Project

General

Profile

Actions

User story #860

closed

Manage the passwords during the installation

Added by Jonathan CLARKE about 13 years ago. Updated about 9 years ago.

Status:
Released
Priority:
2
Assignee:
Matthieu CERDA
Category:
Packaging
Target version:
UX impact:
Suggestion strength:
User visibility:
Effort required:
Name check:
Fix check:
Regression:

Description

As of now, the Rudder packages and other scripts assume that some passwords are fixed :
  • WebDAV : rudder/rudder (defined in Apache config but sent out to nodes via generated promises)
  • PostgreSQL user
  • OpenLDAP manager
  • Maybe others, this is not exhaustive !

We should modify our postint scripts or anything to generate automatically random passwords (or ask the user for them) and propagate these passwords to all the concerned config files.

An option for the WebDAV password would be to put it in the rudder-web config file, and have Rudder read it in, and make it available to Techniques as a special variable, so that the Inventory Technique could use it and send it out to nodes.

Actions #1

Updated by Jonathan CLARKE about 13 years ago

  • Target version changed from 7 to 9
Actions #2

Updated by Jonathan CLARKE almost 13 years ago

  • Target version changed from 9 to 10
Actions #3

Updated by Jonathan CLARKE over 12 years ago

  • Target version changed from 10 to 19
Actions #4

Updated by Jonathan CLARKE over 12 years ago

  • Target version changed from 19 to 21
Actions #5

Updated by Jonathan CLARKE over 12 years ago

  • Target version changed from 21 to 23
Actions #6

Updated by Jonathan CLARKE over 12 years ago

  • Target version changed from 23 to 18
Actions #8

Updated by Matthieu CERDA over 12 years ago

  • Subject changed from Gérer les mots de passe à l'installation to Manage the passwords during the installation
  • Description updated (diff)
Actions #9

Updated by François ARMAND over 12 years ago

  • Target version changed from 18 to 24
Actions #10

Updated by Jonathan CLARKE almost 12 years ago

  • Description updated (diff)
  • Status changed from New to 2
  • Assignee set to Matthieu CERDA
  • Target version changed from 24 to 46
Actions #11

Updated by Matthieu CERDA almost 12 years ago

I found a link that gives some tips to generate a random password without installing a new dependency:

http://foolab.org/node/1436

I will use this to generate a mediumly solid password:

dd if=/dev/urandom count=128 bs=1 2>&1 | md5sum | cut -b-12

Actions #12

Updated by Matthieu CERDA almost 12 years ago

Or even better: head -c 128 /dev/urandom | md5sum | cut -b-12

Actions #13

Updated by Matthieu CERDA almost 12 years ago

  • Status changed from 2 to Discussion
  • Assignee changed from Matthieu CERDA to Nicolas CHARLES
  • % Done changed from 0 to 80

As of now, I have a working shell script automating the password change. However, I got two questions:

  • Do we want to make it usable with custom passwords ? (for now the script auto-generates passwords)
  • Why does Rudder refuses to launch after this script has been run, throwing LDAP Invalid Credentials at my sorry face whereas using standard ldap utilities I can see that the password is perfectly fine in both the rudder-web.properties and the slapd.conf ? Is there a hardcoded password somewhere in the WebApp that I could not see ?

Testing procedure:

  • PSQL:
psql -U rudder -d rudder -W -h localhost
  • LDAP:
/opt/rudder/bin/ldapwhoami -h localhost -D "cn=Manager,cn=rudder-configuration" -x -W
Actions #14

Updated by Matthieu CERDA almost 12 years ago

  • Assignee changed from Nicolas CHARLES to Jonathan CLARKE

Never mind, I did not take the inventory-web into account. It was the inventory webapp that was complaining !

Forget the second question !

Actions #15

Updated by Jonathan CLARKE almost 12 years ago

  • Due date set to 2012-06-18
  • Assignee changed from Jonathan CLARKE to Matthieu CERDA
As discussed orally, the approach we'd like to take for this is as follows:
  • Implement logic in CFEngine to change each password in all appropriate places. This should be integrated in the distributePolicy Technique.
  • Add a random password generation to the post-install script of appropriate packages.

To ensure we have a single definition point for all passwords, we will create a file /opt/rudder/etc/rudder-passwords.conf, with contents like this:

RUDDER_WEBDAV_USERNAME=rudder
RUDDER_WEBDAV_PASSWORD=secret
RUDDER_PSQL_USER=rudder
RUDDER_PSQL_PASSWORD=secret2
RUDDER_OPENLDAP_BIND_DN=cn=Manager,dc...
RUDDER_OPENLDAP_BIND_PASSWORD=secret3

This file should be created by packaging, with particular caution to ensure that it is always mode 600. A check to this effect should also be added to the distributePolicy Technique.

The distributePolicy Technique can then read passwords from this file, and update them in the appropriate configuration files, restarting or reloading services when they are changed and if necessary.

Last but not least, there is one case that is trickier than the others: the WebDAV password will need to be read in by Rudder-webapp, from the rudder-web.properties file (this is important, it mustn't be read in directly from the rudder-passwords.conf files) and exported as a "special variable" for the distributePolicy Technique (like CMDBENDPOINT and CLIENTSFOLDERS). You'll need to ask a Rudder developer, probably Jean, to help you with this.

Actions #16

Updated by Jonathan CLARKE almost 12 years ago

I noticed this commit, https://github.com/Normation/rudder-techniques/commit/581fb61d56e544bae540d348b5ed20ed265b7ac8, although it doesn't seem to have been correctly linked to this ticket.

I've added some comments in GitHub, please advise.

Actions #17

Updated by Jonathan CLARKE almost 12 years ago

Another comment: please use "=" as the key/value separator in /opt/rudder/etc/rudder-passwords.conf as specified in this ticket (see comment #15). Using ":" is very unusual, and confusing, to be avoided.

Actions #18

Updated by Matthieu CERDA almost 12 years ago

  • Status changed from Discussion to In progress

Well, I am sorry but using "=" is kind of difficult for one simple reason: "RUDDER_OPENLDAP_BIND_DN=cn=Manager,dc..."

The equal sign is used both as a separator for the key and value and for the cn definition, which justs messes up the variable definition. But I am open to any other separator that might be used in the password file of course.

I'll look at the comments.

Actions #19

Updated by Jonathan CLARKE almost 12 years ago

Matthieu CERDA wrote:

Well, I am sorry but using "=" is kind of difficult for one simple reason: "RUDDER_OPENLDAP_BIND_DN=cn=Manager,dc..."

The equal sign is used both as a separator for the key and value and for the cn definition, which justs messes up the variable definition. But I am open to any other separator that might be used in the password file of course.

Right, I'm sure there's a reason, but if you encounter problems with the specs that doesn't mean they should be ignored! You must explain any such changes in tickets, simply changing specs silently is not something you can do.

I want our file to be in a standard, common file format (principle of least astonishment), so I'd rather see one of:
  • One or several spaces or tabs, ie : "key value" (as in slapd.conf)
  • " = " as a separator (an equals sign surrounded by spaces)
Actions #20

Updated by Matthieu CERDA almost 12 years ago

  • % Done changed from 80 to 90

The Technique is nearly ready. There are just some more quirks to be addressed with the management of the postgresql password and I still have to use the code just commited by NCH to get the WebDAV password, but else we are good !

Actions #21

Updated by Jonathan CLARKE almost 12 years ago

  • Target version changed from 46 to 47
Actions #22

Updated by Matthieu CERDA almost 12 years ago

  • Status changed from In progress to Pending technical review
  • % Done changed from 90 to 100
Actions #23

Updated by Nicolas PERRON over 11 years ago

Matthieu, please check that postgresql password is really changed in /etc/rsyslog.d/rudder.conf

Actions #24

Updated by Matthieu CERDA over 11 years ago

  • Status changed from Pending technical review to Discussion
  • Assignee changed from Matthieu CERDA to Nicolas CHARLES

Nicolas, I do not agree with your commit commit:b16b897251fa8eab53148c48e1bcb016cfdc6e27 . You are using the internal endpoint URL to send a motd on ( thus creating a lot of useless error messages in the logs as the system motd is obviously and invalid inventory) and not the external URL ( Like http://localhost/inventories/ or http://<machine host name>/inventories/ ).

This is blocking me for the resolution of #2629, may we revert this ASAP ?

Actions #25

Updated by Jonathan CLARKE over 11 years ago

Matthieu CERDA wrote:

Nicolas, I do not agree with your commit commit:b16b897251fa8eab53148c48e1bcb016cfdc6e27 . You are using the internal endpoint URL to send a motd on ( thus creating a lot of useless error messages in the logs as the system motd is obviously and invalid inventory) and not the external URL ( Like http://localhost/inventories/ or http://<machine host name>/inventories/ ).

This is blocking me for the resolution of #2629, may we revert this ASAP ?

Agreed. Please revert.

Actions #26

Updated by Matthieu CERDA over 11 years ago

  • Status changed from Discussion to Pending technical review
  • Assignee changed from Nicolas CHARLES to Matthieu CERDA

It is done! Thank you guys for being this fast to respond :D

Actions #27

Updated by Jonathan CLARKE over 11 years ago

  • Target version changed from 47 to 50
Actions #28

Updated by Jonathan CLARKE over 11 years ago

  • Target version changed from 50 to 2.4.0~beta3
Actions #29

Updated by Jonathan CLARKE over 11 years ago

  • Status changed from Pending technical review to Discussion

Matthieu,

This last commit is really not DRY, you can't repeat the huge comment like that in two different files. A DRY approach would be to define the comment in the file installed by the package, then edit it using sed in rudder-init.sh.

Actions #30

Updated by Matthieu CERDA over 11 years ago

  • Status changed from Discussion to Pending technical review

Applied in changeset commit:0f2b65fe23ada13e8b0cf975c05dcbf2697b9d6e.

Actions #31

Updated by Jonathan CLARKE over 11 years ago

  • Status changed from Pending technical review to In progress
  • % Done changed from 100 to 90

Thank you Matthieu.

Now please add documentation about this in rudder-doc!

Actions #32

Updated by Matthieu CERDA over 11 years ago

  • Status changed from In progress to Pending technical review
  • % Done changed from 90 to 100

Applied in changeset commit:4408586c94984665ac81a6491b071deb8ddd5ef6.

Actions #34

Updated by Jonathan CLARKE over 11 years ago

  • Status changed from Pending technical review to 10

This all looks good to me now, thanks Matthieu!

Actions #35

Updated by Jonathan CLARKE over 11 years ago

  • Status changed from 10 to Released
Actions #36

Updated by Nicolas PERRON about 11 years ago

  • Project changed from Rudder to 34
  • Category deleted (11)
Actions #37

Updated by Benoît PECCATTE about 9 years ago

  • Project changed from 34 to Rudder
  • Category set to Packaging
Actions

Also available in: Atom PDF