Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Document replacing credentials in a basic auth setup #8491

Merged
merged 3 commits into from
Jan 14, 2025
Merged

Document replacing credentials in a basic auth setup #8491

Changes from all commits
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
a8eb5bd
Document replacing credentials in a basic auth setup
yonipeleg33 Jan 13, 2025
bde7622
[CR] change wording
yonipeleg33 Jan 14, 2025
2dc6a56
[CR] Tal's comments
yonipeleg33 Jan 14, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
30 changes: 29 additions & 1 deletion docs/security/access-control-lists.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -25,6 +25,34 @@ Existing lakeFS installations that have a single user and a single set of creden
Installations that have more than one user / credentials will require to run a command and choose which set of user + credentials to migrate
(more details [here](#migration-of-existing-user))

### Credentials Replacement

In a single user setup, replacing credentials can be done as follows:
1. Delete the existing user:
```shell
lakectl auth users delete --id <user-id>
```
2. Shut down the lakeFS server - Required for invalidating the old credentials on the server
3. Create a new user, with the same name and new credentials:
```shell
lakefs superuser --user-name <user-id>
```
This will generate a new set of credentials, and will print it out to the screen:
```
credentials:
access_key_id: *** (omitted)
secret_access_key: *** (omitted)
```
4. Re-run lakeFS server

{: .note .warning}
> Calling the `superuser` command with pre-defined `--access-key-id` and `--secret-access-key` is possible,
> but should be done with caution. Make sure that `--secret-access-key` is **not empty**,
> as providing an access key without a secret key will trigger an ACL import flow
> (see [Migration of existing user](#migration-of-existing-user)).
> In case you already deleted the user by following step (1), this import operation will **fail** and result in an
> **unrecoverable** state, from which a clean installation is the only way out.
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is not good. You should at least provide a way to reset the super user here..

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@ion-elgreco thanks for the feedback (!!)
You are right that it's not good, this specific scenario is an edge case that is not supported for OSS without ACL.
We created an issue to add programatic protection against this.

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yeah, I added a response to the issue last night, for a possible quick solution


## ACLs

ACL server was moved out of core lakeFS and into a new package under `contrib/auth/acl`.
Expand Down Expand Up @@ -74,4 +102,4 @@ For example, if you have a user with username `<my-username>` and credential key
lakefs superuser --user-name <my-username> --access-key-id <my-access-key-id>
```

After running the command you will be able to access the installation using the user's access key id and its respective secret access key.
After running the command you will be able to access the installation using the user's access key id and its respective secret access key.
Loading