Repurpose the "cas" database for webauthn tokens
Closed, Resolved | Public

Description

Our CAS installation keeps most of its state in memcached, but the two-factor-auth tokens are stored in mariadb as they are more persistent and we need them redundantly across the active-active IDP setup. The database is called "cas" and there's a "cas" user to access it.

So far we supported U2F devices as a second factor, but Chrome removed the API for it and only supports the newer webauthn API. Support for webauthn in CAS is currently being worked on and we'd like to again store the tokens in mariadb.

We have disabled U2F support in CAS and the old tokens stored in U2F format are no longer needed/relevant; as such, the simplest process would be to just repurpose it for webauthn tokens. The resource usage would be as minimal as the existing database used for U2F.

If that works for DBAs, could you please empty the existing "cas" database?

Event Timeline

Marostegui triaged this task as Medium priority.
Marostegui moved this task from Triage to In progress on the DBA board.
Marostegui subscribed.

@MoritzMuehlenhoff so you want me to drop or truncate this table?:

root@db1164.eqiad.wmnet[cas]> show tables;
+------------------------+
| Tables_in_cas          |
+------------------------+
| U2FDevice_Registration |
+------------------------+
1 row in set (0.001 sec)

root@db1164.eqiad.wmnet[cas]> select count(*) from U2FDevice_Registration;
+----------+
| count(*) |
+----------+
|       26 |
+----------+
1 row in set (0.001 sec)

We also have cas_staging:

root@db1164.eqiad.wmnet[cas_staging]> show tables;
+------------------------+
| Tables_in_cas_staging  |
+------------------------+
| U2FDevice_Registration |
+------------------------+
1 row in set (0.000 sec)

root@db1164.eqiad.wmnet[cas_staging]> select count(*) from U2FDevice_Registration;
+----------+
| count(*) |
+----------+
|        1 |
+----------+
1 row in set (0.001 sec)

I guess the same should be applied to that staging one too?

Do you need a last backup from those tables just in case?

> @MoritzMuehlenhoff so you want me to drop or truncate this table?:

Please drop the entire table, the webauthn JPA code will create different tables instead.

> We also have cas_staging:
>
> (..)
>
> I guess the same should be applied to that staging one too?

Good catch! I had completely forgotten about that one, please also drop the table there.

> Do you need a last backup from those tables just in case?

I can't really imagine any scenario where we might need these again, but if it's just the matter of quickly running a command, then let's maybe still do it anyway.

I have taken a quick backup from those tables:

root@cumin1001:/home/marostegui/T311300# ls -lh
total 56K
-rw-r--r-- 1 root root 4.1K Jun 24 12:34 cas_staging_U2FDevice_Registration.sql
-rw-r--r-- 1 root root  48K Jun 24 12:33 cas_U2FDevice_Registration.sql

They are also on our weekly backups anyways that were taken this week.
And now I have dropped both of them:

root@db1164.eqiad.wmnet[cas]> drop table if exists U2FDevice_Registration;
Query OK, 0 rows affected (0.003 sec)

root@db1164.eqiad.wmnet[cas]> use cas_staging
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Database changed
root@db1164.eqiad.wmnet[cas_staging]> drop table if exists U2FDevice_Registration;
Query OK, 0 rows affected (0.003 sec)

root@db1164.eqiad.wmnet[cas_staging]>