Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Pass omero.db.pass via envvar to bin/omero admin reindex #3161

Merged
merged 1 commit into from Nov 5, 2014
Merged

Pass omero.db.pass via envvar to bin/omero admin reindex #3161

merged 1 commit into from Nov 5, 2014

Conversation

sbesson
Copy link
Member

@sbesson sbesson commented Oct 31, 2014

For security reasons, the DB password is not passed as an xargs to the reindex
command. This commit fixes this issue by internally setting the JAVA_OPTS
environment variable which should only be visible to the process owner (and
root).

See https://www.openmicroscopy.org/community/viewtopic.php?f=5&t=7673&p=14962#p14952

To test this PR:

  • set up a server with a user/password
  • check bin/omero admin reindex --reset 0 fails without this PR
  • check bin/omero admin reindex --reset 0 passes with this PR
  • check JAVA_OPTS="-Dlogback.configurationFile=stderr.xml" bin/omero admin reindex --reset 0 passes with this PR
  • in both cases above, check the environment variable does not leak for another user than the one doing the reindex (e.g. via ps auxe)

@sbesson
Pass omero.db.pass via envvar to bin/omero admin reindex
787a5ee 
For security reasons, the DB password is not passed as an xargs to the reindex
command. This commit fixes this issue by internally setting the JAVA_OPTS
environment variable which should only be visible to the process owner (and
root).
@jburel jburel added the develop label Oct 31, 2014
@ximenesuk
Copy link
Contributor

This works okay, the problem I have is that it works without this PR too. Maybe that's some local problem.

@sbesson
Copy link
Member Author

sbesson commented Nov 3, 2014

@ximenesuk: most likely, I had to modify my pg_hba.conf to force password checks as follows since default Homebrew installation will come with trust across the board.

# TYPE  DATABASE        USER            ADDRESS                 METHOD

# "local" is for Unix domain socket connections only
local   all             sebastien                                     trust
local   db_omero             db_user                                     md5
# IPv4 local connections:
host    all             sebastien             127.0.0.1/32            trust
host    all             db_user             127.0.0.1/32            md5
# IPv6 local connections:
host    all             sebastien             ::1/128                 trust
host    all             db_user             ::1/128                 md5

@manics
Copy link
Member

manics commented Nov 5, 2014

bin/omero admin reindex --reset 0 fails on OMERO.server-5.0.5-ice35-b47, works on OMERO.server-5.1.0-m1-530-2e609f5-ice35-b321

@joshmoore
Copy link
Member

Thank. Merging.

joshmoore added a commit that referenced this pull request Nov 5, 2014
@joshmoore
Merge pull request #3161 from sbesson/cli_reindex_dbpass
4855c44 
Pass omero.db.pass via envvar to bin/omero admin reindex
@joshmoore joshmoore merged commit 4855c44 into ome:develop Nov 5, 2014
@sbesson sbesson deleted the cli_reindex_dbpass branch November 5, 2014 13:32
@sbesson sbesson mentioned this pull request Nov 5, 2014
Merged
@sbesson
Copy link
Member Author

sbesson commented Nov 5, 2014

--rebased-to #3171

@sbesson sbesson added this to the 5.1.0-m2 milestone Nov 26, 2014
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
develop
Projects
None yet
Milestone
5.1.0-m2
Development

Successfully merging this pull request may close these issues.

None yet
5 participants
@sbesson @ximenesuk @manics @joshmoore @jburel