soreana commented on PR #6812:
URL: https://github.com/apache/cloudstack/pull/6812#issuecomment-1693418068
> > LGTM, tested the PR manually, here are the steps and results:
> >
> > 1. Created an account and domain in my test environment, and set the following configurations:
> > **Account**: `allow.duplicate.networkname` -> false, `allow.public.user.templates` -> false, `account.allow.expose.host.hostname` -> true;
> > **Domain**: `allow.user.view.all.domain.accounts` -> true, `ldap.bind.password` -> 123, `ldap.bind.principal` -> 2023
> > 2. Check the values in the database.
> >
> > #### Results without the patch:
> > All values are encrypted:
> > ```
> > MariaDB [cloud]> select * from domain_details ;
> > +----+-----------+-------------------------------------+----------------------------------------------+
> > | id | domain_id | name                                | value                                        |
> > +----+-----------+-------------------------------------+----------------------------------------------+
> > |  1 |         2 | allow.user.view.all.domain.accounts | RzlxAFEzhBkWL4vnrFY33RHVTAv4KtYqZFHeMHvCvZg= |
> > |  2 |         2 | ldap.bind.password                  | mn9/GD6y+OoT2a47FOR3KacqXRFVMO9em1O5w178lFtw |
> > |  4 |         2 | ldap.bind.principal                 | WyJ+j5C3l66RYtGlwU9rBxh4OzEBSgCEYQpP9ZZ2FM8= |
> > +----+-----------+-------------------------------------+----------------------------------------------+
> > 3 rows in set (0.001 sec)
> >
> > MariaDB [cloud]> select * from account_details ;
> > +----+------------+------------------------------------+----------------------------------------------+
> > | id | account_id | name                               | value                                        |
> > +----+------------+------------------------------------+----------------------------------------------+
> > |  1 |          4 | allow.duplicate.networkname        | VE+8/lkl19t0CDg8g1nxy/7B55UmeVWwiOMyWCWRRVRL |
> > |  2 |          4 | allow.public.user.templates        | rninQyLFP0xnz0pcn4queDqgT4nmUDzlJHQ1TkeYARiP |
> > |  3 |          4 | account.allow.expose.host.hostname | LjZE+XKIs/b98M16CstjlGCvD8BRMmASUNo8kdFEb3Q= |
> > +----+------------+------------------------------------+----------------------------------------------+
> > 3 rows in set (0.001 sec)
> > ```
> >
> > #### Results with the patch:
> > Secure values are encrypted:
> > ```
> > MariaDB [cloud]> select * from domain_details ;
> > +----+-----------+-------------------------------------+----------------------------------------------+
> > | id | domain_id | name                                | value                                        |
> > +----+-----------+-------------------------------------+----------------------------------------------+
> > |  1 |         1 | allow.user.view.all.domain.accounts | true                                         |
> > |  2 |         1 | ldap.bind.password                  | 3LuBM0yptJImv8cWrh9UeiwbKX/WFespFofaRClZwg== |
> > |  3 |         1 | ldap.bind.principal                 | 2023                                         |
> > +----+-----------+-------------------------------------+----------------------------------------------+
> > 3 rows in set (0.001 sec)
> >
> > MariaDB [cloud]> select * from domain_details ;
> > +----+-----------+-------------------------------------+----------------------------------------------+
> > | id | domain_id | name                                | value                                        |
> > +----+-----------+-------------------------------------+----------------------------------------------+
> > |  1 |         1 | allow.user.view.all.domain.accounts | true                                         |
> > |  2 |         1 | ldap.bind.password                  | 3LuBM0yptJImv8cWrh9UeiwbKX/WFespFofaRClZwg== |
> > |  3 |         1 | ldap.bind.principal                 | 2023                                         |
> > +----+-----------+-------------------------------------+----------------------------------------------+
> > 3 rows in set (0.001 sec)
> > ```
>
> cool, thanks @soreana can you test the database migration as well? please refer to https://cwiki.apache.org/confluence/display/CLOUDSTACK/New+database+encryption+cipher+-+AeadBase64Encryptor#NewdatabaseencryptioncipherAeadBase64Encryptor-5.cloudstack-migrate-databaseschanges

You're welcome @weizhouapache

I tried to test database migration by running the following command, it failed. I should say that I'm new to this database migration script, let me know if I missed anything. I've attached the [cloudstack-migrate-databases.log](https://github.com/apache/cloudstack/files/12440232/cloudstack-migrate-databases.log) file as well.
```
root@mgt01:/etc/cloudstack/management# cloudstack-migrate-databases -m password -d password -n cloudstack -e cloudstack -v V2
Started database migration at Fri Aug 25 13:58:31 UTC 2023
Parsing db.properties file
DB Secret key provided matched the key in db.properties
INFO: Migrate properties with DB encryptor version: V2
Migrating db.properties..
Migrating db.properties Done.
Migrating server.properties..
Skipping server.properties as password.encryption.type is null
Begin Data migration
Initialised Encryptors
WARN [c.c.u.c.EncryptionSecretKeyChecker] (main:null) (logid:) Encryption already enabled, is check() called twice?
INFO [c.c.u.d.T.Transaction] (main:null) (logid:) Is Data Base High Availiability enabled? Ans : false
Begin migrate config values
End migrate config values
Begin migrate host details
End migrate host details
Beginning migration of account_details encrypted values
Error during data migration
Data Migration failed. Reverting db.properties
Got error during database migration at Fri Aug 25 13:58:33 UTC 2023
Failed to migrate databases. You may find more logs in /tmp/cloudstack-migrate-databases.log
```