From eb757d18a825a27117528d67ce9d0cbbf30df3bf Mon Sep 17 00:00:00 2001
From: Vladislav Nikolov
Date: Mon, 9 Sep 2024 23:21:42 +0300
Subject: [PATCH] GDB-10752 Add password hash for the security provisioner
---
 CHANGELOG.md | 3 ++-
 files/config/users.js | 2 +-
 templates/_helpers.tpl | 7 +++++++
 values.yaml | 4 ++++
 4 files changed, 14 insertions(+), 2 deletions(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index e6aa4560..33d9c5b3 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -10,8 +10,9 @@
 - Local backups support saving the GraphDB backup archives in volume from an existing persistent volume claim, configured with `backup.local`
 - Cloud backups support uploading the GraphDB backup archives in one of the supported cloud object storage services, configured
- with `backup.cloud` - Added a new example under [examples/backup-local](examples/backup-local) showing how to use the local backup feature
+ with `backup.cloud`
+- Added a new property - `security.provisioner.passwordHash`
 ### Fixed
diff --git a/files/config/users.js b/files/config/users.js
index d9e30566..65200050 100644
--- a/files/config/users.js
+++ b/files/config/users.js
@@ -16,7 +16,7 @@
 {{- include "grahdb.security.extra-users.json" . | nindent 4 }}
 "{{ .Values.security.provisioner.username }}" : {
 "username" : "{{ .Values.security.provisioner.username }}",
- "password" : "{bcrypt}{{ htpasswd .Values.security.provisioner.username .Values.security.provisioner.password | trimPrefix (printf "%s:" .Values.security.provisioner.username) }}",
+ "password" : {{ .Values.security.provisioner.passwordHash | default ( include "graphdb.security.provisioner.passwordHash" . ) | quote }},
 "grantedAuthorities" : [ "ROLE_ADMIN" ],
 "appSettings" : {
 "DEFAULT_INFERENCE" : true,
diff --git a/templates/_helpers.tpl b/templates/_helpers.tpl
index f856502a..1f69472c 100644
--- a/templates/_helpers.tpl
+++ b/templates/_helpers.tpl
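Review bot: The new `"password"` line inserts `security.provisioner.passwordHash` verbatim, so the `{bcrypt}` prefix that the removed line always emitted is now only guaranteed on the helper-generated path; a user-supplied hash without the prefix (the values.yaml comment only asks for it, nothing enforces it) renders silently and, as far as I can tell from the old line, would not be treated as bcrypt by GraphDB. A render-time guard just above the provisioner entry would make the contract explicit: `{{- if and .Values.security.provisioner.passwordHash (not (hasPrefix "{bcrypt}" .Values.security.provisioner.passwordHash)) }}{{ fail "security.provisioner.passwordHash must start with {bcrypt}" }}{{- end }}`. Note also that `quote` applies Go `%q` escaping rather than JSON escaping; that is harmless for a bcrypt hash, but `toJson` is the strict choice now that the value is user-controlled. The provisioner user object opened in this hunk closes outside it.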
@@ -97,3 +97,10 @@ Converts custom users YAML to a pretty JSON for insertion in users.js
 {{- end -}}
 {{- end -}}
 {{- end -}}
+
+{{/*
+Calculate provisoner's bcrypt-hashed password
+*/}}
+{{- define "graphdb.security.provisioner.passwordHash" -}}
+ {{- printf "{bcrypt}%s" ( htpasswd .Values.security.provisioner.username .Values.security.provisioner.password | trimPrefix (printf "%s:" .Values.security.provisioner.username)) -}}
+{{- end -}}
\ No newline at end of file
diff --git a/values.yaml b/values.yaml
index 5cd01243..5ae6e5f4 100644
--- a/values.yaml
+++ b/values.yaml
@@ -258,6 +258,10 @@ security:
 # Note: The user is created regardless of if the existingSecret is provided or not.
 username: provisioner
 password: iHaveSuperpowers
+ # Define an initial password for the provisioner user as a bcrypt hash.
+ # If the password is not specified, it will use the default one specified in the provisioner.password.
+ # Important: This value must be a bcrypt encrypted hash, not a plaintext string. The format is "{bcrypt}"
+ passwordHash: ""
 # Reference to Secret with a basic authentication token of an existing user to use for provisioning tasks instead of the default user in the initial
 # user.js that is created using the plaintext username and password configurations from above.
 # Note that the user must already exist in GraphDB for this to work properly.
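Review bot: The comment on the new helper misspells the user it describes (`Calculate provisoner's bcrypt-hashed password`) and the file now ends without a trailing newline (`\ No newline at end of file`); suggest `Calculate the provisioner's bcrypt-hashed password from .Values.security.provisioner.password` and a final newline after the closing `{{- end -}}`. The helper hashes whatever `.Values.security.provisioner.password` holds, including an empty string, so a chart user who blanks the plaintext password without setting `passwordHash` still gets a provisioner account whose hash matches the empty password. Because Go template arguments are evaluated eagerly, this helper also runs (and hashes `password`) even when `passwordHash` is supplied, so a `required` guard cannot live inside it; an explicit `{{ if }}`/`{{ else }}` on `passwordHash` in users.js, with `required` on `password` only in the else branch, would catch the empty case at render time.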
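Review bot: The second comment line on the new side, `If the password is not specified, it will use the default one specified in the provisioner.password.`, reads as if it documents `password` rather than `passwordHash`; suggest `If passwordHash is empty, the hash is derived from provisioner.password at render time.` and, on the following line, `bcrypt hash` instead of `bcrypt encrypted hash` (bcrypt is a one-way hash, not encryption). The context lines below state that provisioning tasks authenticate with the plaintext `username`/`password` from this block, so if that still holds, a `passwordHash` that does not correspond to `password` leaves the provisioner unable to log in; the comment should say that `password` must match the supplied hash or that `existingSecret` must be used instead. With the default `password: iHaveSuperpowers` left in place next to a non-empty `passwordHash`, that mismatch looks like the likely outcome rather than an edge case.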