#35400: SECRET_KEY_FALLBACKS documentation can be misleading when running a
multiple instances of an application
-------------------------------------+-------------------------------------
Reporter: Ryan | Owner: nobody
Siemens |
Type: | Status: new
Cleanup/optimization |
Component: | Version: 5.0
Documentation | Keywords:
Severity: Normal | SECRET_KEY_FALLBACKS
Triage Stage: | Has patch: 0
Unreviewed |
Needs documentation: 0 | Needs tests: 0
Patch needs improvement: 0 | Easy pickings: 1
UI/UX: 0 |
-------------------------------------+-------------------------------------
Hi, I was looking at the documentation for
[https://docs.djangoproject.com/en/dev/ref/settings/#secret-key-fallbacks
SECRET_KEY_FALLBACKS] and I think the documentations advice for how to
rotate keys is a little to simplistic and will lead to unexpected issues
with any modestly larger application that runs on multiple boxes (or
pods).
"In order to rotate your secret keys, set a new SECRET_KEY and move the
previous value to the beginning of SECRET_KEY_FALLBACKS."
Just following this advice can lead to a scenario where your request is
routed to a rotated box that has the new `SECRET_KEY` set, signs the
session successfully and returns. A subsequent request could route to an
un-rotated box which hasn't received the `SECRET_KEY` update and fails to
validate the session. This diagram aims to illustrate the problem
[[Image(https://cdn.zappy.app/f223668c63259e3316cfe0afb6bc97c3.png)]].
I believe the way to handle this situation is to have a two phase rollout
where:
- Phase 1: **don't** update `SECRET_KEY`, but update
`SECRET_KEY_FALLBACKS` to `['old_key', 'new_key']` and let all boxes sync.
Everything is still being signed/validated with the current, unchanged
`SECRET_KEY`.
- Phase 2: update `SECRET_KEY='new_key'` and
`SECRET_KEY_FALLBACKS=['old_key']`. Now boxes that aren't rotated can
validate sessions signed from boxes with the new_key even though they will
still sign with the old_key.
Things can then proceed as normal where the `old_key` is dropped from
`SECRET_KEY_FALLBACKS` after some time. Visually it looks like this
[[Image(https://cdn.zappy.app/0edeb791cdc40d9d8e3b7f3918b1b11b.png)]]
My request is to update the documentation to ''at least'' indicate that
the advice doesn't hold in scenarios where you are running the application
across a fleet of boxes.
--
Ticket URL: <https://code.djangoproject.com/ticket/35400>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
--
You received this message because you are subscribed to the Google Groups
"Django updates" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to django-updates+unsubscr...@googlegroups.com.
To view this discussion on the web visit
https://groups.google.com/d/msgid/django-updates/0107018f0c03522d-f4772a07-22af-4ce3-9b3f-364d39d7b0c0-000000%40eu-central-1.amazonses.com.
