commit | 897f7c60477c57c828068e2c33fd66de045e1cee | [log] [tgz] |
---|---|---|
author | Luca Milanesio <luca.milanesio@gmail.com> | Mon May 01 00:04:49 2017 +0100 |
committer | Luca Milanesio <luca.milanesio@gmail.com> | Fri May 12 16:13:23 2017 +0100 |
tree | 8a1eb8acb2b11fa5988644ac4ac5e4febb62ad27 | |
parent | c4a76f738a2a62f504838a125a392ce6928d2100 [diff] |
Allow reloading secure.config Align with Gerrit master ability to detect changes on secure.config and reload it dynamically. NOTE: The missing @Override annotations are explicitly left behind to allow both stable-2.14 and master compilations succeed Change-Id: Idc8ec91d2eba6ab7e3d93699403f2388bb04f0bf
Encrypt all the values contained in the Gerrit's secure.config.
Clone the secure-config plugin into a Gerrit source tree under the directory plugins/secure-config, and then run:
$ bazel build plugins/secure-config
Resulting plugin jar is generated under bazel-genfiles/plugins/secure-config/secure-config.jar
Differently from the other plugins, secure-config needs to be copied to the /lib directory of Gerrit installation.
Example:
$ cp bazel-genfiles/plugins/secure-config/secure-config.jar $GERRIT_SITE/lib/
Add the gerrit.secureStoreClass configuration entry in gerrit.config to instruct Gerrit to use the secure-store plugin for the encryption and decryption of all values contained in your secure.config file.
Example:
$ cat - >> $GERRIT_SITE/etc/gerrit.config [gerrit] secureStoreClass = com.googlesource.gerrit.plugins.secureconfig.SecureConfigStore ^D
Gerrit secure.config properties need to be generated and managed using the Gerrit init wizard. All the passwords entered at init will be stored as encrypted values and then decrypted on-the-fly when needed at runtime.
Example:
$ cd $GERRIT_SITE && java -jar bin/gerrit.war init Using secure store: com.googlesource.gerrit.plugins.secureconfig.SecureConfigStore *** Gerrit Code Review 2.13.2-1146-ga89e6a3 [...] $ cat etc/secure.config [auth] registerEmailPrivateKey = hfMC1Yi9NF5N3Yz7cVNUdJNPQfbb2g47RnaPElTraTh0MMB2OE+xeg==
Default settings are fully working but are meant to be use for DEMO purpose only. You typicallty need to customize them according to your Company's Policies about passwords and confidential data encryption standards.
See below the gerrit.config parameters to customize the encryption security settings.
The JCE cryptographic provider for the encryption algorithms and security keys.
Default: SunJCE
The encyrption algorithm to be used for encryption. Different JCE providers provide a different set of cryptographic algorithms.
Default: PBEWithMD5AndDES.
NOTE - The default value is considered insecure and should not be used in production
The device or file where to retrieve the encryption passphrase.
Default: /dev/zero
NOTE - The all-zeros password is considered insecure and should not be used in production
The length in bytes of the password read from the passwordDevice.
Default: 8
NOTE - A 8-bytes (64-bit) password length is considered insecure and should not be used in production
Encoding to use when encrypting/decrypting values from secure.config.
Default: UTF-8