Hi Ontotext,
I wanted to report some inconsistency in password / passwordHash values in this chart.
I was trying to configure the chart to deploy a standalone graphdb SE instance (no clustering), with security and initial-users, while preserving idempotency.
Here is what my values override looks like:
```yaml
---
fullnameOverride: "graphdb"
image:
  tag: "10.8.11"
replicas: 1
resources:
  limits:
    memory: 4Gi
  requests:
    cpu: 500m
    memory: 4Gi
license:
  existingSecret: "graphdb-license"
  licenseFilename: license
configuration:
  externalUrl: http://graphdb-backends.127.0.0.1.nip.io
ingress:
  enabled: true
  className: "nginx"
persistence:
  volumeClaimTemplate:
    spec:
      resources:
        requests:
          storage: 1Gi
security:
  enabled: true
  admin:
    ## bcrypt hash of the password
    # echo "{bcrypt}$(htpasswd -bnBC 10 "" "perfect4admin" | tr -d ':\n')"
    initialPassword: "{bcrypt}$2y$10$jQE5GfMb2lAfyIpgbo/brO.Z.bIZ6qAceG0Bj3CEjzuYHf/bRUblq"
  provisioner:
    ## bcrypt hash of the password, for idempotence
    # htpasswd -bnBC 10 "" "perfect4provisioner" | tr -d ':\n'
    passwordHash: "$2y$10$pE0I/7PON75uHu1d3eaY/OAhSUyibL6IDyi0btMAxFRbpc3G7cLYi"
  initialUsers:
    users:
      user:
        username: user
        ## bcrypt hash of the password
        # echo "{bcrypt}$(htpasswd -bnBC 10 "" "perfect4user" | tr -d ':\n')"
        password: "{bcrypt}$2y$10$FYBmiy9Wmkhwno7qEr8lQOaLMRcskJm3GkVFtiDCWaRgulOcC3APK"
        grantedAuthorities:
          - ROLE_MONITORING
          - READ_REPO_*
          - WRITE_REPO_*
```
I noticed the following:
- the `security.provisioner.password` attribute is unused (actually it is used, but only for backup/clustering jobs); notice that its value (when used) is a cleartext password which ends up encoded in a secret used by backup/clustering jobs
- the `security.provisioner.passwordHash` contains a password hash (without the "{bcrypt}" prefix)
- the `security.admin.initialPassword` is named "password" but the content is a password hash (with the "{bcrypt}" prefix)
- the `security.initialUsers[*].password` fields are passed verbatim to users.js; the content can be an encrypted hash with the "{bcrypt}" prefix or a cleartext password
Would it be possible to make this consistent, so that:
- attributes with a name ending in `password` contain a cleartext password everywhere in the chart
- attributes with a name ending in `passwordHash` contain a password hash (with the "{bcrypt}" prefix, either implicit or explicit) everywhere in the chart
Would that be a reasonable request?
Thanks a lot
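Added here as an illustration, not part of the chart and not the reporter's own code: a small Python check of the naming convention proposed above (fields ending in `password` hold cleartext, fields ending in `passwordHash` hold a bcrypt hash with the `{bcrypt}` prefix). The bcrypt-format regex is an assumption about what `htpasswd -B` emits (`$2y$` cost, 22-character salt, 31-character digest), `SAMPLE_VALUES` is a constructed dict mirroring the override in this issue, and a real deployment would feed it the parsed `values.yaml` instead.

```python
import re
from typing import Any, List

# Assumed shape of a modular-crypt bcrypt string as produced by htpasswd -B:
# $2a$/$2b$/$2y$, a two-digit cost, then 53 characters of bcrypt alphabet
# (22 salt + 31 digest). Not taken from the chart; an assumption for this lint.
BCRYPT_RE = re.compile(r"^\$2[aby]\$\d{2}\$[./A-Za-z0-9]{53}$")
PREFIX = "{bcrypt}"


def classify(value: str) -> str:
    """Return 'hash-prefixed', 'hash-bare' or 'cleartext' for one field value."""
    if value.startswith(PREFIX) and BCRYPT_RE.match(value[len(PREFIX):]):
        return "hash-prefixed"
    if BCRYPT_RE.match(value):
        return "hash-bare"
    return "cleartext"


def normalize_hash(value: str) -> str:
    """Make the {bcrypt} prefix explicit so every passwordHash field looks alike.

    Raises ValueError for a cleartext value: hashing must happen out of band
    (e.g. with htpasswd), never silently inside a lint step.
    """
    kind = classify(value)
    if kind == "cleartext":
        raise ValueError("expected a bcrypt hash, got a cleartext value")
    return value if kind == "hash-prefixed" else PREFIX + value


def lint(values: Any, path: str = "") -> List[str]:
    """Walk a values tree and report fields whose content contradicts their name."""
    findings: List[str] = []
    if isinstance(values, dict):
        for key, child in values.items():
            findings.extend(lint(child, f"{path}.{key}" if path else key))
    elif isinstance(values, list):
        for i, child in enumerate(values):
            findings.extend(lint(child, f"{path}[{i}]"))
    elif isinstance(values, str):
        leaf = path.rsplit(".", 1)[-1].lower()
        kind = classify(values)
        # Check the longer suffix first: "passwordhash" must not match "password".
        if leaf.endswith("passwordhash") and kind == "cleartext":
            findings.append(f"{path}: expected a bcrypt hash, found cleartext")
        elif leaf.endswith("password") and kind != "cleartext":
            findings.append(f"{path}: expected cleartext, found a {kind} bcrypt hash")
    return findings


# Hashes copied from the values override in this issue; the dict itself is constructed.
ADMIN_HASH = "{bcrypt}$2y$10$jQE5GfMb2lAfyIpgbo/brO.Z.bIZ6qAceG0Bj3CEjzuYHf/bRUblq"
PROVISIONER_HASH = "$2y$10$pE0I/7PON75uHu1d3eaY/OAhSUyibL6IDyi0btMAxFRbpc3G7cLYi"

SAMPLE_VALUES = {
    "security": {
        "enabled": True,
        "admin": {"initialPassword": ADMIN_HASH},       # hash in a *password field
        "provisioner": {"passwordHash": PROVISIONER_HASH},  # bare hash, prefix missing
        "initialUsers": {
            "users": {"user": {"username": "user", "password": "perfect4user"}}
        },
    }
}

if __name__ == "__main__":
    for finding in lint(SAMPLE_VALUES):
        print("MISMATCH", finding)
    print("normalized provisioner hash:", normalize_hash(PROVISIONER_HASH))
```

Under the convention the reporter asks for, `security.admin.initialPassword` is the only mismatch in the sample (a hash in a field named `password`), the bare provisioner hash is accepted and merely gains its explicit prefix, and the cleartext user password passes; a chart could run the same walk over rendered values to keep the two field families from drifting apart again.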