Enforce unique keys for whisk.system and guest namespaces (#419) Fixes #418 We require unique auth values for each subject. Check that the whisk.auth.guest and whisk.auth.system keys are unique during couchdb initialization and fail with a clear error message instead of allowing an unusable system to be deployed. Also add an explicit `rm` of the default keys right after the git clone of the openwhisk repository to make sure they can't be used by mistake in some subsequent script operation.

commit: 462cda8811ad093845977a672b8b460dd0630fce [log] [tgz]
author: David Grove <dgrove-oss@users.noreply.github.com> Wed Jan 23 15:32:32 2019 -0500
committer: Michele Sciabarra <30654959+sciabarracom@users.noreply.github.com> Wed Jan 23 21:32:32 2019 +0100
tree: 545ab20fd5a2e818fded8688ba62624fb724f3d0
parent: 28023eea7f7a981dc46858e3cf8ebdacf9cc0d7c [diff]
diff --git a/helm/openwhisk/configMapFiles/initCouchDB/initdb.sh b/helm/openwhisk/configMapFiles/initCouchDB/initdb.sh
index b42a1e9..d6171e5 100755
--- a/helm/openwhisk/configMapFiles/initCouchDB/initdb.sh
+++ b/helm/openwhisk/configMapFiles/initCouchDB/initdb.sh

@@ -7,11 +7,19 @@
     git checkout $OW_GIT_TAG_OPENWHISK
 popd
 
-# Copy the secrets whisk.auth.guest and whisk.auth.system into the cloned tree
-# overwriting the default values we cloned from git
+# Install the secrets whisk.auth.guest and whisk.auth.system into the cloned tree
+# after removing the defaults inherited from the checkout of openwhisk
+rm -f /openwhisk/ansible/files/auth.guest /openwhisk/ansible/files/auth.whisk.system
 cp -f /etc/whisk-auth/guest /openwhisk/ansible/files/auth.guest
 cp -f /etc/whisk-auth/system /openwhisk/ansible/files/auth.whisk.system
 
+# Sanity check: all subjects must have unique keys
+if cmp -s /openwhisk/ansible/files/auth.guest /openwhisk/ansible/files/auth.whisk.system; then
+    echo "FATAL ERROR: unable to initialize the OpenWhisk subjects database."
+    echo "Cannot use identical keys for whisk.auth.system and whisk.auth.guest."
+    exit 1
+fi
+
 # generate db_local.ini so the ansible jobs know how to access the database
 pushd /openwhisk/ansible
     ansible-playbook -i environments/local setup.yml

diff --git a/helm/openwhisk/configMapFiles/installPackages/myTask.sh b/helm/openwhisk/configMapFiles/installPackages/myTask.sh
index dcee18e..183b266 100644
--- a/helm/openwhisk/configMapFiles/installPackages/myTask.sh
+++ b/helm/openwhisk/configMapFiles/installPackages/myTask.sh

@@ -13,6 +13,7 @@
 git clone https://github.com/apache/incubator-openwhisk openwhisk
 pushd openwhisk
     git checkout $OW_GIT_TAG_OPENWHISK
+    rm -f /openwhisk/ansible/files/auth.guest /openwhisk/ansible/files/auth.whisk.system
 popd
 
 # Setup env for installRouteMgmt.sh
commit	462cda8811ad093845977a672b8b460dd0630fce	[log] [tgz]
author	David Grove <dgrove-oss@users.noreply.github.com>	Wed Jan 23 15:32:32 2019 -0500
committer	Michele Sciabarra <30654959+sciabarracom@users.noreply.github.com>	Wed Jan 23 21:32:32 2019 +0100
tree	545ab20fd5a2e818fded8688ba62624fb724f3d0
parent	28023eea7f7a981dc46858e3cf8ebdacf9cc0d7c [diff]