Channels
announcements
blockers_for_windward
career-opportunities
celebrations
cuddle-corner
data-discussion
data-events
dev
events
general
help
iceberg-integration
lakefs-for-beginners
lakefs-hubspot-cloud-registration-email-automation
lakefs-releases
lakefs-suggestions
lakefs-twitter
linen-dev
memes-and-banter
say-hello
stackoverflow
test
Title
h
HT
05/25/2023, 2:51 AMWe are deploying LakeFS into Azure. Just a curious about what
LAKEFS-ENCRYPT-SECRETLAKEFS_AUTH_ENCRYPT_SECRET_KEYa
Ariel Shaqed (Scolnicov)
05/25/2023, 4:34 AMHi @HT,
Welcome to the Azure lake!
Are you referring to the configuration property auth.encrypt.secret_key? This is used primarily by the auth DB to store secret keys and passwords. Helps prevent various attacks on them if the DB itself leaks, including dictionary and rainbow table attacks. It should be a long random and secret string: if I know your key then there are several attacks I can mount against your database that may allow me to recover keys. IIRC we use the standard bcrypt here.
There should be documentation for everything config related on https://docs.lakefs.io/reference/configuration.html. And, as always, please be sure to ask here or open an issue if any configuration property is missing!
h
HT
05/25/2023, 4:36 AMI am refering to this one:
le me double check with our DevOps
sorry, I mean
LAKEFS_AUTH_ENCRYPT_SECRET_KEYa
Ariel Shaqed (Scolnicov)
05/25/2023, 4:58 AMSure, that's the same one! Same page explains how to convert field names in the config file into environment variables - and that's what you get.
So you want a long random secret string there, and you cannot change that string. It will be used to protect passwords and secret keys using bcrypt.
h
HT
05/25/2023, 6:14 AMWe had a situation where: we have lakefs running with users etc
The we restarted the server but made a mistake of changing that key. We lost access to our lakefs: cannot login anymore
We tried to put back the old key but still cannot logged back in. Is this expected?
Is there a way to recover?
We are lucky that this was just a test server. But if this happen with a production server, how do you recover?
a
Ariel Shaqed (Scolnicov)
05/25/2023, 6:16 AMOuch. Unfortunately bcrypt is really good at its job, and AFAIK there is no way to recover data without the key.
If you reuse the old key value then you should be back inside.
On production servers typically keys go into your secret store. So if your secret store is backed up you are okay.
h
HT
05/25/2023, 6:18 AMWe do have the old key. We restarted the server and couldn't still get back in
You are saying that we should be able to recover with the old key?
a
Ariel Shaqed (Scolnicov)
05/25/2023, 6:21 AMYes, the key should work. Can you post logs from startup and from a failed connection attempt, please? Or send them to @Lynn Rozen and me, of course.
h
HT
05/25/2023, 6:22 AMOk. Good to know. I will try to retrieve the logs and ideally reproduce the issue
(We already re deploy from scratch :p)
Thanks for getting back