It should be possible to change password_secret in some way.
It is not possible to change the password once data is stored in the DB.
Give the option to add a new password to the server.conf and remove the old one, or provide any kind of command-line option to change the password during runtime.
Given that the background for this is overly eager auditors who think that this is a password because it says password in the name, we should rename it to encryption_salt (or something similar) in the default configuration file, but keep backwards compatibility for the old name.
@lennartkoopmann Except that it is being used as a password for encrypting and decrypting LDAP settings (at least the first 16 characters):
https://github.com/Graylog2/graylog2-server/blob/8e18e6aec597bd0895e5525e652995e3d34a1a6b/graylog2-server/src/main/java/org/graylog2/security/ldap/LdapSettingsImpl.java#L153-L156
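Why a changed secret can no longer read stored settings, and what a re-encryption step for the requested rotation could look like, as an added example that is not part of this thread and not Graylog's code. It assumes AES-GCM with a random IV (the thread does not state the cipher mode); `SecretRotation`, its methods and the sample secrets are hypothetical.

```java
import javax.crypto.Cipher;
import javax.crypto.spec.*;
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.util.*;

// Hypothetical helper, not Graylog code. AES-GCM is an assumption made for this sketch.
public class SecretRotation {
    // As described in the comment above: only the first 16 characters (bytes here) form the key.
    static SecretKeySpec keyFrom(String secret) {
        byte[] b = secret.getBytes(StandardCharsets.UTF_8);
        if (b.length < 16) throw new IllegalArgumentException("secret shorter than 16 bytes");
        return new SecretKeySpec(Arrays.copyOf(b, 16), "AES");
    }
    // Output layout: Base64(12-byte IV || ciphertext+tag).
    static String encrypt(String plain, String secret) throws GeneralSecurityException {
        byte[] iv = new byte[12];
        new SecureRandom().nextBytes(iv);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, keyFrom(secret), new GCMParameterSpec(128, iv));
        byte[] ct = c.doFinal(plain.getBytes(StandardCharsets.UTF_8));
        byte[] out = Arrays.copyOf(iv, iv.length + ct.length);
        System.arraycopy(ct, 0, out, iv.length, ct.length);
        return Base64.getEncoder().encodeToString(out);
    }
    static String decrypt(String stored, String secret) throws GeneralSecurityException {
        byte[] in = Base64.getDecoder().decode(stored);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, keyFrom(secret), new GCMParameterSpec(128, in, 0, 12));
        return new String(c.doFinal(in, 12, in.length - 12), StandardCharsets.UTF_8);
    }
    // Rotation step: decrypt with the old secret, re-encrypt with the new one.
    static String rotate(String stored, String oldSecret, String newSecret) throws GeneralSecurityException {
        return encrypt(decrypt(stored, oldSecret), newSecret);
    }
    public static void main(String[] args) throws Exception {
        String oldSecret = "constructed-old-secret-0001"; // constructed sample values
        String newSecret = "constructed-new-secret-0002";
        String stored = encrypt("ldap-bind-password", oldSecret);
        try {
            decrypt(stored, newSecret); // fails: the key derived from the new secret differs
        } catch (GeneralSecurityException e) {
            System.out.println("new secret cannot read old data: " + e.getClass().getSimpleName());
        }
        System.out.println(decrypt(rotate(stored, oldSecret, newSecret), newSecret));
        // Same first 16 bytes give the same key, so changing only the tail rotates nothing.
        System.out.println(decrypt(stored, oldSecret.substring(0, 16) + "-changed-tail"));
    }
}
```

A rotation option would need both secrets available at once, which is what the request for "add a new password and remove the old one" amounts to.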
Will this be added?
The only concern I have is when I use the LDAP settings for auth users to Graylog, since I can't then change the admin pwd secret.
This is no issue when using local users or changing the admin pwd.
// Anders