Add a Rake task to aid in rotating otp_key_base
What does this MR do?
Changing otp_key_base invalidates every entry in users.otp_secret. This MR adds a rake task that can be used to update this column to work with the new value of otp_key_base.
Are there points in the code the reviewer needs to double check?
Key rotation would probably take this form:
- Stop GitLab
- Run rake gitlab:two_factor:rotate:apply
- Reconfigure GitLab with a new value for otp_key_base
- Start GitLab
This creates an outage window where two-factor-auth users won't be able to log in (although existing sessions will continue to work) for the time period between the start of rake gitlab:two_factor:rotate:apply and the restart.
Why was this MR needed?
Rotating the OTP encryption key is currently impossible to do without resetting all user OTP secrets. This MR introduces an approach that can preserve existing OTP secrets, albeit with an outage window.
Screenshots (if relevant)
Does this MR meet the acceptance criteria?
- Changelog entry added, if necessary
- Documentation created/updated
- API support added
- Tests
  - Added for this feature/bug
  - All builds are passing
- Conform by the merge request performance guides
- Conform by the style guides
- Branch has no merge conflicts with master (if it does - rebase it please)
- Squashed related commits together
What are the relevant issue numbers?
Closes #29690
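The re-encryption step described above (decrypt each users.otp_secret with the old key, write it back encrypted under the new one), as an added self-contained Ruby example that is not part of this MR or of GitLab's code. The key derivation (SHA-256 of otp_key_base), the AES-256-GCM "iv:tag:ciphertext" storage format, the in-memory rows standing in for the table and all helper names are assumptions made for illustration; the constructed OTP secret and key bases are sample values. It also shows the failure mode the outage window comes from: once a secret has been re-encrypted, an app still holding the old otp_key_base cannot read it, and running the apply step a second time with the old key fails on the first row instead of silently corrupting anything.

```ruby
require 'openssl'

# Constructed stand-in for a key derived from otp_key_base (assumption: SHA-256
# of the base string; not GitLab's own derivation).
def derive_key(otp_key_base)
  OpenSSL::Digest::SHA256.digest(otp_key_base)
end

# AES-256-GCM with a fresh random IV per secret; stored as base64 "iv:tag:ciphertext".
# This storage format is an assumption for the example.
def encrypt_secret(key, plaintext)
  cipher = OpenSSL::Cipher.new('aes-256-gcm').encrypt
  cipher.key = key
  iv = cipher.random_iv
  cipher.auth_data = ''
  ciphertext = cipher.update(plaintext) + cipher.final
  [iv, cipher.auth_tag, ciphertext].map { |b| [b].pack('m0') }.join(':')
end

# Raises OpenSSL::Cipher::CipherError when the key does not match, because the
# GCM tag no longer verifies. That is what every 2FA user hits when otp_key_base
# changes without the column being re-encrypted.
def decrypt_secret(key, stored)
  iv, tag, ciphertext = stored.split(':').map { |b| b.unpack1('m0') }
  cipher = OpenSSL::Cipher.new('aes-256-gcm').decrypt
  cipher.key = key
  cipher.iv = iv
  cipher.auth_tag = tag
  cipher.auth_data = ''
  cipher.update(ciphertext) + cipher.final
end

# True if the secret decrypts under the key derived from the given otp_key_base.
def secret_readable_with?(otp_key_base, stored)
  decrypt_secret(derive_key(otp_key_base), stored)
  true
rescue OpenSSL::Cipher::CipherError
  false
end

# The "apply" step: decrypt every stored secret with the old key and re-encrypt
# it with the new one. Rows without 2FA enabled (nil secret) are left untouched.
# A row that does not decrypt raises before anything is returned, so a
# half-rotated table is never produced (in a real run this belongs in one
# database transaction).
def rotate_otp_secrets(rows, old_base, new_base)
  old_key = derive_key(old_base)
  new_key = derive_key(new_base)
  rows.map do |row|
    next row if row[:otp_secret].nil?
    plaintext = decrypt_secret(old_key, row[:otp_secret])
    row.merge(otp_secret: encrypt_secret(new_key, plaintext))
  end
end

if __FILE__ == $PROGRAM_NAME
  old_base = 'old-otp-key-base' # constructed sample values
  new_base = 'new-otp-key-base'
  users = [
    { id: 1, otp_secret: encrypt_secret(derive_key(old_base), 'JBSWY3DPEHPK3PXP') },
    { id: 2, otp_secret: nil } # user without 2FA
  ]
  rotated = rotate_otp_secrets(users, old_base, new_base)
  puts "readable with new otp_key_base: #{secret_readable_with?(new_base, rotated[0][:otp_secret])}"
  puts "readable with old otp_key_base: #{secret_readable_with?(old_base, rotated[0][:otp_secret])}"
end
```

The ordering in the MR follows from the last two lines: between the apply step and the reconfigure/restart, the running application still derives its key from the old otp_key_base, so every rotated secret is unreadable to it and 2FA logins fail until the restart. Running apply twice against the old key is likewise a hard error rather than a no-op, which is the behaviour you want from a one-shot migration.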