-
-
Notifications
You must be signed in to change notification settings - Fork 59
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Use safer default values #405
Conversation
by default. That's already a default in some versions, but we still should do it bo be on the safe side.
admin and stackstorm user which is used for database access.
Confirmed that the changes are working and ran basic sanity tests on:
|
As an alternative, @enykeev suggested to to only configure services to listen / bind to localhost (without setting passwords). I personally think doing both of them is better and setting a password for dependent services such as MongoDB, RabbitMQ and PostgreSQL is not problematic from the UX perspective, because unlike accessing StackStorm API, user shouldn't access those services directly and they are really just an "implementation detail". If for some reason the user does need to access those services directly to debug things or similar, they can find passwords in the service config files (st2.conf, mistral.conf). And having said that, we have already set a password for PostgreSQL database before that change, but it was a static and unsafe password. |
I'm totally in favour of switching to "only listen on localhost". Only thing we should maybe do is have a KB article or reference or something about it, saying "this is all you need for single-system install. You can change it if you need to, ST2 won't care. But if you do change it, follow these security precautions..." For passwords on single-server systems, it's slightly different. I believe that we should encourage/enforce passwords, and I believe in using randomised passwords, rather than defaults. Users don't normally need to access databases, so it should be transparent. But we have to make sure that our docs include notes on how to find your password, and links on how to change it. Because inevitably people will sometimes need to access the DBs directly. |
Yeah, I also need to point out and make it explicit that those changes (and installer script itself) is only meant for simple single-server "evaluation" / test deployments. For advanced and production deployments it's up to the user to configure services, manage passwords, certificates, etc. We should of course document those best practices (see corresponding docs PR), but anything outside that is not really (nor should be) our responsibility. |
@@ -442,8 +504,12 @@ install_st2mistral() { | |||
sudo yum -y install ${PACKAGE_URL} | |||
fi | |||
|
|||
# Configure database settings | |||
sudo crudini --set /etc/mistral/mistral.conf database connection "postgresql://mistral:${ST2_POSTGRESQL_PASSWORD}@localhost/mistral" |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Let's use 127.0.0.1
where possible instead of localhost
as we agreed before.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Agreed, I made that change in MongoDB and RabbitMQ, but I just followed what was already there for Mistral.
But yeah, I agree 127.0.0.1 is safer because localhost could cause issues with IPv6, etc.
@@ -391,8 +469,12 @@ install_st2mistral() { | |||
rm ${PACKAGE_FILENAME} | |||
fi | |||
|
|||
# Configure database settings | |||
sudo crudini --set /etc/mistral/mistral.conf database connection "postgresql://mistral:${ST2_POSTGRESQL_PASSWORD}@localhost/mistral" |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Same as in another comment:
Let's use
127.0.0.1
where possible instead oflocalhost
as we agreed before.
This way we can avoid potential IPv6 issues and similar.
+1 on @LindsayHill for random password, I want to see the recovery procedure as people will need to access it (one idea is add them to script parameters and randomize only if not set by user), for docs, let's do "Security hardening" section where we describe what needs to be done and 👍 |
This pull request updates the installer script to use more sane and safer default values.
It includes the following changes:
Keep in mind that since those changes are done in the installer script, the only apply to single box installer only installation (doh). When users performs advanced / custom installation, package responsibility is only to get StackStorm components installed on the system - it's up to the user to handle authentication, configuration, etc.
TODO