[Hawkular-dev] Getting rid of agent/server password in clear

Heiko W.Rupp hrupp at redhat.com
Thu Aug 11 04:59:41 EDT 2016


Hey Mazz and Juca,

tl;dr: we need to get rid of clear text passwords in standalone.xml

for the Docker builds I can run (pseudocode):

docker run -e HAWKULAR_USER=jdoe -e HAWKULAR_PASSWORD=password pilhuhn/hawkular-services

the startup in the image takes care that jdoe is added to the users.properties file for JAAS and the agent gets those env-variables as user/password and the agent can talk to the server (see also below).

== Agent side

I recall that in the agent installer you have added some way of 'obfuscating' the password. I wonder if that exists / can be added to the agent proper so that the password is not in standalone.xml in clear and I can pass -e HAWKULAR_PASS_HASH=dhfadfhsdfadsfads instead of the password and the agent then sends base64(hash(user + password-hash)) to the server, which does the same with its local data and compares if the base64 matches.

Remember that docker inspect <container id> lets you see env-variables

           "Env": [
                 "HAWKULAR_BACKEND=remote",
                 "HAWKULAR_PASSWORD=password",


== Server side

Passing in the password like above to set up the server is equally bad (perhaps a tiny bit less, as the server is usually inside a more secured area than the agents). Here I can in the startup script easily replace the call to add-user.sh with some "add user + password if not exists" logic and the env-variable gets passed in what add-user.sh would compute and add.
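The agent/server exchange sketched in the agent-side section above, as an added example that is not part of Heiko's mail or of the Hawkular code base. It assumes SHA-256 as the hash and a hex SHA-256 of the clear password as the HAWKULAR_PASS_HASH value (both assumptions made here for illustration), and the server side compares the recomputed value in constant time.

```python
import base64
import hashlib
import hmac

# Assumed format for HAWKULAR_PASS_HASH: hex SHA-256 of the clear password.
# This is the value the server keeps per user instead of the clear password.
def password_hash(password: str) -> str:
    return hashlib.sha256(password.encode("utf-8")).hexdigest()

def agent_token(user: str, pass_hash: str) -> str:
    """Agent side: base64(hash(user + password-hash)), as proposed in the mail."""
    digest = hashlib.sha256((user + pass_hash).encode("utf-8")).digest()
    return base64.b64encode(digest).decode("ascii")

class Server:
    """Server side: holds user -> password hash and recomputes the token locally."""

    def __init__(self, users: dict):
        self._users = users  # constructed stand-in for users.properties

    def verify(self, user: str, token: str) -> bool:
        stored = self._users.get(user)
        if stored is None:
            return False
        expected = agent_token(user, stored)
        # Constant-time comparison so a wrong token is not distinguishable by timing.
        return hmac.compare_digest(expected, token)

def agent_login(env: dict, server: Server) -> bool:
    """Agent reads HAWKULAR_USER / HAWKULAR_PASS_HASH from its (constructed) env."""
    user = env["HAWKULAR_USER"]
    token = agent_token(user, env["HAWKULAR_PASS_HASH"])
    return server.verify(user, token)

# Constructed sample data: the clear password itself is never handed to the agent.
SERVER = Server({"jdoe": password_hash("password")})
GOOD_ENV = {"HAWKULAR_USER": "jdoe", "HAWKULAR_PASS_HASH": password_hash("password")}
BAD_ENV = {"HAWKULAR_USER": "jdoe", "HAWKULAR_PASS_HASH": password_hash("wrong")}

if __name__ == "__main__":
    print("jdoe with correct hash:", agent_login(GOOD_ENV, SERVER))
    print("jdoe with wrong hash:  ", agent_login(BAD_ENV, SERVER))
```

Note that with this scheme the value in HAWKULAR_PASS_HASH is what the agent needs to authenticate, so it is the thing to keep out of docker inspect output, not only the clear password.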

