from git
+# Install the secrets whisk.auth.guest and whisk.auth.system into the cloned tree
+# after removing the defaults inherited from the checkout of openwhisk
+rm -f /openwhisk/ansible/files/auth.guest /openwhisk/ansible/files/auth.whisk.system
cp -f /etc/whisk-auth/guest /openwhisk/ansible/files/auth.guest
cp -f /etc/whisk-auth/system /openwhisk/ansible/files/auth.whisk.system
+# Sanity check: all subjects must have unique keys
+if cmp -s /openwhisk/ansible/files/auth.guest /openwhisk/ansible/files/auth.whisk.system; then
+ echo "FATAL ERROR: unable to initialize the OpenWhisk subjects database."
+ echo "Cannot use identical keys for whisk.auth.system and whisk.auth.guest."
+ exit 1
+fi
+
# generate db_local.ini so the ansible jobs know how to access the database
pushd /openwhisk/ansible
ansible-playbook -i environments/local setup.yml
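Review bot: The uniqueness check treats any `cmp` failure as "keys differ". `cmp -s` exits with status 2 when a file is missing or unreadable, so if either `cp -f` from /etc/whisk-auth fails after the new `rm -f`, the `if` is false and the script continues to the ansible step without reporting a key problem. Unless `set -e` is enabled above this hunk (not visible here), guard the copies, e.g. `cp -f /etc/whisk-auth/guest /openwhisk/ansible/files/auth.guest || exit 1` and the same for the system key, or test both files with `[ -s FILE ]` before comparing. The comparison is also byte-exact, so two secrets that differ only in a trailing newline would pass. The two FATAL messages would be better sent to stderr with `>&2`.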
diff --git a/helm/openwhisk/configMapFiles/installPackages/myTask.sh b/helm/openwhisk/configMapFiles/installPackages/myTask.sh
index dcee18e..183b266 100644
--- a/helm/openwhisk/configMapFiles/installPackages/myTask.sh
+++ b/helm/openwhisk/configMapFiles/installPackages/myTask.sh
@@ -13,6 +13,7 @@ export PROVIDER_DB_URL=$PROVIDER_DB_PROTOCOL://$PROVIDER_DB_USERNAME:$PROVIDER_D
git clone https://github.com/apache/incubator-openwhisk openwhisk
pushd openwhisk
git checkout $OW_GIT_TAG_OPENWHISK
+ rm -f /openwhisk/ansible/files/auth.guest /openwhisk/ansible/files/auth.whisk.system
popd
# Setup env for installRouteMgmt.sh
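Review bot: The added `rm -f` uses the absolute path /openwhisk/ansible/files/..., but the clone two lines above goes into the relative directory `openwhisk` and this line runs inside `pushd openwhisk`. If the script's working directory is not `/` (it is set outside this hunk), the command matches nothing, `rm -f` stays silent, and the default keys remain in the cloned tree. Paths relative to the checkout, `rm -f ansible/files/auth.guest ansible/files/auth.whisk.system`, would remove them wherever the clone lands.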