19139: Fixes bug by always setting owner_uuid to the system root user's UUID.

[arvados.git] / services / api / config / secrets.yml

diff --git a/services/api/config/secrets.yml b/services/api/config/secrets.yml
index 4ebe02ae96d85714275fa7b83f9bf16c29214bec..293b93bcdbb82bb58a9a07b326edc64a32295416 100644 (file)
--- a/services/api/config/secrets.yml
+++ b/services/api/config/secrets.yml
@@ -1,3 +1,7 @@
+# Copyright (C) The Arvados Authors. All rights reserved.
+#
+# SPDX-License-Identifier: AGPL-3.0
+
 # Be sure to restart your server when you modify this file.
 
 # Your secret key is used for verifying the integrity of signed cookies.
@@ -7,16 +11,21 @@
 # no regular words or you'll be exposed to dictionary attacks.
 # You can use `rails secret` to generate a secure secret key.
 
-# Make sure the secrets in this file are kept private
-# if you're sharing your code publicly.
+# NOTE that these get overriden by Arvados' own configuration system.
+
+# shared:
+#   api_key: a1B2c3D4e5F6
+
+# Environmental secrets are only available for that specific environment.
 
-development:
-  secret_key_base: ef8dfe92893202f906d198094f428aaefa75749338e306ed2874938598cad7153ef0dd3cb8036c618cc7c27bb0c6c559728e8cc224da7cdfa2ad1d02874643b0
+# development:
+#   secret_key_base: <%= rand(1<<255).to_s(36) %>
 
-test:
-  secret_key_base: 0b5454fe8163063950a7124348e2bc780fabbb022fa15f8a074c2fbcfce8eca480ed46b549b87738904f2bae6617ad949c3c3579e272d486c25aaa0ead563355
+# test:
+#   secret_key_base: <%= rand(1<<255).to_s(36) %>
 
-# Do not keep production secrets in the repository,
-# instead read values from the environment.
+# In case this doesn't get overriden for some reason, assign a random key
+# to gracefully degrade by rejecting cookies instead of by opening a
+# vulnerability.
 production:
-  secret_key_base: <%= ENV["SECRET_KEY_BASE"] %>
+  secret_key_base: <%= rand(1<<255).to_s(36) %>