We are deploying LakeFS into Azure. Just curious...
# help
h
We are deploying LakeFS into Azure. Just curious about what `LAKEFS-ENCRYPT-SECRET` is used for? We found that if we change that, all users cannot log in anymore... Is that key used to encrypt end user password/secret key? Edit: I mean `LAKEFS_AUTH_ENCRYPT_SECRET_KEY`
a
Hi @HT, Welcome to the Azure lake! Are you referring to the configuration property auth.encrypt.secret_key? This is used primarily by the auth DB to store secret keys and passwords. Helps prevent various attacks on them if the DB itself leaks, including dictionary and rainbow table attacks. It should be a long random and secret string: if I know your key then there are several attacks I can mount against your database that may allow me to recover keys. IIRC we use the standard bcrypt here. There should be documentation for everything config related on https://docs.lakefs.io/reference/configuration.html. And, as always, please be sure to ask here or open an issue if any configuration property is missing!
h
I am referring to this one:
Let me double-check with our DevOps.
Sorry, I mean `LAKEFS_AUTH_ENCRYPT_SECRET_KEY`
a
Sure, that's the same one! Same page explains how to convert field names in the config file into environment variables - and that's what you get. So you want a long random secret string there, and you cannot change that string. It will be used to protect passwords and secret keys using bcrypt.
h
We had a situation where we have lakefs running with users etc. Then we restarted the server but made the mistake of changing that key. We lost access to our lakefs: cannot log in anymore. We tried to put back the old key but still cannot log back in. Is this expected?
Is there a way to recover?
We are lucky that this was just a test server. But if this happens with a production server, how do you recover?
a
Ouch. Unfortunately bcrypt is really good at its job, and AFAIK there is no way to recover data without the key. If you reuse the old key value then you should be back inside.
On production servers typically keys go into your secret store. So if your secret store is backed up you are okay.
h
We do have the old key. We restarted the server and still couldn't get back in.
You are saying that we should be able to recover with the old key?
a
Yes, the key should work. Can you post logs from startup and from a failed connection attempt, please? Or send them to @Lynn Rozen and me, of course.
h
Ok. Good to know. I will try to retrieve the logs and ideally reproduce the issue (we already redeployed from scratch :p)
Thanks for getting back