User story #860
Manage the passwords during the installation (closed)
Description
- WebDAV : rudder/rudder (defined in Apache config but sent out to nodes via generated promises)
- PostgreSQL user
- OpenLDAP manager
- Maybe others, this is not exhaustive !
We should modify our postinst scripts or anything to generate automatically random passwords (or ask the user for them) and propagate these passwords to all the concerned config files.
An option for the WebDAV password would be to put it in the rudder-web config file, and have Rudder read it in, and make it available to Techniques as a special variable, so that the Inventory Technique could use it and send it out to nodes.
Updated by Jonathan CLARKE almost 14 years ago
- Target version changed from 7 to 9
Updated by Jonathan CLARKE over 13 years ago
- Target version changed from 9 to 10
Updated by Jonathan CLARKE over 13 years ago
- Target version changed from 10 to 19
Updated by Jonathan CLARKE over 13 years ago
- Target version changed from 19 to 21
Updated by Jonathan CLARKE over 13 years ago
- Target version changed from 21 to 23
Updated by Jonathan CLARKE over 13 years ago
- Target version changed from 23 to 18
Updated by Matthieu CERDA over 13 years ago
- Subject changed from Gérer les mots de passe à l'installation to Manage the passwords during the installation
- Description updated (diff)
Updated by François ARMAND about 13 years ago
- Target version changed from 18 to 24
Updated by Jonathan CLARKE over 12 years ago
- Description updated (diff)
- Status changed from New to 2
- Assignee set to Matthieu CERDA
- Target version changed from 24 to 46
Updated by Matthieu CERDA over 12 years ago
I found a link that gives some tips to generate a random password without installing a new dependency:
I will use this to generate a mediumly solid password:
dd if=/dev/urandom count=128 bs=1 2>&1 | md5sum | cut -b-12
Updated by Matthieu CERDA over 12 years ago
Or even better: head -c 128 /dev/urandom | md5sum | cut -b-12
Updated by Matthieu CERDA over 12 years ago
- Status changed from 2 to Discussion
- Assignee changed from Matthieu CERDA to Nicolas CHARLES
- % Done changed from 0 to 80
As of now, I have a working shell script automating the password change. However, I got two questions:
- Do we want to make it usable with custom passwords ? (for now the script auto-generates passwords)
- Why does Rudder refuse to launch after this script has been run, throwing LDAP Invalid Credentials at my sorry face whereas using standard ldap utilities I can see that the password is perfectly fine in both the rudder-web.properties and the slapd.conf ? Is there a hardcoded password somewhere in the WebApp that I could not see ?
Testing procedure:
- PSQL:
psql -U rudder -d rudder -W -h localhost
- LDAP:
/opt/rudder/bin/ldapwhoami -h localhost -D "cn=Manager,cn=rudder-configuration" -x -W
Updated by Matthieu CERDA over 12 years ago
- Assignee changed from Nicolas CHARLES to Jonathan CLARKE
Never mind, I did not take the inventory-web into account. It was the inventory webapp that was complaining !
Forget the second question !
Updated by Jonathan CLARKE over 12 years ago
- Due date set to 2012-06-18
- Assignee changed from Jonathan CLARKE to Matthieu CERDA
- Implement logic in CFEngine to change each password in all appropriate places. This should be integrated in the distributePolicy Technique.
- Add a random password generation to the post-install script of appropriate packages.
To ensure we have a single definition point for all passwords, we will create a file /opt/rudder/etc/rudder-passwords.conf, with contents like this:
RUDDER_WEBDAV_USERNAME=rudder
RUDDER_WEBDAV_PASSWORD=secret
RUDDER_PSQL_USER=rudder
RUDDER_PSQL_PASSWORD=secret2
RUDDER_OPENLDAP_BIND_DN=cn=Manager,dc...
RUDDER_OPENLDAP_BIND_PASSWORD=secret3
This file should be created by packaging, with particular caution to ensure that it is always mode 600. A check to this effect should also be added to the distributePolicy Technique.
The distributePolicy Technique can then read passwords from this file, and update them in the appropriate configuration files, restarting or reloading services when they are changed and if necessary.
Last but not least, there is one case that is trickier than the others: the WebDAV password will need to be read in by Rudder-webapp, from the rudder-web.properties file (this is important, it mustn't be read in directly from the rudder-passwords.conf files) and exported as a "special variable" for the distributePolicy Technique (like CMDBENDPOINT and CLIENTSFOLDERS). You'll need to ask a Rudder developer, probably Jean, to help you with this.
Updated by Jonathan CLARKE over 12 years ago
I noticed this commit, https://github.com/Normation/rudder-techniques/commit/581fb61d56e544bae540d348b5ed20ed265b7ac8, although it doesn't seem to have been correctly linked to this ticket.
I've added some comments in GitHub, please advise.
Updated by Jonathan CLARKE over 12 years ago
Another comment: please use "=" as the key/value separator in /opt/rudder/etc/rudder-passwords.conf as specified in this ticket (see comment #15). Using ":" is very unusual, and confusing, to be avoided.
Updated by Matthieu CERDA over 12 years ago
- Status changed from Discussion to In progress
Well, I am sorry but using "=" is kind of difficult for one simple reason: "RUDDER_OPENLDAP_BIND_DN=cn=Manager,dc..."
The equal sign is used both as a separator for the key and value and for the cn definition, which just messes up the variable definition. But I am open to any other separator that might be used in the password file of course.
I'll look at the comments.
Updated by Jonathan CLARKE over 12 years ago
Matthieu CERDA wrote:
Well, I am sorry but using "=" is kind of difficult for one simple reason: "RUDDER_OPENLDAP_BIND_DN=cn=Manager,dc..."
The equal sign is used both as a separator for the key and value and for the cn definition, which just messes up the variable definition. But I am open to any other separator that might be used in the password file of course.
Right, I'm sure there's a reason, but if you encounter problems with the specs that doesn't mean they should be ignored! You must explain any such changes in tickets, simply changing specs silently is not something you can do.
I want our file to be in a standard, common file format (principle of least astonishment), so I'd rather see one of:
- One or several spaces or tabs, ie : "key value" (as in slapd.conf)
- " = " as a separator (an equals sign surrounded by spaces)
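As an added example (not Rudder's own code; the file path, the bind DN and the function names are assumptions), the POSIX shell sketch below joins the two pieces discussed in this ticket: generating the passwords file with the urandom recipe from comment above and mode 600, and reading it back in the "key = value" layout by splitting on the first " = " only, so the "=" signs inside the bind DN are preserved.

```shell
#!/bin/sh
# Added example, not part of Rudder. Writes a rudder-passwords.conf in the
# "key = value" layout and parses it on the FIRST " = " only, so a bind DN
# such as cn=Manager,dc=example,dc=com survives intact. Linux coreutils assumed.

# Random 12-character password, the recipe used in this ticket.
gen_password() {
    head -c 128 /dev/urandom | md5sum | cut -b-12
}

# Create the file as mode 600 from the moment it exists (umask in a subshell,
# not chmod afterwards, so there is no window where it is world-readable).
write_passwords_conf() {
    conf="$1"
    bind_dn="$2"
    ( umask 077
      cat > "$conf" <<EOF
RUDDER_WEBDAV_USERNAME = rudder
RUDDER_WEBDAV_PASSWORD = $(gen_password)
RUDDER_PSQL_USER = rudder
RUDDER_PSQL_PASSWORD = $(gen_password)
RUDDER_OPENLDAP_BIND_DN = $bind_dn
RUDDER_OPENLDAP_BIND_PASSWORD = $(gen_password)
EOF
    )
}

# Read one key: everything after the first " = " is the value, even if it
# contains further "=" characters.
read_password_key() {
    conf="$1"
    key="$2"
    sed -n "s/^$key = //p" "$conf" | head -n 1
}

# The mode-600 check that the distributePolicy Technique is asked to enforce.
check_mode_600() {
    [ "$(ls -l "$1" | cut -c1-10)" = "-rw-------" ]
}
```

Twelve hex characters from md5sum carry 48 bits of entropy; a longer cut, or base64 of the raw urandom bytes, gives more for the same one-liner.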
Updated by Matthieu CERDA over 12 years ago
- % Done changed from 80 to 90
The Technique is nearly ready. There are just some more quirks to be addressed with the management of the postgresql password and I still have to use the code just committed by NCH to get the WebDAV password, but else we are good !
Updated by Jonathan CLARKE over 12 years ago
- Target version changed from 46 to 47
Updated by Matthieu CERDA over 12 years ago
- Status changed from In progress to Pending technical review
- % Done changed from 90 to 100
This task is FINALLY over ! yay !
Updated by Nicolas PERRON over 12 years ago
Matthieu, please check that postgresql password is really changed in /etc/rsyslog.d/rudder.conf
Updated by Matthieu CERDA over 12 years ago
- Status changed from Pending technical review to Discussion
- Assignee changed from Matthieu CERDA to Nicolas CHARLES
Nicolas, I do not agree with your commit commit:b16b897251fa8eab53148c48e1bcb016cfdc6e27 . You are using the internal endpoint URL to send a motd on ( thus creating a lot of useless error messages in the logs as the system motd is obviously an invalid inventory) and not the external URL ( Like http://localhost/inventories/ or http://<machine host name>/inventories/ ).
This is blocking me for the resolution of #2629, may we revert this ASAP ?
Updated by Jonathan CLARKE over 12 years ago
Matthieu CERDA wrote:
Nicolas, I do not agree with your commit commit:b16b897251fa8eab53148c48e1bcb016cfdc6e27 . You are using the internal endpoint URL to send a motd on ( thus creating a lot of useless error messages in the logs as the system motd is obviously an invalid inventory) and not the external URL ( Like http://localhost/inventories/ or http://<machine host name>/inventories/ ).
This is blocking me for the resolution of #2629, may we revert this ASAP ?
Agreed. Please revert.
Updated by Matthieu CERDA over 12 years ago
- Status changed from Discussion to Pending technical review
- Assignee changed from Nicolas CHARLES to Matthieu CERDA
It is done! Thank you guys for being this fast to respond :D
Updated by Jonathan CLARKE over 12 years ago
- Target version changed from 47 to 50
Updated by Jonathan CLARKE over 12 years ago
- Target version changed from 50 to 2.4.0~beta3
Updated by Jonathan CLARKE over 12 years ago
- Status changed from Pending technical review to Discussion
Matthieu,
This last commit is really not DRY, you can't repeat the huge comment like that in two different files. A DRY approach would be to define the comment in the file installed by the package, then edit it using sed in rudder-init.sh.
Updated by Matthieu CERDA over 12 years ago
- Status changed from Discussion to Pending technical review
Applied in changeset commit:0f2b65fe23ada13e8b0cf975c05dcbf2697b9d6e.
Updated by Jonathan CLARKE over 12 years ago
- Status changed from Pending technical review to In progress
- % Done changed from 100 to 90
Thank you Matthieu.
Now please add documentation about this in rudder-doc!
Updated by Matthieu CERDA over 12 years ago
- Status changed from In progress to Pending technical review
- % Done changed from 90 to 100
Applied in changeset commit:4408586c94984665ac81a6491b071deb8ddd5ef6.
Updated by Matthieu CERDA over 12 years ago
This commit is on the rudder-doc repo => http://www.rudder-project.org/redmine/projects/rudder-doc/repository/revisions/4408586c94984665ac81a6491b071deb8ddd5ef6
Updated by Jonathan CLARKE over 12 years ago
- Status changed from Pending technical review to 10
This all looks good to me now, thanks Matthieu!
Updated by Jonathan CLARKE over 12 years ago
- Status changed from 10 to Released
Updated by Nicolas PERRON almost 12 years ago
- Project changed from Rudder to 34
- Category deleted (11)
Updated by Benoît PECCATTE almost 10 years ago
- Project changed from 34 to Rudder
- Category set to Packaging