Merge pull request #1645 from NCEAS/feature-1623-auth-administrators

Feature 1623 - helm: separating `administrator.username` & `auth.administrators` properties

docker/docker-entrypoint.sh

@@ -1,18 +1,7 @@
 #!/usr/bin/env bash
 set -e
 
-if [ "$1" = 'catalina.sh' ]; then
-
-    if [ -z "$METACAT_AUTH_ADMINISTRATORS" ] ||
-        [ $(echo "$METACAT_AUTH_ADMINISTRATORS" | grep -c ":") -ne 0 ]; then
-        echo "ERROR: The admin user ($METACAT_AUTH_ADMINISTRATORS) environment variable was either"
-        echo "       not set, or it included a colon (:). It should contain a single username or"
-        echo "       LDAP-style Distinguished Name, not a colon-delimited list of administrators"
-        echo "       (despite its name indicating otherwise - sorry! :-)"
-        exit 2
-    else
-        METACAT_ADMINISTRATOR_USERNAME="$METACAT_AUTH_ADMINISTRATORS"
-    fi
+if [[ $1 = "catalina.sh" ]]; then
 
     # Expand the metacat-index.war
     if [ ! -d webapps/metacat-index ]; then
@@ -64,32 +53,36 @@ if [ "$1" = 'catalina.sh' ]; then
         /var/metacat/.metacat
 
     # if METACAT_DEBUG, set the root log level accordingly
-    if [[ "$METACAT_DEBUG" == "true" ]]; then
+    if [[ $METACAT_DEBUG == "true" ]]; then
       sed -i 's/rootLogger\.level[^\n]*/rootLogger\.level=DEBUG/g' \
       "${TC_HOME}"/webapps/metacat/WEB-INF/classes/log4j2.properties;
       echo "* * * * * * set Log4J rootLogger level to DEBUG * * * * * *"
     fi
 
     # TODO: need a more-elegant way to handle this, without manipulating files
     # If env has an admin/password set, but it does not exist in the passwords file, then add it
-    if [ -n "$METACAT_ADMINISTRATOR_USERNAME" ]; then
-        USER_PWFILE="/var/metacat/users/password.xml"
-
-        if [ -z "$METACAT_ADMINISTRATOR_PASSWORD" ]; then
+    if [[ -z $METACAT_ADMINISTRATOR_USERNAME ]]; then
+        echo "ERROR: Admin user env variable (METACAT_ADMINISTRATOR_USERNAME) not set!"
+        exit 1
+    else
+       if [[ -z $METACAT_ADMINISTRATOR_PASSWORD ]]; then
             echo "ERROR:  The admin user (METACAT_ADMINISTRATOR_USERNAME) environment variable was"
             echo "        set, but no password value was set."
-            echo "        You may use the METACAT_ADMINISTRATOR_PASSWORD environment variable to"
+            echo "        You must use the METACAT_ADMINISTRATOR_PASSWORD environment variable to"
             echo "        set the administrator password"
             exit 2
         fi
-        # look for the user password file, as it is expected if the configuration is completed
-        if [ ! -s "$USER_PWFILE" ] ||
-            [ $(grep -c "$METACAT_ADMINISTRATOR_USERNAME" "$USER_PWFILE") -eq 0 ]; then
+        USER_PWFILE="/var/metacat/users/password.xml"
+
+         # look for the user password file, as it is expected if the configuration is completed
+        if [[ ! -s $USER_PWFILE ]] ||
+            [[ $(grep -c "$METACAT_ADMINISTRATOR_USERNAME" $USER_PWFILE) -eq 0 ]]; then
             # Note: the Java bcrypt library only supports '2a' format hashes, so override the
             # default python behavior so that the hashes created start with '2a' rather than '2y'
             cd "${METACAT_DIR}"/WEB-INF/scripts/bash
-            PASS=$(python3 -c "import bcrypt;print bcrypt.hashpw('$METACAT_ADMINISTRATOR_PASSWORD',\
-                  bcrypt.gensalt(10,prefix='2a'))")
+            PASS=$(python3 -c "import bcrypt; print(bcrypt.hashpw(\
+                '$METACAT_ADMINISTRATOR_PASSWORD'.encode('utf-8'),\
+                bcrypt.gensalt(10,prefix=b'2a')).decode('utf-8'))")
             bash ./authFileManager.sh useradd -h "$PASS" -dn "$METACAT_ADMINISTRATOR_USERNAME"
             cd "$TC_HOME"
             echo
@@ -159,7 +152,7 @@ ${METACAT_ADMINISTRATOR_PASSWORD}&username=${METACAT_ADMINISTRATOR_USERNAME}" \
     echo '**************************************'
 fi
 
-if [[ "$DEVTOOLS" == "true" ]]; then
+if [[ $DEVTOOLS == "true" ]]; then
     echo "Container dev tools mode -- starting infinite loop -- ctrl-c to interrupt..."
     sh -c 'trap "exit" TERM; while true; do sleep 1; done'
 else

helm/admin/secrets.yaml

@@ -20,15 +20,48 @@ kind: Secret
 metadata:
   name: ${RELEASE_NAME}-secrets
 type: Opaque
-stringData:    # # # EDIT THESE VALUES # do not check into GitHub!
-  # METACAT_AUTH_ADMINISTRATORS is a single admin username or LDAP-style Distinguished Name used
-  # to log into the metacat admin pages. It is NOT a list of users (despite its name), and must
-  # not contain any colons (:)
-  METACAT_AUTH_ADMINISTRATORS: your-value-here    # account will be created if not already existing
-  METACAT_ADMINISTRATOR_PASSWORD: your-value-here # account will be created if not already existing
-  POSTGRES_PASSWORD: your-value-here              # for existing postgres account
-  POSTGRES_USER: your-value-here                  # for existing postgres account
+## @param stringData
+## stringData allows specifying write-only, non-binary secret data (eg metacat credentials) in
+## string form. The stringData field is never output when reading from the API.
+##
+## Also see the mappings in the `application.envSecretKeys` property in `metacat.properties`,
+## to determine which metacat property corresponds to each of these environment variables.
+##
+## # # #    NEVER CHECK SECRETS INTO GITHUB!   # # #
+##
+stringData:
+  ## @param METACAT_ADMINISTRATOR_PASSWORD
+  ## The password for the primary admin account that will be used to authenticate with the new
+  ## metacat instance and apply any necessary setup steps, database upgrades etc. upon first run.
+  ## NOTES:
+  ## 1. In values.yaml, the corresponding username must be set as `metacat.administrator.username`,
+  ##    and must be included in the `metacat.auth.administrators` list
+  ## 2. This account will be created if it doesn't already exist in the `passwords.xml` file on
+  ##    metacat's mounted PersistentVolume (see .Values.persistence)
+  ##
+  METACAT_ADMINISTRATOR_PASSWORD: your-value-here
+  ## @param POSTGRES_USER
+  ## the Postgres database username for the (existing) metacat user
+  ##
+  POSTGRES_USER: your-value-here
+  ## @param POSTGRES_PASSWORD
+  ## the Postgres database password for the (existing) metacat user
+  ##
+  POSTGRES_PASSWORD: your-value-here
+  ## @param METACAT_GUID_DOI_USERNAME
+  ## @param METACAT_GUID_DOI_PASSWORD
+  ## if metacat.guid.doi.enabled is set to `true` in values.yaml, then METACAT_GUID_DOI_USERNAME
+  ## and METACAT_GUID_DOI_PASSWORD must be set, in order to enable publishing of Digital Object
+  ## Identifiers (see doi.org).
+  ##
   METACAT_GUID_DOI_USERNAME: your-value-here      # can be ignored if not using DOI
   METACAT_GUID_DOI_PASSWORD: your-value-here      # can be ignored if not using DOI
+  ## @param METACAT_REPLICATION_PRIVATE_KEY_PASSWORD
+  ## if CN -> CN replication is enabled, then METACAT_GUID_DOI_USERNAME
+  ## and METACAT_GUID_DOI_PASSWORD must be set, in order to enable publishing of Digital Object
+  ## Identifiers (see doi.org).
+  ##
   METACAT_REPLICATION_PRIVATE_KEY_PASSWORD: ""    # can be ignored if not using CN -> CN replication
 data: {}
+## TODO: include pem file to be nmounted at /etc/dataone/client/certs/METACAT1.pem as defined in
+##  metacat.properties for replication.certificate.file & replication.privatekey.file

helm/templates/statefulset.yaml

@@ -52,6 +52,8 @@ spec:
           env:
             - name: METACAT_DEBUG
               value: {{ ternary "true" "false" .Values.image.debug | quote }}
+            - name: METACAT_ADMINISTRATOR_USERNAME
+              value: {{ index .Values.metacat "administrator.username" }}
           envFrom:
             - secretRef:
                 name: {{ .Release.Name }}-secrets

helm/values.yaml

@@ -6,20 +6,44 @@
 ## in this section comprise the minimum set of values needed to run the app and the test suite on
 ## a development machine.
 ##
+## NOTE that certain credentials must also be provided, via Kubernetes Secrets, in order for
+## metacat to function correctly. These credentials are listed in ./admin/secrets.yaml, in the
+## form of environment variables expected by metacat at runtime. Also see the mappings in the
+## `application.envSecretKeys` property in `metacat.properties`, to determine which metacat
+## property corresponds to each of these environment variables
+##
 metacat:
   ## @param metacat.application.context
   ## the application context to use - for example, if your application is hosted at
   ## https://mydomain.org, and you define the context to be "metacat", then the url to access the
   ## application will be https://mydomain.org/metacat/
   ##
   application.context: metacat
+  ## @param auth.admin.setupUsername
+  ## The primary admin username that will be used to authenticate with the new metacat instance
+  ## and apply any necessary setup steps, database upgrades etc. upon first run.
+  ## NOTES:
+  ## 1. The corresponding password must be set as a Secret (see ./admin/secrets.yaml), with the
+  ##    key METACAT_ADMINISTRATOR_PASSWORD
+  ## 2. This account will be created if it doesn't already exist in the `passwords.xml` file on
+  ##    metacat's mounted PersistentVolume (see .Values.persistence)
+  ## 3. This username MUST appear on the list of authorized administrators, otherwise
+  ##    container startup will fail (see @param auth.administrators)
+  ##
+  administrator.username: admin@localhost
+  ## METACAT_AUTH_ADMINISTRATORS is a colon-separated list of admin usernames or LDAP-style
+  ## Distinguished Names denoting the users who may log into metacat with administrator
+  ## privileges.
+  ##
+  auth.administrators: admin@localhost:uid=jones,o=NCEAS,dc=ecoinformatics,dc=org
   ## @param database.connectionURI
   ## connection URI for the postgres database, in the form: jdbc:postgresql://hostname/database-name
   ## host.docker.internal is equivalent to "localhost"
   ##
   database.connectionURI: jdbc:postgresql://host.docker.internal/metacat
   ## Allow users to publish Digital Object Identifiers for the data in this metacat instance?
-  ## (see doi.org). If true, you will also need to define guid.doi.username $ guid.doi.password, 
+  ## (see doi.org).
+  ## If true, you will also need to define guid.doi.username $ guid.doi.password (see secrets.yaml)
   ## and either override or use the defaults in metacat.properties for all the entries that begin
   ## with: "guid.doi."
   ##
@@ -128,9 +152,9 @@ persistence:
   enabled: true
   ## @param persistence.storageClass Storage class of backing PVC
   ##
-  ## If <storageClass> is defined -- storageClassName: <storageClass>
+  ## If <storageClass> is defined,  storageClassName: <storageClass>
   ##
-  ## If <storageClass> set to "-"  -- storageClassName: "" -- which disables dynamic PV provisioning
+  ## If <storageClass> set to "-",  storageClassName: ""  -- which disables dynamic PV provisioning
   ##   (meaning claim can only be bound to an existing PV, not a dynamically-provisioned one) with
   ##   no class (no annotation, or one set equal to "")
   ##
@@ -139,7 +163,7 @@ persistence:
   ## Instead, inspect your cluster to see what stoprageClass is set as default:
   ##    $  kubectl get storageclass
   ## ...and then explicitly set storageClass to match the name of the default storageclass
-  ## (e.g. for Rancher Desktop -- storageclass: local-path
+  ## (e.g. for Rancher Desktop, use:   storageclass: local-path)
   ##
   storageClass: local-path
   ## @param persistence.existingClaim

lib/metacat.properties

@@ -57,8 +57,7 @@ application.readOnlyMode=false
 #  org.dataone.configuration.Settings
 #
 application.envSecretKeys=\
-  auth.administrators=METACAT_AUTH_ADMINISTRATORS   \
-  :database.user=POSTGRES_USER                      \
+   database.user=POSTGRES_USER                      \
   :database.password=POSTGRES_PASSWORD              \
   :guid.doi.username=METACAT_GUID_DOI_USERNAME      \
   :guid.doi.password=METACAT_GUID_DOI_PASSWORD      \