Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Use safer default values #405

Merged
merged 23 commits into from
Jan 12, 2017
Merged

Use safer default values #405

merged 23 commits into from
Jan 12, 2017

Conversation

Kami
Copy link
Member

@Kami Kami commented Jan 9, 2017

This pull request updates the installer script to use more sane and safer default values.

It includes the following changes:

  1. Update MongoDB to listen on localhost only (this is already the case in some versions but not all of them and it's better to be safe than sorry).
  2. Enable authentication for MongoDB and create two users (admin and stackstorm). "stackstorm" user only has access to "st2" database and it's used by StackStorm components to authenticate against MongoDB.
  3. Update RabbitMQ config to listen on localhost only by default (previously it listened on all the interfaces)
  4. Update PostgreSQL config to listen on localhost only by default (already a default value on some distros)
  5. Generate and use random password for Mistral PostgreSQL authentication.

Keep in mind that since those changes are done in the installer script, the only apply to single box installer only installation (doh). When users performs advanced / custom installation, package responsibility is only to get StackStorm components installed on the system - it's up to the user to handle authentication, configuration, etc.

TODO

@Kami Kami changed the title [WIP] Use safer default values Use safer default values Jan 9, 2017
@Kami
Copy link
Member Author

Kami commented Jan 9, 2017

Confirmed that the changes are working and ran basic sanity tests on:

  • Ubuntu 14.04, Ubuntu 16.04
  • Rhel 6
  • Rhel 7

@Kami
Copy link
Member Author

Kami commented Jan 9, 2017

As an alternative, @enykeev suggested to to only configure services to listen / bind to localhost (without setting passwords).

I personally think doing both of them is better and setting a password for dependent services such as MongoDB, RabbitMQ and PostgreSQL is not problematic from the UX perspective, because unlike accessing StackStorm API, user shouldn't access those services directly and they are really just an "implementation detail".

If for some reason the user does need to access those services directly to debug things or similar, they can find passwords in the service config files (st2.conf, mistral.conf).

And having said that, we have already set a password for PostgreSQL database before that change, but it was a static and unsafe password.

@LindsayHill
Copy link
Contributor

LindsayHill commented Jan 9, 2017

I'm totally in favour of switching to "only listen on localhost". Only thing we should maybe do is have a KB article or reference or something about it, saying "this is all you need for single-system install. You can change it if you need to, ST2 won't care. But if you do change it, follow these security precautions..."

For passwords on single-server systems, it's slightly different. I believe that we should encourage/enforce passwords, and I believe in using randomised passwords, rather than defaults. Users don't normally need to access databases, so it should be transparent. But we have to make sure that our docs include notes on how to find your password, and links on how to change it. Because inevitably people will sometimes need to access the DBs directly.

@Kami
Copy link
Member Author

Kami commented Jan 9, 2017

Yeah, I also need to point out and make it explicit that those changes (and installer script itself) is only meant for simple single-server "evaluation" / test deployments.

For advanced and production deployments it's up to the user to configure services, manage passwords, certificates, etc. We should of course document those best practices (see corresponding docs PR), but anything outside that is not really (nor should be) our responsibility.

@@ -442,8 +504,12 @@ install_st2mistral() {
sudo yum -y install ${PACKAGE_URL}
fi

# Configure database settings
sudo crudini --set /etc/mistral/mistral.conf database connection "postgresql://mistral:${ST2_POSTGRESQL_PASSWORD}@localhost/mistral"
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Let's use 127.0.0.1 where possible instead of localhost as we agreed before.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Agreed, I made that change in MongoDB and RabbitMQ, but I just followed what was already there for Mistral.

But yeah, I agree 127.0.0.1 is safer because localhost could cause issues with IPv6, etc.

@@ -391,8 +469,12 @@ install_st2mistral() {
rm ${PACKAGE_FILENAME}
fi

# Configure database settings
sudo crudini --set /etc/mistral/mistral.conf database connection "postgresql://mistral:${ST2_POSTGRESQL_PASSWORD}@localhost/mistral"
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Same as in another comment:

Let's use 127.0.0.1 where possible instead of localhost as we agreed before.

This way we can avoid potential IPv6 issues and similar.
@dzimine
Copy link

dzimine commented Jan 11, 2017

+1 on @LindsayHill
limiting to localhost is no-brainer,

for random password, I want to see the recovery procedure as people will need to access it (one idea is add them to script parameters and randomize only if not set by user),

for docs, let's do "Security hardening" section where we describe what needs to be done and
refer to the script (that's what our isntallation script is doing).

👍

@Kami Kami merged commit a46cc22 into master Jan 12, 2017
@arm4b arm4b deleted the generate_random_passwords branch January 25, 2017 16:12
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

None yet

4 participants