Hi Everyone. That reminds me of an old idea that I had several years ago (not sure if I had commented on it here or not); nevertheless, my idea was based on credential rotation.
The goal is to avoid manually updating configurations across many clients. Instead, we can enable the Bacula Director to push new passwords to connected clients securely. Here's a high-level concept for a smooth credential rotation:

1. Dual-Password Configuration: Both the Director and the FD are configured to accept two passwords: the Password (current) and an OldPassword.

2. Connection & Notification: An FD connects to the Director using its current Password. During the session, the Director can signal that a new password is available.

3. Secure Update: The FD, over the already-authenticated connection, requests the new password. The Director provides it, and the FD updates its configuration (e.g., writes it to the file: or dynfile: referenced in its config).

4. Graceful Transition: For a defined period, both the old and new passwords are valid. This prevents backup failures if a client restarts before receiving the update.

5. Cleanup: After a successful transition and a configured timeout, the OldPassword is automatically retired from both sides.

Key Advantages:
=============

* Zero-Touch Rotation: Password changes can be initiated once from the Director and propagate automatically to all active clients.
* No Backup Disruption: The dual-password window ensures operations aren't interrupted during the rollout.
* Handles Scale: This works for 10 or 1,000 FDs without additional manual effort.
* Complements External Secrets: This rotation mechanism would work seamlessly with Clinton's proposed file:, dynfile:, or credstore: directives. The FD would simply update the secret in the external store or file.

Logically, I'm not sure how technically complicated that can be!!! But in theory, the idea should work well!! :-D

Salu2

-- 
Victor Hugo dos Santos
http://www.vhsantos.net
Linux Counter #224399

_______________________________________________
Bacula-devel mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/bacula-devel
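
The five steps above, walked through end to end as an added example written for this page; it is not Bacula code and not the poster's implementation. Director, FileDaemon, Credentials and simulate() are constructed names, the challenge/response is a plain HMAC-SHA256 standing in for Bacula's CRAM-MD5 handshake, the "connection" is an in-process method call, and timestamps are passed explicitly so the grace window can be stepped through deterministically. The starting secret "initial-secret" and the 600 s window are constructed values.

```python
# Added example: a model of the dual-password rotation proposed above, not Bacula code.
from __future__ import annotations
import hmac
import os
import secrets
import tempfile
from dataclasses import dataclass
from pathlib import Path

def response_for(password: str, challenge: bytes) -> bytes:
    # Prove knowledge of `password` for `challenge` without sending it.
    return hmac.new(password.encode(), challenge, "sha256").digest()

@dataclass
class Credentials:
    """Step 1: the current Password plus an OldPassword with an expiry time."""
    password: str
    old_password: str | None = None
    old_expires_at: float = 0.0

    def live(self, now: float) -> list[str]:
        # Step 5: retire OldPassword once its grace window has elapsed.
        if self.old_password is not None and now >= self.old_expires_at:
            self.old_password = None
        return [p for p in (self.password, self.old_password) if p is not None]

    def matching(self, challenge: bytes, resp: bytes, now: float) -> str | None:
        # Return whichever live password produced `resp`, or None.
        for pw in self.live(now):
            if hmac.compare_digest(response_for(pw, challenge), resp):
                return pw
        return None

    def rotate(self, new: str, now: float, grace: float) -> None:
        # Step 4: the previous password stays valid for `grace` seconds.
        self.old_password, self.old_expires_at = self.password, now + grace
        self.password = new

class FileDaemon:
    """FD whose secret lives in a file: resource; re-reading it models a restart."""
    def __init__(self, password_file: str):
        self.password_file = password_file
        self.cred = Credentials(Path(password_file).read_text().strip())

    def answer(self, challenge: bytes) -> bytes:
        return response_for(self.cred.password, challenge)

    def verify_peer(self, challenge: bytes, resp: bytes, now: float) -> bool:
        return self.cred.matching(challenge, resp, now) is not None

    def update_password(self, new: str, now: float, grace: float) -> None:
        # Step 3: persist at mode 0600, write-then-rename so a crash leaves a whole file.
        tmp = self.password_file + ".tmp"
        with os.fdopen(os.open(tmp, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600), "w") as f:
            f.write(new + "\n")
        os.replace(tmp, self.password_file)
        self.cred.rotate(new, now, grace)

class Director:
    def __init__(self, clients: dict[str, str], grace: float):
        self.clients = {n: Credentials(p) for n, p in clients.items()}
        self.grace = grace
        self.pending: dict[str, str] = {}  # clients not yet told their new password

    def rotate(self, name: str, now: float) -> None:
        self.pending[name] = new = secrets.token_urlsafe(32)
        self.clients[name].rotate(new, now, self.grace)

    def handshake(self, name: str, fd: FileDaemon, now: float) -> bool:
        # Step 2: mutual challenge/response, then hand over any pending password.
        cred = self.clients[name]
        chal = secrets.token_bytes(32)
        proven = cred.matching(chal, fd.answer(chal), now)
        if proven is None:
            return False
        # Answer the FD's challenge with the password it just proved it holds, so
        # an FD that has not learned the new password yet can still verify us.
        fd_chal = secrets.token_bytes(32)
        if not fd.verify_peer(fd_chal, response_for(proven, fd_chal), now):
            return False
        if name in self.pending:
            fd.update_password(self.pending.pop(name), now, self.grace)
        return True

def simulate() -> dict[str, bool]:
    # One client, 600 s grace window, constructed starting secret "initial-secret".
    conf = os.path.join(tempfile.mkdtemp(), "client1-fd.password")
    Path(conf).write_text("initial-secret\n")
    director = Director({"client1-fd": "initial-secret"}, grace=600.0)
    t0 = 1_000.0
    out = {"before_rotation": director.handshake("client1-fd", FileDaemon(conf), t0)}
    director.rotate("client1-fd", t0)
    fd = FileDaemon(conf)             # restarted before hearing about the change
    never_updated = FileDaemon(conf)  # a copy that never reconnects inside the window
    out["old_secret_in_window"] = director.handshake("client1-fd", fd, t0 + 10)
    out["file_rewritten"] = FileDaemon(conf).cred.password == fd.cred.password != "initial-secret"
    out["new_secret_after_window"] = director.handshake("client1-fd", FileDaemon(conf), t0 + 700)
    out["old_secret_after_window"] = director.handshake("client1-fd", never_updated, t0 + 700)
    return out
```

Calling simulate() returns a dict of checks: the pre-rotation handshake succeeds, an FD that restarts with the old secret is still accepted inside the window and leaves the call with the new secret on disk, the new secret keeps working after the window closes, and an FD that never reconnected is refused once OldPassword has been retired. Two details the five steps leave open are worth noting: because Bacula authentication is mutual, the Director has to answer the FD's challenge with the password the FD just proved it holds, otherwise an FD that still has only the old secret cannot verify the Director during the window; and the handover in step 3 only deserves the word "securely" if the session is inside TLS, since the new password crosses the wire in the clear otherwise. Rotation also does nothing for an attacker who can read the FD's password file, which is why the write uses mode 0600.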
