[Hawkular-dev] Getting rid of agent/server password in clear
Juraci Paixão Kröhling
jpkroehling at redhat.com
Thu Aug 11 05:18:20 EDT 2016
On 11.08.2016 10:59, Heiko W.Rupp wrote:
> Hey Mazz and Juca,
>
> tl;dr: we need to get rid of clear text passwords in standalone.xml
Like other secrets in the standalone.xml (such as data source passwords),
the password should be stored in the vault.
https://developer.jboss.org/wiki/MaskingPasswordsForWildFlyUsingNon-interactiveVaultTool
> for the Docker builds I can run (pseudocode):
>
> docker run -e HAWKULAR_USER=jdoe -e HAWKULAR_PASSWORD=password
> pilhuhn/hawkular-services
>
> the startup in the image takes care that jdoe is added to the
> users.properties file for JAAS, and the agent gets those env-variables
> as user/password, so the agent can talk to the server (see also below).
This is not for a production setup, right? In a production setup, the
user storage should not be user.properties and the like. Those will (or
even, should) come from actual external sources, like LDAP, databases, ...
> == Agent side
>
> I recall that in the agent installer you have added some way of
> 'obfuscating' the password.
Vaults should be used for this. The good thing is that, AFAIK, no change
to the agent is required. The subsystem sees the actual clear text value
from the vault.
> == Server side
>
> Passing in the password like above to set up the server is equally bad
> (perhaps a tiny bit less, as the server is usually inside a more secured
> area than the agents).
I believe our docker images should be meant to be extended, so that
users can configure their user storage. The user.properties should be
seen as only a "placeholder".
- Juca.
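For reference, this is what the vault approach discussed above looks like in a WildFly standalone.xml. It is an added example, not configuration from the Hawkular project or from this thread. The vault block name (`hawkular`), the attribute name (`agentPassword`), the keystore path and the masked keystore password are placeholders; the `storage-adapter` element and its `username`/`password` attributes are assumed to match the Hawkular WildFly agent subsystem of the time, so check them against the agent's own schema before copying.

```xml
<!-- ADDED EXAMPLE (not from the original message or the Hawkular project).
     The vault entry is created once, outside the server, with the
     non-interactive vault tool shipped with WildFly (values are placeholders):

       $JBOSS_HOME/bin/vault.sh \
         --keystore    $JBOSS_HOME/standalone/configuration/vault.keystore \
         --keystore-password changeit \
         --alias       vault \
         --vault-block hawkular \
         --attribute   agentPassword \
         --sec-attr    'the-real-agent-password' \
         --enc-dir     $JBOSS_HOME/standalone/configuration/vault/ \
         --iteration   120 \
         --salt        1234abcd

     The tool prints the <vault> element below (with the KEYSTORE_PASSWORD
     already masked) and the ${VAULT::...} reference to paste into the
     subsystem. -->

<!-- 1. The vault definition sits directly under <server>, before <management>.
        The keystore password is not clear text either: the tool masks it. -->
<vault>
  <vault-option name="KEYSTORE_URL"      value="${jboss.server.config.dir}/vault.keystore"/>
  <vault-option name="KEYSTORE_PASSWORD" value="MASK-EXAMPLEMASKEDVALUE"/>   <!-- placeholder -->
  <vault-option name="KEYSTORE_ALIAS"    value="vault"/>
  <vault-option name="SALT"              value="1234abcd"/>
  <vault-option name="ITERATION_COUNT"   value="120"/>
  <vault-option name="ENC_FILE_DIR"      value="${jboss.server.config.dir}/vault/"/>
</vault>

<!-- 2a. BEFORE: the agent's server credentials in clear text.
         (storage-adapter/username/password are assumed attribute names.) -->
<subsystem xmlns="urn:org.hawkular.agent:agent:1.0">
  <storage-adapter type="HAWKULAR"
                   url="http://hawkular-server:8080"
                   username="jdoe"
                   password="password"/>            <!-- clear text: what the thread wants gone -->
</subsystem>

<!-- 2b. AFTER: same subsystem, the password replaced by a vault reference.
         Format is ${VAULT::<vault-block>::<attribute>::<shared-key>}; the
         trailing shared key is kept for compatibility and conventionally "1".
         The subsystem still receives the decrypted value at runtime, so no
         agent code change is needed, as the reply points out. -->
<subsystem xmlns="urn:org.hawkular.agent:agent:1.0">
  <storage-adapter type="HAWKULAR"
                   url="http://hawkular-server:8080"
                   username="jdoe"
                   password="${VAULT::hawkular::agentPassword::1}"/>
</subsystem>
```

Two caveats a deployer should keep in mind. The vault removes the secret from standalone.xml, but anyone who can read both the configuration and the keystore plus `vault/` directory can recover it, because the masked keystore password is derived with a fixed, published scheme; restrict file permissions on `vault.keystore` and the encrypted-file directory to the user the server runs as. And because WildFly resolves `${VAULT::...}` only in attributes that support expression resolution, verify in the server log at startup that the subsystem actually authenticated, rather than assuming the substitution happened.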