[FOLIO-759] Update how db credentials are passed to modules in CI builds Created: 03/Aug/17 Updated: 15/Jan/19 |
|
| Status: | Open |
| Project: | FOLIO |
| Components: | None |
| Affects versions: | None |
| Fix versions: | None |
| Type: | Task | Priority: | P3 |
| Reporter: | Wayne Schneider | Assignee: | Wayne Schneider |
| Resolution: | Unresolved | Votes: | 0 |
| Labels: | ci, for-next-sprint, sprint20 | ||
| Remaining Estimate: | Not Specified | ||
| Time Spent: | 15 minutes | ||
| Original estimate: | Not Specified | ||
| Issue links: |
| Sprint: | |||||||||
| Development Team: | Core: Platform | ||||||||
| Description |
|
Up to now it's been convenient to use environment variables, but really, db credentials should not be exposed by the /_/discovery/modules endpoint. |
| Comments |
| Comment by Wayne Schneider [ 03/Aug/17 ] |
|
We can use this issue to work out a rough model for more secure production deployment. |
| Comment by Jakub Skoczen [ 09/Aug/17 ] |
|
Wayne Schneider what's this about? |
| Comment by Jakub Skoczen [ 09/Aug/17 ] |
|
Note: how does it relate to the refactoring of Okapi services as Internal Modules? |
| Comment by Wayne Schneider [ 15/Aug/17 ] |
|
Jakub Skoczen – see for example http://folio-testing-backend01.aws.indexdata.com:9130/_/discovery/modules – we are using environment variables to pass the database credentials to the RMB-based modules, and those credentials are exposed on the Okapi discovery endpoint. This is not how we would want to do it in production (though it was very convenient to get things up and running). We had a discussion on Slack about it and agreed to open up an issue. One way to address the issue is to put the credentials in a configuration file, possibly secured as documented here: https://github.com/folio-org/raml-module-builder#securing-db-configuration-file. This may require building a new Docker image for deployment based on the Jenkins artifact with the config file added and the entry point updated, or some other method of invoking the Docker image. |
| Comment by Wayne Schneider [ 16/Mar/18 ] |
|
Updated issue name and description to make it more precise. |
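
A CI-side check for the exposure described in the 15/Aug/17 comment, added here as an example and not part of the issue or of FOLIO's code: it audits a saved `/_/discovery/modules` response and reports deployments whose environment carries credential-like entries. The JSON field names (`srvcId`, `instId`, `descriptor.env[].name/value`), the name patterns and the sample data are assumptions.

```python
import json
import re

# Assumed shape of one discovery entry (the page does not show it):
# {"srvcId": ..., "instId": ..., "descriptor": {"env": [{"name": ..., "value": ...}]}}
SECRET_NAME = re.compile(r"PASSWORD|PASSWD|SECRET|TOKEN|CREDENTIAL|API_?KEY", re.I)
# user:password@host inside a URL-style value, e.g. a database connection URI
URL_USERINFO = re.compile(r"://[^/\s:@]+:[^/\s@]+@")


def find_exposed_secrets(discovery_json):
    """Return (srvcId, instId, env name, reason) for each suspicious env entry."""
    findings = []
    for dep in json.loads(discovery_json):
        descriptor = dep.get("descriptor") or {}  # url-only deployments have none
        for var in descriptor.get("env") or []:
            name, value = var.get("name", ""), var.get("value") or ""
            if not value:
                continue  # an empty value discloses nothing
            if SECRET_NAME.search(name):
                reason = "secret-like name"
            elif URL_USERINFO.search(value):
                reason = "credentials embedded in URL"
            else:
                continue
            # Report the variable name only; never echo the value into CI logs.
            findings.append((dep.get("srvcId"), dep.get("instId"), name, reason))
    return findings


# Constructed sample response; module ids, hosts and values are made up.
SAMPLE = json.dumps([
    {"srvcId": "mod-example-a-1.0.0", "instId": "inst-a", "descriptor": {"env": [
        {"name": "DB_HOST", "value": "db.example.internal"},
        {"name": "DB_USERNAME", "value": "example_user"},
        {"name": "DB_PASSWORD", "value": "example-only"}]}},
    {"srvcId": "mod-example-b-1.0.0", "instId": "inst-b", "descriptor": {"env": [
        {"name": "JAVA_OPTIONS", "value": "-Xmx256m"},
        {"name": "DB_URL", "value": "postgres://app:example-only@db.example.internal/app"}]}},
    {"srvcId": "mod-example-c-1.0.0", "instId": "inst-c", "url": "http://10.0.0.5:8081"},
    {"srvcId": "mod-example-d-1.0.0", "instId": "inst-d", "descriptor": {"env": [
        {"name": "DB_PASSWORD", "value": ""}]}},
])

if __name__ == "__main__":
    for finding in find_exposed_secrets(SAMPLE):
        print("EXPOSED %s/%s: %s (%s)" % finding)
```

Run against a response captured after deployment, a non-empty result can fail the build until the credentials are moved out of the launch descriptor.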