Page MenuHomePhabricator

Add `bin/almanac register` to associate a host with an Almanac device and trust it

Authored by epriestley on Jan 2 2015, 8:20 PM.



Ref T2783. This is basically a more refined version of D10400, which churned a bit on things like SSH key storage, the actual way the signing protocol shook out, etc.

  • When Phabricator tries to make an intra-cluster service call as the omnipotent user, sign it with the host's device key.
  • Add bin/almanac register to say "this host is X device, identified by private key Y". This stores the keypair locally, adds the public key to Almanac, and trusts it.

Net effect is that once a host has been registered, the daemons can make calls to other nodes as the omnipotent user. This is primarily necessary so they can access repository API methods on remote hosts.

Test Plan
  • Ran bin/almanac register with various valid and invalid inputs.
  • Verified keys get generated/added/stored properly.
  • Made a device-signed cluster Conduit call.
  • Made a normal old user-signed cluster Conduit call.

Diff Detail

rP Phabricator
Lint Not Applicable
Tests Not Applicable

Event Timeline

epriestley retitled this revision from to Add `bin/almanac register` to associate a host with an Almanac device and trust it.
epriestley updated this object.
epriestley edited the test plan for this revision. (Show Details)
epriestley added a reviewer: btrahan.
btrahan edited edge metadata.
This revision is now accepted and ready to land.Jan 2 2015, 10:14 PM
This revision was automatically updated to reflect the committed changes.