Deuxfleurs/garage
41
56
Fork 73
Code Issues 98 Pull requests 14 Releases 30 Wiki Activity

Add a --yes flag + checks to garage key import #278

New issue
Closed
opened 2022-03-30 16:54:21 +00:00 by kinovic · 6 comments
kinovic commented 2022-03-30 16:54:21 +00:00
Copy link

We are thinking about deploying garage as our main S3 storage, we like idea about it a lot. we have found nice feature, which in most cases is good, but is a bit painfull in another.

Matching resources as startsWith is usually great, fe setting up cluster, where I can reference it by two characters. But when working with keys it comes with some problems.

root@garage-1-a:~# garage -c /etc/garage/spin.toml key list
List of keys:
  backup             Imported key
  deb-prod-repo      Imported key
  deb-prod-repo-rw   Imported key
  deb-stage-repo     Imported key
  deb-stage-repo-rw  Imported key
  dupla              Imported key
root@garage-1-a:~# garage -c /etc/garage/spin.toml key info deb-prod-repo
Error: 2 matching keys

it would be nice if we can match the key ids exact, would make our lifes easier, something like
garage -c /etc/garage/spin.toml key info deb-prod-repo --exact-id-match

anyway guys, great work.

We are thinking about deploying garage as our main S3 storage, we like idea about it a lot. we have found nice feature, which in most cases is good, but is a bit painfull in another. Matching resources as `startsWith` is usually great, fe setting up cluster, where I can reference it by two characters. But when working with keys it comes with some problems. ``` root@garage-1-a:~# garage -c /etc/garage/spin.toml key list List of keys: backup Imported key deb-prod-repo Imported key deb-prod-repo-rw Imported key deb-stage-repo Imported key deb-stage-repo-rw Imported key dupla Imported key root@garage-1-a:~# garage -c /etc/garage/spin.toml key info deb-prod-repo Error: 2 matching keys ``` it would be nice if we can match the key ids `exact`, would make our lifes easier, something like `garage -c /etc/garage/spin.toml key info deb-prod-repo --exact-id-match` anyway guys, great work.
kinovic commented 2022-03-30 18:34:49 +00:00
Author
Copy link

when using name instead keyId it works as expected, so we might stay with name now.

root@garage-1-a:~# garage -c /etc/garage/spin.toml key list
List of keys:
  GK2ac2b18ef4bcf0cff87d5ee0  backup
  GK4f42d16d563213de1fa3ad9e  deb-stage-repo
  GK7189cff9b9a7ea7e268bbc96  deb-prod-repo-rw
  GKa00ec29b46b28a5218caac25  deb-prod-repo
  GKa67f7b11a714be63ae336e95  dupla
  GKfe8139f7030d7352e061dcee  deb-stage-repo-rw
root@garage-1-a:~# garage -c /etc/garage/spin.toml key info deb-prod-repo
Key name: deb-prod-repo
Key ID: GKa00ec29b46b28a5218caac25
Secret key: 53c7b5ff375669cc640870de4f83f1adc4a1e61e549549d612fbc73176547057
Can create buckets: false

Key-specific bucket aliases:

Authorized buckets:
when using name instead keyId it works as expected, so we might stay with name now. ``` root@garage-1-a:~# garage -c /etc/garage/spin.toml key list List of keys: GK2ac2b18ef4bcf0cff87d5ee0 backup GK4f42d16d563213de1fa3ad9e deb-stage-repo GK7189cff9b9a7ea7e268bbc96 deb-prod-repo-rw GKa00ec29b46b28a5218caac25 deb-prod-repo GKa67f7b11a714be63ae336e95 dupla GKfe8139f7030d7352e061dcee deb-stage-repo-rw root@garage-1-a:~# garage -c /etc/garage/spin.toml key info deb-prod-repo Key name: deb-prod-repo Key ID: GKa00ec29b46b28a5218caac25 Secret key: 53c7b5ff375669cc640870de4f83f1adc4a1e61e549549d612fbc73176547057 Can create buckets: false Key-specific bucket aliases: Authorized buckets: ```
quentin commented 2022-03-31 09:00:40 +00:00
Owner
Copy link

Thanks for your feedback, it is valuable to us!

I will rephrase your issue within our context and our assumptions, it will help you understand the current behavior of the CLI.

Early in Garage's development, we chose arbitrarily that access keys would be generated strings starting with GK followed by 12 random bytes encoded in hexadecimal. This is a choice similar to AWS but different from Minio that allow users to set the access key to whatever value they want.

At this moment, we were also making some heavy refactors to the data model, one of them involved manually reimporting the keys, hence we introduced the import subcommand to reinject keys previously generated by Garage, but we did not expect that people would use it to create keys with a custom identifier.

In the context of Garage, there is an advantage to use generated keys instead of user defined ones. As you may know, Garage tries to reduce synchronization in the cluster to avoid amplifying the existing latency between nodes. If 2 operators are creating a key with the same identifier from 2 different nodes more or less at the same time, the action will succeed from both sides, but later both identifiers will be merged and only one secret key will remain. However, if you rely on our randomly generated keys, and put names (aliases) on them, we overcome this problem: 2 different keys can have the same name on the cluster as long as their identifier is different.

As a conclusion, we never expected to match a key identifier that is not exactly 26 characters long, which is why we did not consider the case where one identifier is a substring of another one. In the end, we must know if we want to modify garage to officially supports custom key identifiers, and thus adapt our subcommands additionnaly to our matching logic, or we should disable it. Your issue raises multiple questions:

  • Should we allow users to set their own key identifier despite the risks?
  • Should we remove the import subcommand? Or hide it somewhere else?
  • Should we add a warning? What should we write?
  • Should we check in the import subcommand that key identifiers and secret keys follow a specific pattern (exactly 26 characters long, starting with GK, etc.)

I would recommend at least implementing the last point, checking the format of the identifier and secret. We might also discuss adding an hidden --yes or --force flag displaying a message that this command is reserved for migrations and should not be used to add custom values.

@kinovic: your second approach, by setting a --name, is the "correct" one. You can use these aliases on all other commands, for example garage bucket allow --read --key dupla my-bucket. Please not that you also "leaked" the secret key of deb-prod-repo. If you intend to use this cluster for production use, you should rotate this key.

Thanks for your feedback, it is valuable to us! I will rephrase your issue within our context and our assumptions, it will help you understand the current behavior of the CLI. Early in Garage's development, we chose arbitrarily that access keys would be generated strings starting with `GK` followed by 12 random bytes encoded in hexadecimal. This is a choice similar to AWS but different from Minio that allow users to set the access key to whatever value they want. At this moment, we were also making some heavy refactors to the data model, one of them involved manually reimporting the keys, hence we introduced the `import` subcommand to reinject keys previously generated by Garage, but we did not expect that people would use it to create keys with a custom identifier. In the context of Garage, there is an advantage to use generated keys instead of user defined ones. As you may know, Garage tries to reduce synchronization in the cluster to avoid amplifying the existing latency between nodes. If 2 operators are creating a key with the same identifier from 2 different nodes more or less at the same time, the action will succeed from both sides, but later both identifiers will be merged and only one secret key will remain. However, if you rely on our randomly generated keys, and put names (aliases) on them, we overcome this problem: 2 different keys can have the same name on the cluster as long as their identifier is different. As a conclusion, we never expected to match a key identifier that is not exactly 26 characters long, which is why we did not consider the case where one identifier is a substring of another one. In the end, we must know if we want to modify garage to officially supports custom key identifiers, and thus adapt our subcommands additionnaly to our matching logic, or we should disable it. Your issue raises multiple questions: - Should we allow users to set their own key identifier despite the risks? - Should we remove the `import` subcommand? Or hide it somewhere else? - Should we add a warning? What should we write? - Should we check in the `import` subcommand that key identifiers and secret keys follow a specific pattern (exactly 26 characters long, starting with `GK`, etc.) I would recommend at least implementing the last point, checking the format of the identifier and secret. We might also discuss adding an hidden `--yes` or `--force` flag displaying a message that this command is reserved for migrations and should not be used to add custom values. @kinovic: your second approach, by setting a `--name`, is the "correct" one. You can use these aliases on all other commands, for example `garage bucket allow --read --key dupla my-bucket`. Please not that you also "leaked" the secret key of `deb-prod-repo`. If you intend to use this cluster for production use, you should rotate this key.
quentin changed title from Improve way how to detect/select items to garage key import is used to create custom key identifiers and lead to weird behaviors 2022-03-31 09:03:27 +00:00
quentin added the
kind
wrong-behavior
 label 2022-03-31 09:03:58 +00:00
quentin added the
scope
documentation
 label 2022-03-31 09:12:57 +00:00
kinovic commented 2022-03-31 17:04:02 +00:00
Author
Copy link

thx for pointing out of leaked key, but this is pure development/testing (probably already wiped multiple of times).

for us/me import feature is nice and great in what we are doing, so having it would save us if we loose the cluster and need to rebuild, since read keys would be distributed on multiple places already.

in our flow, what we are doing right now we are OK only with new keys (randomly generated), because it is done only once and secrets are exported (future into some vault), they get distributed into our ci, developer machines etc. What would be a bit painfull is, if we loose cluster. In that case import would help us a lot, because we do not have to redistribute all the keys again.

IMHO:

  • Should we allow users to set their own key identifier despite the risks?
    yes, just document it. Like: it was designed to use GK(24chars) exactly and if you use something else there are some limitation. You cannot have key as substring of another otherwise it will lead to unexpected scenarios
  • Should we remove the import subcommand? Or hide it somewhere else?
    please leave it somewhere
  • Should we add a warning? What should we write?
    dude you are doing unsuported thing... It might and will lead into unexpected behavior
  • Should we check in the import subcommand that key identifiers and secret keys follow a specific pattern (exactly 26 characters long, starting with GK, etc.)
    no, see above, just note that you are using this feature at own risk and might and will lead into unexpected behavior, even when you enforce some logic, you will hit problem with repeating keys, as I understand you cannot use deleted key anyway
thx for pointing out of leaked key, but this is pure development/testing (probably already wiped multiple of times). for us/me import feature is nice and great in what we are doing, so having it would save us if we loose the cluster and need to rebuild, since read keys would be distributed on multiple places already. in our flow, what we are doing right now we are OK only with new keys (randomly generated), because it is done only once and secrets are exported (future into some vault), they get distributed into our ci, developer machines etc. What would be a bit painfull is, if we loose cluster. In that case import would help us a lot, because we do not have to redistribute all the keys again. IMHO: * Should we allow users to set their own key identifier despite the risks? *yes, just document it. Like: it was designed to use GK(24chars) exactly and if you use something else there are some limitation. You cannot have key as substring of another otherwise it will lead to unexpected scenarios* * Should we remove the import subcommand? Or hide it somewhere else? *please leave it somewhere* * Should we add a warning? What should we write? *dude you are doing unsuported thing... It might and will lead into unexpected behavior* * Should we check in the import subcommand that key identifiers and secret keys follow a specific pattern (exactly 26 characters long, starting with GK, etc.) *no, see above, just note that you are using this feature at own risk and might and will lead into unexpected behavior, even when you enforce some logic, you will hit problem with repeating keys, as I understand you cannot use deleted key anyway*
quentin commented 2022-04-05 10:33:17 +00:00
Owner
Copy link

After discussing with the other maintainers, we think the following changes would be the best tradeoff between guiding our users to the best practises while giving them some margin:

  • Adding a --yes flag to garage key import (here) similarly to the one on garage migrate (here)
  • Aborting the command (here) if the --yes flag is not provided, similarly to garage migrate command (here). Saying something in the error message like This command is intended to re-import keys that were previously generated by Garage. If you want to create a new key, use "garage key new" instead. Add the --yes flag if you really want to re-import a key.
  • Checking that the key is exactly 26 characters long (it will prevent beginners from shooting themself in the foot while allowing expert users to break the system as they want ^^)

Let us know if you want to write a PR for this issue, otherwise we will put it in our backlog and write a patch in the coming weeks :-)

After discussing with the other maintainers, we think the following changes would be the best tradeoff between guiding our users to the best practises while giving them some margin: - Adding a `--yes` flag to `garage key import` ([here](https://git.deuxfleurs.fr/Deuxfleurs/garage/src/branch/main/src/garage/cli/structs.rs#L342-L352)) similarly to the one on `garage migrate` ([here](https://git.deuxfleurs.fr/Deuxfleurs/garage/src/branch/main/src/garage/cli/structs.rs#L354-L362)) - Aborting the command ([here](https://git.deuxfleurs.fr/Deuxfleurs/garage/src/branch/main/src/garage/admin.rs#L555-L583)) if the `--yes` flag is not provided, similarly to `garage migrate` command ([here](https://git.deuxfleurs.fr/Deuxfleurs/garage/src/branch/main/src/garage/admin.rs#L585-L599)). Saying something in the error message like *This command is intended to re-import keys that were previously generated by Garage. If you want to create a new key, use "garage key new" instead. Add the --yes flag if you really want to re-import a key.* - Checking that the key is exactly 26 characters long (it will prevent beginners from shooting themself in the foot while allowing expert users to break the system as they want ^^) Let us know if you want to write a PR for this issue, otherwise we will put it in our backlog and write a patch in the coming weeks :-)
👍 1
kinovic commented 2022-04-11 07:38:25 +00:00
Author
Copy link

unfortunatelly I do not know about Rust a thing... So I cannot help :/ for me it would be totally new language to leard and right now I do have different priorities.

As I understand how it works now, I'm happy with current solution.

thx

unfortunatelly I do not know about Rust a thing... So I cannot help :/ for me it would be totally new language to leard and right now I do have different priorities. As I understand how it works now, I'm happy with current solution. thx
👍 1
quentin changed title from garage key import is used to create custom key identifiers and lead to weird behaviors to Add a --yes flag + checks to garage key import 2022-04-11 07:56:39 +00:00
quentin added
action
for-newcomers
 and removed
scope
documentation
 labels 2022-04-11 09:22:10 +00:00
lx added this to the v0.9 milestone 2022-10-16 19:11:53 +00:00
lx commented 2023-06-13 13:59:37 +00:00
Owner
Copy link

Added, will be merged in Garage v0.9

Added, will be merged in Garage v0.9
lx closed this issue 2023-06-13 13:59:37 +00:00
Sign in to join this conversation.
No Branch/Tag specified
Branches Tags
main
update-dependencies-1.1
feat-metrics-metadata-engine
improve-secret-error-message
hotfix/1.0.0-rc1-red-ftr-wquorum
main-0.9.x
db-no-unsafe
main-0.8.x
k2v/shared_http_client
feat/website-redir
smithy2
test/compilation
poc/nomad-ci
test-ci-wait
pnet_datalink-0.33.0
optimal-layout
k2v-watch-range
db-debug-log
build-convert-db
demonstrate-cargo2nix-bug
dangerous/no-fsync
dev0.7.3
doc/benchmarks
bug/check_static
bucket-cors-more
storage-optimizations
old-main
v1.0.1
v1.0.0
v0.9.4
v1.0.0-rc1
v0.8.7
v0.9.3
v0.9.2
v0.8.6
v0.9.2-rc1
v0.9.1
v0.8.5
v0.10.0-beta1
v0.9.0
v0.9.0-rc2
v0.9.0-rc1
v0.9.0-beta4
v0.9.0-beta3
v0.9.0-beta2
v0.8.4
v0.9.0-beta1
v0.8.3
v0.8.3-rc1
format_table-v0.1.1
format_table-v0.1.0
v0.8.2
v0.8.1
v0.8.0
v0.8.0-rc2
v0.8.0-rc1
v0.8.0-dangerous-no-fsync
v0.8.0-beta2-k2v
v0.8.0-beta2
v0.8.0-beta1-k2v
v0.8.0-beta1
v0.7.99.3-k2v
v0.7.3
v0.7.3-beta2
v0.7.3-beta1
v0.7.2.1
v0.7.2
v0.7.2_ci-test-2
v0.7.2+ci-test-version
v0.7.99.2-k2v
v0.7.99.1-k2v
v0.7.99-k2v
v0.7.2-k2v
v0.7.1-admin-k2v-2
v0.7.1-admin-k2v
v0.7.1-k2v
v0.7.1
v0.7.0
v0.7.0-rc1
v0.6.1
v0.6.0
v0.6.0-rc1
v0.5.1
v0.5.0.1
v0.5.0
v0.5-beta1
v0.4.0
v0.4-rc2
v0.4-rc1
0.4-beta
0.4-alpha
v0.3.0.2
v0.3.0.1
v0.3.0
v0.2.1.5
v0.2.1
v0.2.0
0.1.1b
0.1.1
0.1.0b
0.1.0
Labels
Clear labels   
action
check-aws
The behaviour should be checked against AWS S3

  
action
discussion-needed
We need to discuss if the feature is desirable and/or better specify the envisioned behavior or technical implementation

  
action
for-external-contributors
Core team does not plan working on this in the near future however an external contribution will be reviewed & merged

  
action
for-newcomers
An issue that should be newcomer friendly.

  
action
more-info-needed
More information is needed to investigate this issue

  
action
need-funding
This issue represents lots of work, we need to find money to pay our core team work

  
action
triage-required
It's not very clear what we want to do with this issue yet, more thoughts is required

  
kind
correctness
Issues of theoretical correctness that may impact edge-case scenarios

  
kind
ideas
For abstract ideas/proposal to make Garage better, to better communicate our not yet achieved aims

  
kind
improvement
Feature requests that do not fall in other categories

  
kind
performance
Deceptive performance observed OR idea to improve performances

  
kind
testing
Functional tests, integration tests, Jepsen, etc.

  
kind
usability
Propositions to make Garage easier to operate, by improving error reporting, CLI, etc.

  
kind
wrong-behavior
Unintended behavior

  
prio
critical
Could impact integrity or availability of production clusters

  
prio
low
For issues that we don't want to spend time on until made absolutely necessary

  
scope
admin-api
Issues concerning the administration API

  
scope
background-healing
Background healing covers repair tasks, anti-entropy, merkle trees, etc. ; everything related to replicating data appropriately.

  
scope
build
Issues with Nix, Drone, Rust Compiler, etc.

  
scope
documentation

  
scope
k8s
Kubernetes related, including Helm Charts

  
scope
layout
Linked to the cluster layout and storage management

  
scope
metadata
Metadata Engine (LMDB, sqlite, etc.)

  
scope
ops
Operations related to operations/maintenance issue, tooling related (like CLI missing info ; impossible, too dangerous, too complicated migration, etc.)

  
scope
rpc
Linked to RPC

  
scope
s3-api
Related to the S3 API (especially compatibility issues).

  
scope
security
Cryptography-related, auth-related, authorization-related issues

  
scope
telemetry
OpenTelemetry (traces, metrics, etc.)

No labels
action
check-aws
action
discussion-needed
action
for-external-contributors
action
for-newcomers
action
more-info-needed
action
need-funding
action
triage-required
kind
correctness
kind
ideas
kind
improvement
kind
performance
kind
testing
kind
usability
kind
wrong-behavior
prio
critical
prio
low
scope
admin-api
scope
background-healing
scope
build
scope
documentation
scope
k8s
scope
layout
scope
metadata
scope
ops
scope
rpc
scope
s3-api
scope
security
scope
telemetry
Milestone
Clear milestone
No items
No milestone
v0.9
Projects
Clear projects
No items
No project
Assignees
Clear assignees
No assignees
3 participants
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference: Deuxfleurs/garage#278
No description provided.
Delete branch "%!s()"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?