From a8eb5bdc9ec79c38293e91407f58dded8826c368 Mon Sep 17 00:00:00 2001 From: yoni Date: Mon, 13 Jan 2025 15:54:31 +0200 Subject: [PATCH 1/3] Document replacing credentials in a basic auth setup --- docs/security/access-control-lists.md | 28 +++++++++++++++++++++++++++ 1 file changed, 28 insertions(+) diff --git a/docs/security/access-control-lists.md b/docs/security/access-control-lists.md index 71156726ee2..e5b8d5a0e43 100644 --- a/docs/security/access-control-lists.md +++ b/docs/security/access-control-lists.md 
@@ -25,6 +25,34 @@ Existing lakeFS installations that have a single user and a single set of creden Installations that have more than one user / credentials will require to run a command and choose which set of user + credentials to migrate (more details [here](#migration-of-existing-user)) +### Replacing credentials + +To replace the credentials of the (single) user in a lakefs installation: +1. Delete the existing user: + ```shell + lakectl auth users delete --id + ``` +2. Shut down the lakeFS server - Required for invalidating the old credentials on the server +3. Create a new user, with the same name and new credentials: + ```shell + lakefs superuser --user-name + ``` + This will generate a new set of credentials, and will print it out to the screen: + ``` + credentials: + access_key_id: *** (omitted) + secret_access_key: *** (omitted) + ``` +4. Re-run lakeFS server + +{: .note .warning} +> Calling the `superuser` command with `--access-key-id` and without `--secret-access-key` will make lakefs try to +> import an existing user (see [Migration of existing user](#migration-of-existing-user)). +> In case you already deleted the user by following step (1), this import operation will **fail** and result in an +> **unrecoverable** state, and a clean installation is the only way out. +> +> In general, replacing credentials is a risky operation. Proceed with caution. + ## ACLs ACL server was moved out of core lakeFS and into a new package under `contrib/auth/acl`. From bde7622a5b62abd597bc5d2fc87e7382ff91b465 Mon Sep 17 00:00:00 2001 From: yonipeleg33 <51454184+yonipeleg33@users.noreply.github.com> Date: Tue, 14 Jan 2025 12:47:28 +0200 Subject: [PATCH 2/3] [CR] change wording --- docs/security/access-control-lists.md | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/docs/security/access-control-lists.md b/docs/security/access-control-lists.md index e5b8d5a0e43..447d66fb9ad 100644 --- a/docs/security/access-control-lists.md 
+++ b/docs/security/access-control-lists.md @@ -27,7 +27,7 @@ Installations that have more than one user / credentials will require to run a c ### Replacing credentials -To replace the credentials of the (single) user in a lakefs installation: +In non-ACL setup (single user), replacing credentials can be done as follows: 1. Delete the existing user: ```shell lakectl auth users delete --id @@ -46,12 +46,12 @@ To replace the credentials of the (single) user in a lakefs installation: 4. Re-run lakeFS server {: .note .warning} -> Calling the `superuser` command with `--access-key-id` and without `--secret-access-key` will make lakefs try to -> import an existing user (see [Migration of existing user](#migration-of-existing-user)). +> Calling the `superuser` command with pre-defined `--access-key-id` and `--secret-access-key` is possible, +> but should be done with caution. Make sure that `--secret-access-key` is **not empty**, +> as providing an access key without a secret key will trigger an ACL import flow +> (see [Migration of existing user](#migration-of-existing-user)). > In case you already deleted the user by following step (1), this import operation will **fail** and result in an -> **unrecoverable** state, and a clean installation is the only way out. -> -> In general, replacing credentials is a risky operation. Proceed with caution. +> **unrecoverable** state, from which a clean installation is the only way out. ## ACLs @@ -102,4 +102,4 @@ For example, if you have a user with username `` and credential key lakefs superuser --user-name --access-key-id ``` -After running the command you will be able to access the installation using the user's access key id and its respective secret access key. \ No newline at end of file +After running the command you will be able to access the installation using the user's access key id and its respective secret access key. From 2dc6a56853e795fa060d20039de6bbdc6821605e Mon Sep 17 00:00:00 2001 
From: yonipeleg33 <51454184+yonipeleg33@users.noreply.github.com> Date: Tue, 14 Jan 2025 15:06:54 +0200 Subject: [PATCH 3/3] [CR] Tal's comments --- docs/security/access-control-lists.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/security/access-control-lists.md b/docs/security/access-control-lists.md index 447d66fb9ad..34532175a58 100644 --- a/docs/security/access-control-lists.md +++ b/docs/security/access-control-lists.md @@ -25,9 +25,9 @@ Existing lakeFS installations that have a single user and a single set of creden Installations that have more than one user / credentials will require to run a command and choose which set of user + credentials to migrate (more details [here](#migration-of-existing-user)) -### Replacing credentials +### Credentials Replacement -In non-ACL setup (single user), replacing credentials can be done as follows: +In a single user setup, replacing credentials can be done as follows: 1. Delete the existing user: ```shell lakectl auth users delete --id
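Review bot: In PATCH 1/3, hunk `@@ -25,6 +25,34 @@`, step 2 ("Shut down the lakeFS server - Required for invalidating the old credentials on the server") implies that deleting the user in step 1 does not by itself revoke the old key, but the text never says so. A reader rotating a leaked key will assume step 1 is the revocation. Suggest stating it outright, for example "Shut down the lakeFS server. The old credentials stay valid until the server stops." The warning block is also placed after step 4, while the hazard it describes is in step 3 and is reachable only after step 1 has been run; since the outcome is described as **unrecoverable**, move the warning above the numbered list or into step 3. Smaller point: the output sample uses a bare fence while the two command blocks use `shell`; tag it (for example as `yaml` or `text`) for consistency.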
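Review bot: In PATCH 2/3, hunk `@@ -46,12 +46,12 @@`, "Make sure that `--secret-access-key` is **not empty**" is narrower than the line it replaces, which warned about calling `superuser` with `--access-key-id` "and without `--secret-access-key`". "Not empty" can be read as covering only an empty string, not an omitted flag, although the following clause ("providing an access key without a secret key") covers both. Suggest "Make sure that `--secret-access-key` is present and not empty", and consider noting that a value taken from an unset shell variable expands to an empty string and lands in the same import flow. The sentence "In case you already deleted the user by following step (1)" still depends on the reader having reached this block after the steps, so the placement concern from the first patch applies here as well.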
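Review bot: In PATCH 3/3, hunk `@@ -25,9 +25,9 @@`, the new heading "### Credentials Replacement" is title case, while the section this page links to as `#migration-of-existing-user` is written "Migration of existing user"; pick one heading style for the file. In the line below it, "single user setup" should be hyphenated: "In a single-user setup". This edit also drops the "non-ACL" qualifier that patch 2 introduced ("In non-ACL setup (single user)"), so the sentence no longer scopes the procedure away from ACL installations; if that scoping is intended, keep it, for example "In a single-user (non-ACL) setup".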