Open SzymonSel opened 1 year ago
We need a secrets module to deploy any sort of secrets in a more confidential way; then deployments & recipes will take care of the rest
@deanmarcussen any plan to complete the Secrets module that you started with? Or shall someone continue the work that you already did?
As I understand, we need this module to recreate user accounts with working passwords. Am I right? We could easily export users now, but users would have to reset their passwords in order to regain access to their account on the new site (the importing one).
Yes we could, but it would be nice to export/import users with their credentials
Clear. Thanks.
@deanmarcussen twice in a day ... Do you remember where your code is at, if there is a way that someone takes over?
FYI @sebastienros #7891
> Yes we could, but it would be nice to export/import users with their credentials
To achieve this now, what would one have to do? Where are the keys stored? How can they be copied to make the credentials work?
That's what Secrets Module is all about
Do we actually need the secrets module to import/export users? Is there any state in the web app that changes how these hashes are stored in the database? I don't think so, so sending them should be fine. There could be an option to include the hashes; this way one could already export the list of user accounts (requires a custom permission though). And importing a user is "security sensitive", i.e. you could reset someone's password with this permission. So not sure if it's a good idea without encryption. Or at least with the same level of permissions as being able to set the encryption keys.
> Do we actually need the secrets module to import/export users?
Yes & no, it depends; it's only needed when we want to export content with sensitive data
> Is there any state in the web app that changes how these hashes are stored in the database? I don't think so, so sending them should be fine.
I think it's fine to send hashes too, but we need to think about a more generic way for any sensitive data such as SMTP credentials, database connections, etc.
We might need to revise the secrets module and get it done if it's possible
> but we need to think about a more generic way for any sensitive data such as SMTP credentials
Read the title of this issue
I already did, but look at the issue description :)
I ended up here https://github.com/OrchardCMS/OrchardCore/pull/7891 looking for a way of exporting and importing users from one instance to another. Is this still planned as a deployment task? What is the state of its development? Any way I could contribute?
So, for this particular use case it's fine to export the users data
We checked the password hashing code and there is no secret there, so it's safe to create an export step for the user accounts.
Great! I’m on it!
@SzymonSel did you find a way to import users, or is there any way to import users exported from Orchard CMS?
I have, but I haven't yet implemented it.
Can you help by sharing it?
I've successfully implemented a simple Users' Account Deployment step together with the importing step. There is as yet no advanced validation or any permissions checking, but this could be implemented at a later time.
Should I place my implementation in the OrchardCore.Users project for review?
Sure
One more thing: what about the passwords, do you export them? Coz we addressed this a long time ago using the secrets module
I'm exporting the PasswordHash
As expected, even though exporting such data is risky
/cc @sebastienros @Piedone
I'm working on the secrets module which will use a combination of symmetric and asymmetric encryption.
I see you are active on that PR, which I planned to make some progress on, so please assign the PR or the issue to yourself to avoid anyone else duplicating the work
@SzymonSel I think it's safe to add the feature. Thanks a lot
I've also created a simple CustomUserSettings Deployment implementation.
By the way, can someone grant me push permissions?
@SzymonSel For the first contributions, you are supposed to fork the project and make a pull request that will be reviewed.
We only grant write access to the main repo after multiple contributions to the project (PRs, meetings, demos, ...) and agreement from the core team of developers, even if we know you are an Orchard user for a long time ;-)
Sure thing! I'm being lazy and couldn't be bothered forking the repo :P
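An added illustration of the point made in the thread that the password hash involves no site-specific secret (this is not code from Orchard Core or from any participant). It assumes the exported PasswordHash uses the ASP.NET Core Identity v3 layout, which the thread does not state; the function names, the sample password and the iteration cap are constructed for the example.

```python
import base64
import hashlib
import hmac
import os
import struct

# PRF ids in the assumed v3 layout (KeyDerivationPrf enum values).
PRF_NAMES = {0: "sha1", 1: "sha256", 2: "sha512"}
MAX_ITERATIONS = 1_000_000  # hypothetical import-side cap against hostile blobs


def make_v3_hash(password, prf=1, iterations=10000, salt=None):
    """Build a constructed sample hash: marker, PRF, iterations, salt length, salt, subkey."""
    salt = salt if salt is not None else os.urandom(16)
    subkey = hashlib.pbkdf2_hmac(PRF_NAMES[prf], password.encode(), salt, iterations, 32)
    header = struct.pack(">BIII", 0x01, prf, iterations, len(salt))
    return base64.b64encode(header + salt + subkey).decode()


def parse_v3_hash(encoded):
    """Split an exported PasswordHash into its self-describing parts."""
    raw = base64.b64decode(encoded, validate=True)
    if len(raw) < 13 or raw[0] != 0x01:
        raise ValueError("not a v3 hash blob")
    _, prf, iterations, salt_len = struct.unpack(">BIII", raw[:13])
    if prf not in PRF_NAMES or not 1 <= iterations <= MAX_ITERATIONS:
        raise ValueError("unsupported PRF or iteration count")
    if salt_len < 16 or len(raw) < 13 + salt_len + 16:
        raise ValueError("salt or subkey too short")
    salt, subkey = raw[13:13 + salt_len], raw[13 + salt_len:]
    return PRF_NAMES[prf], iterations, salt, subkey


def verify_on_importing_site(encoded, password):
    """Verify with nothing but the exported string: no site key is needed."""
    try:
        prf, iterations, salt, subkey = parse_v3_hash(encoded)
    except ValueError:
        return False  # malformed blobs are rejected rather than imported
    candidate = hashlib.pbkdf2_hmac(prf, password.encode(), salt, iterations, len(subkey))
    return hmac.compare_digest(candidate, subkey)


if __name__ == "__main__":
    exported = make_v3_hash("correct horse")  # constructed sample value
    print(verify_on_importing_site(exported, "correct horse"))
    print(verify_on_importing_site(exported, "wrong"))
```

Because everything needed to check a password travels inside the exported string, the export file allows offline guessing and should be handled with the same care as the user table itself.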