Rotating passwords


#1

Hi,

What is the best practice regarding rotating a bucket’s passwords both in the bucket and in the code ?

Thanks,


#2

@cihangirb, are there any guidelines ?


#3

Note that existing client connections will /not/ be dropped when the password is changed on the cluster. Therefore you can:

  1. Update the application with the “new” password, and code it to try both the old and new.
  2. Change the bucket password; existing client connections will remain but new ones will need to produce the new password (which they can do if the old password first fails).
  3. Once all clients have been recycled. the code for checking the old password can be removed.

#4

Assuming that connections are established only when app starts, shouldn’t this also work without changing the code ?

  1. Update password in dev app
  2. Change bucket password. Currently running app will continue to run
  3. Publish and restart app (app will re-connect with new passwords)

#5

Yes, that should work assuming your app never has to reconnect (e.g. due to network issues) once it has started.