User story (meta) #860

Manage the passwords during the installation

Added by Jonathan CLARKE over 3 years ago. Updated over 1 year ago.

Status: Released    Start date: 2011-02-16
Priority: 2    Due date: 2012-06-18
Assignee: Matthieu CERDA    % Done: 100%

Category: -
Target version: Rudder - 2.4.0~beta3

Description

As of now, the Rudder packages and other scripts assume that some passwords are fixed:
  • WebDAV: rudder/rudder (defined in Apache config but sent out to nodes via generated promises)
  • PostgreSQL user
  • OpenLDAP manager
  • Maybe others; this is not exhaustive!

We should modify our postinst scripts or anything else needed to generate random passwords automatically (or ask the user for them) and propagate these passwords to all the concerned config files.

An option for the WebDAV password would be to put it in the rudder-web config file, and have Rudder read it in, and make it available to Techniques as a special variable, so that the Inventory Technique could use it and send it out to nodes.

Associated revisions

Revision 3deeec81
Added by Matthieu CERDA about 2 years ago

Refs #860: Add a password file generation script to rudder-init.sh

Revision 581fb61d
Added by Matthieu CERDA about 2 years ago

Refs #860: Added a password checking promise to the distributePolicy, without WebDAV checking

Revision f7143830
Added by Matthieu CERDA about 2 years ago

Fixes #860: The password checking Technique is finally ready, yay !

Revision 40c9ebb3
Added by Matthieu CERDA about 2 years ago

Refs #860: Corrected a small error in the psql part of password check

Revision 5a566a95
Added by Matthieu CERDA about 2 years ago

Refs #860: TRIVIAL: added a linux:: class to prevent reports 'explosion'

Revision b16b8972
Added by Nicolas CHARLES about 2 years ago

Refs #860 : correct the url to the inventory endpoint

Revision 2d388bdd
Added by Matthieu CERDA about 2 years ago

Refs #860: A disclaimer is included in all files likely to be edited by the passwordCheck promise

Revision 8a54dd9f
Added by Matthieu CERDA about 2 years ago

Refs #860: Inserted a small explication about how rudder-password.conf works and removed usernames from it

Revision 0f2b65fe
Added by Matthieu CERDA about 2 years ago

Fixes #860: Made rudder-init.sh only edit the password file instead of recreating it from scratch

Revision 4408586c
Added by Matthieu CERDA about 2 years ago

Fixes #860: The documentation about the password checking mechanism in Rudder has been redacted

History

#1 Updated by Jonathan CLARKE over 3 years ago

  • Target version changed from 7 to 9

#2 Updated by Jonathan CLARKE over 3 years ago

  • Target version changed from 9 to Ideas (2.3 specific)

#3 Updated by Jonathan CLARKE almost 3 years ago

  • Target version changed from Ideas (2.3 specific) to 19

#4 Updated by Jonathan CLARKE almost 3 years ago

  • Target version changed from 19 to 21

#5 Updated by Jonathan CLARKE almost 3 years ago

  • Target version changed from 21 to 23

#6 Updated by Jonathan CLARKE almost 3 years ago

  • Target version changed from 23 to Ideas (2.4 specific)

#7 Updated by Jonathan CLARKE almost 3 years ago

  • Needs translating set to Yes

#8 Updated by Matthieu CERDA almost 3 years ago

  • Subject changed from Gérer les mots de passe à l'installation to Manage the passwords during the installation
  • Description updated (diff)
  • Needs translating changed from Yes to No

#9 Updated by François ARMAND almost 3 years ago

  • Target version changed from Ideas (2.4 specific) to Ideas (2.5 specific)

#10 Updated by Jonathan CLARKE about 2 years ago

  • Description updated (diff)
  • Status changed from New to 2
  • Assignee set to Matthieu CERDA
  • Target version changed from Ideas (2.5 specific) to 46

#11 Updated by Matthieu CERDA about 2 years ago

I found a link that gives some tips to generate a random password without installing a new dependency:

http://foolab.org/node/1436

I will use this to generate a moderately strong password:

dd if=/dev/urandom count=128 bs=1 2>&1 | md5sum | cut -b-12

#12 Updated by Matthieu CERDA about 2 years ago

Or even better: head -c 128 /dev/urandom | md5sum | cut -b-12

#13 Updated by Matthieu CERDA about 2 years ago

  • Status changed from 2 to Discussion
  • Assignee changed from Matthieu CERDA to Nicolas CHARLES
  • % Done changed from 0 to 80

As of now, I have a working shell script automating the password change. However, I have two questions:

  • Do we want to make it usable with custom passwords? (for now the script auto-generates passwords)
  • Why does Rudder refuse to launch after this script has been run, throwing LDAP Invalid Credentials at my sorry face, whereas using standard ldap utilities I can see that the password is perfectly fine in both rudder-web.properties and slapd.conf? Is there a hardcoded password somewhere in the WebApp that I could not see?

Testing procedure:

  • PSQL:
psql -U rudder -d rudder -W -h localhost
  • LDAP:
/opt/rudder/bin/ldapwhoami -h localhost -D "cn=Manager,cn=rudder-configuration" -x -W

#14 Updated by Matthieu CERDA about 2 years ago

  • Assignee changed from Nicolas CHARLES to Jonathan CLARKE

Never mind, I did not take the inventory-web into account. It was the inventory webapp that was complaining!

Forget the second question!

#15 Updated by Jonathan CLARKE about 2 years ago

  • Due date set to 2012-06-18
  • Assignee changed from Jonathan CLARKE to Matthieu CERDA

As discussed orally, the approach we'd like to take for this is as follows:
  • Implement logic in CFEngine to change each password in all appropriate places. This should be integrated in the distributePolicy Technique.
  • Add a random password generation to the post-install script of appropriate packages.

To ensure we have a single definition point for all passwords, we will create a file /opt/rudder/etc/rudder-passwords.conf, with contents like this:

RUDDER_WEBDAV_USERNAME=rudder
RUDDER_WEBDAV_PASSWORD=secret
RUDDER_PSQL_USER=rudder
RUDDER_PSQL_PASSWORD=secret2
RUDDER_OPENLDAP_BIND_DN=cn=Manager,dc...
RUDDER_OPENLDAP_BIND_PASSWORD=secret3

This file should be created by packaging, with particular caution to ensure that it is always mode 600. A check to this effect should also be added to the distributePolicy Technique.

The distributePolicy Technique can then read passwords from this file, and update them in the appropriate configuration files, restarting or reloading services when they are changed and if necessary.

Last but not least, there is one case that is trickier than the others: the WebDAV password will need to be read in by Rudder-webapp, from the rudder-web.properties file (this is important, it mustn't be read in directly from the rudder-passwords.conf files) and exported as a "special variable" for the distributePolicy Technique (like CMDBENDPOINT and CLIENTSFOLDERS). You'll need to ask a Rudder developer, probably Jean, to help you with this.

#16 Updated by Jonathan CLARKE about 2 years ago

I noticed this commit, https://github.com/Normation/rudder-techniques/commit/581fb61d56e544bae540d348b5ed20ed265b7ac8, although it doesn't seem to have been correctly linked to this ticket.

I've added some comments in GitHub, please advise.

#17 Updated by Jonathan CLARKE about 2 years ago

Another comment: please use "=" as the key/value separator in /opt/rudder/etc/rudder-passwords.conf as specified in this ticket (see comment #15). Using ":" is very unusual, and confusing, to be avoided.

#18 Updated by Matthieu CERDA about 2 years ago

  • Status changed from Discussion to In progress

Well, I am sorry, but using "=" is kind of difficult for one simple reason: "RUDDER_OPENLDAP_BIND_DN=cn=Manager,dc..."

The equal sign is used both as a separator for the key and value and for the cn definition, which just messes up the variable definition. But I am open to any other separator that might be used in the password file, of course.

I'll look at the comments.

#19 Updated by Jonathan CLARKE about 2 years ago

Matthieu CERDA wrote:

Well, I am sorry, but using "=" is kind of difficult for one simple reason: "RUDDER_OPENLDAP_BIND_DN=cn=Manager,dc..."

The equal sign is used both as a separator for the key and value and for the cn definition, which just messes up the variable definition. But I am open to any other separator that might be used in the password file, of course.

Right, I'm sure there's a reason, but if you encounter problems with the specs that doesn't mean they should be ignored! You must explain any such changes in tickets, simply changing specs silently is not something you can do.

I want our file to be in a standard, common file format (principle of least astonishment), so I'd rather see one of:
  • One or several spaces or tabs, i.e. "key value" (as in slapd.conf)
  • " = " as a separator (an equals sign surrounded by spaces)
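One way to realize the single definition point described in comment #15, together with the separator constraint raised in comments #18 and #19, as an added example in POSIX shell. This is not Rudder's own code (the real implementation lives in rudder-init.sh and the distributePolicy Technique, neither of which is shown on this page): the function names are hypothetical, while the variable names, the mode-600 requirement, the "key = value" separator and the generator from comment #12 come from this ticket, and the bind DN is the one used in the testing procedure of comment #13.

```shell
#!/bin/sh
# Added example, not Rudder's code: one possible shape for the
# rudder-passwords.conf workflow discussed in comments #15, #18 and #19.
# Function names are hypothetical; file contents follow the ticket.

set -eu

# Random password as proposed in comment #12: 128 bytes of /dev/urandom,
# hashed and truncated to 12 hex characters. Note that the truncation
# caps the result at 48 bits of entropy whatever the input size.
gen_password() {
    head -c 128 /dev/urandom | md5sum | cut -b-12
}

# Create the single definition point for all passwords. umask is set
# before the file exists so it is never readable by others, even briefly.
# Separator is " = ", one of the two forms accepted in comment #19.
write_passwords_file() {
    file="$1"
    ( umask 077
      cat > "$file" <<EOF
RUDDER_WEBDAV_USERNAME = rudder
RUDDER_WEBDAV_PASSWORD = $(gen_password)
RUDDER_PSQL_USER = rudder
RUDDER_PSQL_PASSWORD = $(gen_password)
RUDDER_OPENLDAP_BIND_DN = cn=Manager,cn=rudder-configuration
RUDDER_OPENLDAP_BIND_PASSWORD = $(gen_password)
EOF
    )
}

# Read one value by key. Only the FIRST "key = " prefix is stripped, so
# a value that itself contains "=" (the DN problem from comment #18)
# is returned intact. Returns 1 when the key is absent.
read_value() {
    key="$1"; file="$2"
    while IFS= read -r line; do
        case "$line" in
            "$key = "*) printf '%s\n' "${line#"$key = "}"; return 0 ;;
        esac
    done < "$file"
    return 1
}

# The mode-600 check comment #15 asks the distributePolicy Technique to
# enforce. GNU stat first; the BSD form is a portability fallback.
check_mode_600() {
    file="$1"
    mode=$(stat -c '%a' "$file" 2>/dev/null || stat -f '%Lp' "$file")
    [ "$mode" = "600" ]
}
```

A consumer such as a promise or a sed-based updater would call read_value once per key and then rewrite the target configuration file; splitting on the first separator only is the whole fix for the "=" inside the DN, so there is no need to change the file format for that reason alone.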

#20 Updated by Matthieu CERDA about 2 years ago

  • % Done changed from 80 to 90

The Technique is nearly ready. There are just a few more quirks to be addressed in the management of the postgresql password, and I still have to use the code just committed by NCH to get the WebDAV password, but otherwise we are good!

#21 Updated by Jonathan CLARKE about 2 years ago

  • Target version changed from 46 to 47

#22 Updated by Matthieu CERDA about 2 years ago

  • Status changed from In progress to Pending technical review
  • % Done changed from 90 to 100

#23 Updated by Nicolas PERRON about 2 years ago

Matthieu, please check that postgresql password is really changed in /etc/rsyslog.d/rudder.conf

#24 Updated by Matthieu CERDA about 2 years ago

  • Status changed from Pending technical review to Discussion
  • Assignee changed from Matthieu CERDA to Nicolas CHARLES

Nicolas, I do not agree with your commit commit:b16b897251fa8eab53148c48e1bcb016cfdc6e27. You are using the internal endpoint URL to send a motd on (thus creating a lot of useless error messages in the logs, as the system motd is obviously an invalid inventory) and not the external URL (like http://localhost/inventories/ or http://<machine host name>/inventories/).

This is blocking me for the resolution of #2629, may we revert this ASAP ?

#25 Updated by Jonathan CLARKE about 2 years ago

Matthieu CERDA wrote:

Nicolas, I do not agree with your commit commit:b16b897251fa8eab53148c48e1bcb016cfdc6e27. You are using the internal endpoint URL to send a motd on (thus creating a lot of useless error messages in the logs, as the system motd is obviously an invalid inventory) and not the external URL (like http://localhost/inventories/ or http://<machine host name>/inventories/).

This is blocking me for the resolution of #2629, may we revert this ASAP ?

Agreed. Please revert.

#26 Updated by Matthieu CERDA about 2 years ago

  • Status changed from Discussion to Pending technical review
  • Assignee changed from Nicolas CHARLES to Matthieu CERDA

It is done! Thank you guys for being this fast to respond :D

#27 Updated by Jonathan CLARKE about 2 years ago

  • Target version changed from 47 to 50

#28 Updated by Jonathan CLARKE about 2 years ago

  • Target version changed from 50 to 2.4.0~beta3

#29 Updated by Jonathan CLARKE about 2 years ago

  • Status changed from Pending technical review to Discussion

Matthieu,

This last commit is really not DRY, you can't repeat the huge comment like that in two different files. A DRY approach would be to define the comment in the file installed by the package, then edit it using sed in rudder-init.sh.

#30 Updated by Matthieu CERDA about 2 years ago

  • Status changed from Discussion to Pending technical review

#31 Updated by Jonathan CLARKE about 2 years ago

  • Status changed from Pending technical review to In progress
  • % Done changed from 100 to 90

Thank you Matthieu.

Now please add documentation about this in rudder-doc!

#32 Updated by Matthieu CERDA about 2 years ago

  • Status changed from In progress to Pending technical review
  • % Done changed from 90 to 100

Applied in changeset commit:4408586c94984665ac81a6491b071deb8ddd5ef6.

#34 Updated by Jonathan CLARKE about 2 years ago

  • Status changed from Pending technical review to Pending functional review

This all looks good to me now, thanks Matthieu!

#35 Updated by Jonathan CLARKE about 2 years ago

  • Status changed from Pending functional review to Released

#36 Updated by Nicolas PERRON over 1 year ago

  • Project changed from Rudder to packages
  • Category deleted (11)
