path: root/doc/raketasks/user_management.md
author: Sean McGivern <sean@gitlab.com> 2016-07-15 13:19:29 +0100
committer: Sean McGivern <sean@gitlab.com> 2016-08-03 15:46:37 +0100
commit: 405379bbfcb7821b3dae77e5254362f2d696bb7d
tree: ca84c70e92cb701694ac91d62879aa6d56490da7 /doc/raketasks/user_management.md
parent: 1ee1113696702919d2593839d09042c7e6391b89
Store OTP secret key in secrets.yml

.secret stores the secret token used for both encrypting login cookies and for encrypting stored OTP secrets. We can't rotate this, because that would invalidate all existing OTP secrets.

If the secret token is present in the .secret file or an environment variable, save it as otp_key_base in secrets.yml. Now .secret can be rotated without invalidating OTP secrets.

If the secret token isn't present (initial setup), then just generate a separate otp_key_base and save in secrets.yml.

Update the docs to reflect that secrets.yml needs to be retained past upgrades, but .secret doesn't.

Diffstat (limited to 'doc/raketasks/user_management.md')
-rw-r--r-- doc/raketasks/user_management.md 4
1 files changed, 2 insertions, 2 deletions
diff --git a/doc/raketasks/user_management.md b/doc/raketasks/user_management.md
index 629d38efc53..8a5e2d6e16b 100644
--- a/doc/raketasks/user_management.md
+++ b/doc/raketasks/user_management.md
@@ -60,8 +60,8 @@ block_auto_created_users: false
## Disable Two-factor Authentication (2FA) for all users
This task will disable 2FA for all users that have it enabled. This can be
-useful if GitLab's `.secret` file has been lost and users are unable to login,
-for example.
+useful if GitLab's `config/secrets.yml` file has been lost and users are unable
+to login, for example.
```bash
# omnibus-gitlab
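
Review bot: The added sentence ("useful if GitLab's `config/secrets.yml` file has been lost") names the file but not why losing it locks users out. Per the commit message, the `otp_key_base` entry in that file is what encrypts the stored OTP secrets, so naming that key here, and stating that the file has to be retained across upgrades, would tell an admin what to protect before they ever need this task. Since the task disables 2FA for every user that has it enabled, a short line telling admins to have users re-enable 2FA afterwards would also fit in this section. Minor wording: "unable to login" uses the noun form; as a verb it should be "unable to log in".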