-
Notifications
You must be signed in to change notification settings - Fork 342
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Traffic Ops db/admin
tool depends on passwordless DB connection as root
user
#7202
Comments
Is
strictly true, or is it the case that |
Not sure what the difference between strictly true and Notice how no password is set for the trafficcontrol/traffic_ops/app/db/admin.go Line 307 in 02b9f04
|
If the title is strictly true, then the tool doesn't depend on passwordless DB connections when not run as the root user |
It sounds like you know what I mean, feel free to change the title to whatever you feel is accurate |
I do not. If it's true that db/admin requires you to run it as the root user, that's also an issue IMO. |
The tool didn't depend on passwordless DB connections before the revert in #7198 was merged.
That's not also an issue, it's the issue |
idk the way I see it there are two issues
|
Got it. I'm not sure how to describe one of those 2 points without describing the other, since both cases are related to Postgres default installations, but if you think they should be separated into 2 2 issues, I'll create another one. |
The number of issues isn't important to me, just want to be sure both are fixed. |
This Improvement request (usability, performance, tech debt, etc.) affects these Traffic Control components:
Current behavior:
The Traffic Ops
db/admin
tool relies on thepostgres
user requiring no password when connecting as root.trafficcontrol/traffic_ops/app/db/admin.go
Line 307 in 02b9f04
#7142, which made Traffic Ops run as a non-root user, set
PGPASSWORD
for the entire binary, which worked for Dev CDN in a Box because the password indbconf.yml
, which this strategy setPGPASSWORD
to,trafficcontrol/dev/traffic_ops/dbconf.yml
Line 21 in 02b9f04
happened to be
"twelve12"
, the same password set for thepostgres
user of the Postgres server.trafficcontrol/docker-compose.yml
Line 46 in 02b9f04
However, once #7142 was merged, the Cache Config integration tests started failing, because its
postgres
user passwordtrafficcontrol/cache-config/testing/docker/variables.env
Line 31 in 02b9f04
is different than its
traffic_ops
password (which ends up indbconf.yml
).trafficcontrol/cache-config/testing/docker/variables.env
Lines 35 to 36 in 02b9f04
trafficcontrol/cache-config/testing/docker/traffic_ops/run.sh
Line 98 in 02b9f04
We reverted the change to
db/admin
from #7142 in #7198 to make the Cache Config integration tests pass again without knowing, at the time, why that change made them fail.As a side note, finding the reason the Cache Config integration tests were failing was not straightforward because the errors go only to a file that is not printed to the
to_server
container's output anywhere.trafficcontrol/cache-config/testing/docker/traffic_ops/run.sh
Lines 144 to 145 in 02b9f04
New behavior:
db/admin
should not depend on thepostgres
user requiring no password when the connecting client is theroot
user locally.postgres
password should not be the same as thetraffic_ops
password, because that potentially hides issues like this one.The text was updated successfully, but these errors were encountered: