Security of the app

[ghnp5]

Hello,

1. This app requires that both CASSANDRA_USERNAME and CASSANDRA_PASSWORD are defined.
   This means that anyone accessing the URL of the webapp automatically has full access to the database.
   Not only that, it also means that the superuser's password is hardcoded in a file.

Would it be possible to not have to provide these environment variables, and instead have a Log In front page, where we can just enter the username and password?

2. The HTML assets are using absolute paths:

        <link href=/static/css/chunk-vendors.62e245e7.css rel=preload as=style>
        <link href=/static/css/index.9c79d7e1.css rel=preload as=style>
        <link href=/static/js/chunk-vendors.f1428dfc.js rel=preload as=script>
        <link href=/static/js/index.ab7d7262.js rel=preload as=script>
        <link href=/static/css/chunk-vendors.62e245e7.css rel=stylesheet>
        <link href=/static/css/index.9c79d7e1.css rel=stylesheet>

        <script src=/static/js/chunk-vendors.f1428dfc.js></script>
        <script src=/static/js/index.ab7d7262.js></script>

Is it possible to either make these "relative" paths (instead of absolute), or allow us to provide an environment variable that says what the "prefix" should be?

That way, we'd be able to set this webapp inside a subpath, e.g. admin.mydomain.com/cassandra-web/

Thank you very much

[kfrico]

Hello,

1. This app requires that both CASSANDRA_USERNAME and CASSANDRA_PASSWORD are defined.
   This means that anyone accessing the URL of the webapp automatically has full access to the database.
   Not only that, it also means that the superuser's password is hardcoded in a file.

Would it be possible to not have to provide these environment variables, and instead have a Log In front page, where we can just enter the username and password?

2. The HTML assets are using absolute paths:

        <link href=/static/css/chunk-vendors.62e245e7.css rel=preload as=style>
        <link href=/static/css/index.9c79d7e1.css rel=preload as=style>
        <link href=/static/js/chunk-vendors.f1428dfc.js rel=preload as=script>
        <link href=/static/js/index.ab7d7262.js rel=preload as=script>
        <link href=/static/css/chunk-vendors.62e245e7.css rel=stylesheet>
        <link href=/static/css/index.9c79d7e1.css rel=stylesheet>

        <script src=/static/js/chunk-vendors.f1428dfc.js></script>
        <script src=/static/js/index.ab7d7262.js></script>

Is it possible to either make these "relative" paths (instead of absolute), or allow us to provide an environment variable that says what the "prefix" should be?

That way, we'd be able to set this webapp inside a subpath, e.g. admin.mydomain.com/cassandra-web/

Thank you very much

Environment variables are not stored in files. If you need a login page, it is recommended to place a proxy in front of it. For example, you can use NGINX with basic authentication for a simple login mechanism.

[ghnp5]

Thank you for your response. I appreciate.

I do have Nginx with authentication, actually.

However,

1. I wanted to test logging in as a different Scylla user/role I created, to ensure the permissions are correct (in that it can only read the tables it was granted to), and the only way to do this was to change the env vars and restart the container.

2. Environment variables in Docker are stored either in the "docker-compose.yml" itself, or in a separate "db.env" file, which was the case.

3. Even if I stored them in a more secure way, I noticed that when I run ps aux, the username and password were there, because of the command this program runs.

There would be a lot more flexibility, and would be a lot more secure, if we could have a login page where we can login as the user/role we want.

That's how phpMyAdmin, adminer, and pretty much every other web UI for databases I know of, are.

Thank you very much.

[kfrico]

2. The HTML assets are using absolute paths:

commit v1.1.2 fix relative path