
Add a Rake task to aid in rotating otp_key_base

Nick Thomas requested to merge (removed):29690-rotate-otp-key-base into master

What does this MR do?

Changing otp_key_base invalidates every entry in users.otp_secret. This MR adds a rake task that can be used to update this column to work with the new value of otp_key_base.

Are there points in the code the reviewer needs to double check?

Key rotation would probably take this form:

  • Stop gitlab
  • Run rake gitlab:two_factor:rotate:apply
  • Reconfigure gitlab with a new value for otp_key_base
  • Start gitlab

This creates an outage window where two-factor-auth users won't be able to log in (although existing sessions will continue to work) for the time period between the start of rake gitlab:two_factor:rotate:apply and the restart.

Why was this MR needed?

Rotating the OTP encryption key is currently impossible to do without resetting all user OTP secrets. This MR introduces an approach that can preserve existing OTP secrets, albeit with an outage window.

Screenshots (if relevant)

Does this MR meet the acceptance criteria?

What are the relevant issue numbers?

Closes #29690

Edited by Nick Thomas
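The re-encryption that rake gitlab:two_factor:rotate:apply performs, as an added Ruby example that is not GitLab's code: each users.otp_secret value is decrypted under the old otp_key_base and re-encrypted under the new one, so the secrets survive the key change. The cipher (AES-256-GCM), the SHA-256 key derivation and the hash-based row layout are assumptions made for the illustration.

```ruby
# Added illustration, not GitLab's implementation. Models the rotation step:
# decrypt every otp_secret with the OLD otp_key_base, re-encrypt with the NEW
# one. Cipher, key derivation and row layout are assumptions of this example.
require 'openssl'

module OtpRotation
  CIPHER = 'aes-256-gcm'

  # Assumed derivation: a 32-byte cipher key as SHA-256 of otp_key_base.
  def self.cipher_key(otp_key_base)
    OpenSSL::Digest::SHA256.digest(otp_key_base)
  end

  # Returns "iv:tag:ciphertext", each part strict-base64 encoded.
  def self.encrypt(plaintext, otp_key_base)
    cipher = OpenSSL::Cipher.new(CIPHER).encrypt
    cipher.key = cipher_key(otp_key_base)
    iv = cipher.random_iv # fresh 12-byte nonce per row; never reuse with one key
    ct = cipher.update(plaintext) + cipher.final
    [iv, cipher.auth_tag, ct].map { |b| [b].pack('m0') }.join(':')
  end

  # Raises OpenSSL::Cipher::CipherError if the key is wrong: GCM's tag check
  # means a mistyped old key aborts instead of silently storing garbage.
  def self.decrypt(blob, otp_key_base)
    iv, tag, ct = blob.split(':').map { |s| s.unpack1('m0') }
    cipher = OpenSSL::Cipher.new(CIPHER).decrypt
    cipher.key = cipher_key(otp_key_base)
    cipher.iv = iv
    cipher.auth_tag = tag
    cipher.update(ct) + cipher.final
  end

  # Re-encrypt every row. Builds a new array, so a failure on any row leaves
  # the input untouched (a real task would do this inside one DB transaction).
  def self.rotate(users, old_key, new_key)
    raise ArgumentError, 'old and new otp_key_base are identical' if old_key == new_key

    users.map do |u|
      next u if u[:otp_secret].nil? # users without 2FA have nothing to rotate

      u.merge(otp_secret: encrypt(decrypt(u[:otp_secret], old_key), new_key))
    end
  end

  # Constructed sample rows, encrypted under the key being retired.
  def self.sample_users(old_key)
    [{ id: 1, otp_secret: encrypt('JBSWY3DPEHPK3PXP', old_key) },
     { id: 2, otp_secret: nil }]
  end
end
```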
