This page gives an overview of the Raven Password Management service, describing its current status, where and how it's developed and deployed, and who is responsible for maintaining it.
This service allows Raven account holders to manage their password. Passwords can be changed via 'normal' login, self-service recovery or password reset tokens. These tokens may be issued by departmental or college administrators, or by University Information Services.
Self-service password recovery allows users to reset their password by configuring a recovery email address and/or mobile phone number and setting up some security questions that will be used to prove their identity during password recovery.
Changed passwords are synchronised with a wide range of University systems, including Raven-based websites, Exchange Online email, Hermes email and Desktop Services including the Managed Cluster Service (MCS).
A history of changes to passwords and recovery details is also visible to an authenticated user.
The Raven Password Management service is currently live.
The intention is to move this service from UIS infrastructure VMs to a Google Cloud deployment, but no timeline for this is currently set.
End-user support is provided by the Service Desk and User Admin.
Technical queries and support should be directed to the Service Desk and will be picked up by a member of the team working on the service. To ensure that you receive a response, always direct requests to firstname.lastname@example.org rather than reaching out to team members directly.
Issues discovered in the service or new feature requests should be opened as GitLab issues here.
The Password app is currently deployed to the following environments:
The Traffic Manager load-balances web traffic to the supporting VMs, making use of sticky sessions to ensure that the relevant in-memory password-change queue is displayed to the user.
The test VMs have their own fake local password clients that act as black holes for all password changes. Any actions that require a password to be quoted on a test VM (not including the initial Raven logon) should quote the fake password stored in 1password.
The source code for the Password Management Application is stored in this GitLab repository.
The following gives an overview of the technologies the Password app is built on.
The following gives an overview of how the Password app is deployed and maintained.
Taking a host out of service
Hosts can be taken out of service by creating a file /maintenance_mode, which causes the monitor script to return an HTTP 500 response code, which in turn causes the Traffic Manager to direct traffic elsewhere.
Deploying a new release
New releases are deployed by running the Grails application deployment Ansible after ensuring that the package_version group_var has been set to the correct version.
The Password app is monitored by the UIS infra-sas Nagios service.
Services currently monitored:
- ping - standard Nagios ping check.
- SSL - checks for a valid TLS certificate on port 8443.
- https_devgroup - checks for a 200 response from the /adm/status page on port 8443.
- disc-space - checks for at least 15% free disk space.
There is also a check for a valid TLS certificate being served by the Traffic Manager for https://uis-tm.password.raven.cam.ac.uk.
See legacy application backups
The Password app cannot be run locally, and therefore the test instance should be used to trial changes and fixes.
Other operational documentation
End-user documentation: https://help.uis.cam.ac.uk/service/accounts-passwords
Description of the password strength checker: https://wiki.cam.ac.uk/uis/UIS_Password_Strength_Checker
The self-service password recovery flow: https://gitlab.developers.cam.ac.uk/uis/devops/raven/passwords/passwords/-/blob/master/doc/password-recovery.pdf
Service Management and tech lead
The service owner for the Password app is Vijay Samtani
The service manager for the Password app is currently vacant
The tech lead for the Password app is Robin Goodall
The following engineers have operational experience with the Password app and are able to respond to support requests or incidents: