Add ability to prefix session cookies
What does this MR do?
As part of the Cells project, we need to have the option to prefix session cookies values by a prefix, to enable us to generate cookies with a prefixed value for each cell. See https://docs.gitlab.com/ee/architecture/blueprints/cells/http_routing_service.html#routing-rules for more information.
As part of this MR we added the ability to configure GitLab app itself to change the prefix. In this MR, we are adding this option to OmniBus.
Related issues
Addressing: gitlab#439945 (closed)
Validating this MR
Prerequisites
You need a host that is running Docker. Preferably a VM on GCP. To install Docker, see: https://docs.docker.com/engine/install/
Steps
This docker image is built from this MR branch.
docker pull registry.gitlab.com/gitlab-org/omnibus-gitlab/gitlab-ee:439945-adding-config-for-session-cookies-prefix
docker tag registry.gitlab.com/gitlab-org/omnibus-gitlab/gitlab-ee:439945-adding-config-for-session-cookies-prefix omnibus
docker run --rm -d --name omnibus omnibus
docker exec -ti omnibus bash
A. Checking the default option (steps to run inside the container)
gitlab-rails console
-
puts Rails.configuration.session_options
. It should print the following
{:redis_server=>
{:path=>"/var/opt/gitlab/redis/redis.socket",
:command_builder=>Gitlab::Redis::CommandBuilder,
:custom=>{:instrumentation_class=>"Sessions"},
:namespace=>"session:gitlab"},
:key=>"_gitlab_session",
:secure=>false,
:httponly=>true,
:expires_in=>604800,
:path=>"/",
:session_cookie_token_prefix=>""}
B. Changing the prefix
- Edit
/etc/gitlab/gitlab.rb
inside the container (usingvi
), and make sure you have this linegitlab_rails['session_store_session_cookie_token_prefix'] = 'custom_prefix_'
. You will see this config there but commented out for'session_store_session_cookie_token_prefix
. Make sure you uncomment the line when you edit it. gitlab-ctl reconfigure
- Repeat the steps in (A), but this time you should get something like
{:redis_server=>
{:path=>"/var/opt/gitlab/redis/redis.socket",
:command_builder=>Gitlab::Redis::CommandBuilder,
:custom=>{:instrumentation_class=>"Sessions"},
:namespace=>"session:gitlab"},
:key=>"_gitlab_session",
:secure=>false,
:httponly=>true,
:expires_in=>604800,
:path=>"/",
:session_cookie_token_prefix=>"custom_prefix_"}
Checklist
See Definition of done.
For anything in this list which will not be completed, please provide a reason in the MR discussion.
Required
-
MR title and description are up to date, accurate, and descriptive. -
MR targeting the appropriate branch. -
Latest Merge Result pipeline is green. -
When ready for review, MR is labeled "~workflow::ready for review" per the Distribution MR workflow.
For GitLab team members
If you don't have access to this, the reviewer should trigger these jobs for you during the review process.
-
The manual Trigger:ee-package
jobs have a green pipeline running against latest commit. -
If config/software
orconfig/patches
directories are changed, make sure thebuild-package-on-all-os
job within theTrigger:ee-package
downstream pipeline succeeded. -
If you are changing anything SSL related, then the Trigger:package:fips
manual job within theTrigger:ee-package
downstream pipeline must succeed. -
If CI configuration is changed, the branch must be pushed to dev.gitlab.org
to confirm regular branch builds aren't broken.
Expected (please provide an explanation if not completing)
-
Test plan indicating conditions for success has been posted and passes. -
Documentation created/updated. -
Tests added. -
Integration tests added to GitLab QA. -
Equivalent MR/issue for the GitLab Chart opened. -
Validate potential values for new configuration settings. Formats such as integer 10
, duration10s
, URIscheme://user:passwd@host:port
may require quotation or other special handling when rendered in a template and written to a configuration file.