
Issues with .env GEOSERVER_ADMIN_PASSWORD

Open khalifeserge opened this issue 3 years ago • 5 comments

Expected Behavior

Geoserver password should be updated to the value in GEOSERVER_ADMIN_PASSWORD

Actual Behavior

Geoserver password is not updated

Steps to Reproduce the Problem

  1. In the .env file set:
     GEOSERVER_ADMIN_USER=administrator
     GEOSERVER_ADMIN_PASSWORD=newpassword
  2. Start the stack with docker-build.sh; the geoserver password is not updated.

Specifications

  • GeoNode version: 3.2
  • Installation method (manual, GeoNode Docker, SPCGeoNode Docker): docker-build.sh
  • Platform: docker on ubuntu
  • Additional details:

I figured out the reason this is happening and would like to fix it if you agree.

In settings.py, around line 978, the Python variable OGC_SERVER_DEFAULT_USER is set to the env variable GEOSERVER_ADMIN_USER.

Then in tasks.py, under the task "_geoserver_info_provision", OGC_SERVER_DEFAULT_USER is used to log in to geoserver.

The code needs to be updated to differentiate between the current user and password and the new user and password.

The SPC version has code in initialize.py that gets the old password, but I think it might suffer from the same issue (I have not investigated enough to be certain).

khalifeserge avatar May 14 '21 06:05 khalifeserge

yes please a PR is very welcome. By the way SPC is discontinued, so I would not put effort in it to fix it...

t-book avatar May 15 '21 10:05 t-book

I am getting ready to do a pull request to fix this issue and a few others, all related to geoserver xml documents, and I have a few questions / clarifications to ask from the devs:

  1. Is pavement.py only used for testing? Some of the setup in this file is not mirrored in tasks.py.
  2. For editing the xml files, is the preference still to use the cli sed method or to use the geoserver rest api?
  3. Are OGC_SERVER_DEFAULT_PASSWORD and GEOSERVER_ADMIN_PASSWORD used by any of the shared libraries directly? If I try to use OGC_SERVER_DEFAULT_PASSWORD as the initial default password, assigning it always 'geoserver', and 'GEOSERVER_ADMIN_PASSWORD' as the new password, then things work and the password is changed, but at some point during my testing and trying to understand the geonode code I started getting authentication errors and I was not sure how they got introduced.

thanks

khalifeserge avatar Jun 21 '21 19:06 khalifeserge

As @giohappy has summarized here: The geoserverfixture task is conceptually broken and there is no real path to fixing it - without knowing the current geoserver password, you can not update it. The only situation where this task runs without error is when GEOSERVER_ADMIN_PASSWORD equals the currently set geoserver password, in which case updating it has no effect.

This approach would work changing the password from the default but will then fail on consecutive runs (without effect if the password hasn't changed in the meantime). Equivalent to hardcoding geoserver here (because OGC_SERVER_DEFAULT_PASSWORD is replaced with GEOSERVER_ADMIN_PASSWORD when set).

IMHO it would be better to yank out the fixture in geonode and add the password update into the geoserver image, which already includes logic to set up oauth2 between geonode and geoserver. Setting the password from env directly in the geoserver config file would work regardless of previously set passwords.

As an aside, it is not immediately clear to me where geonode/geoserver actually comes from - geonode/project has its own Dockerfile which pulls a lot of project .env vars during build, and geonode/geoserver on dockerhub has no link to the source code (might be GeoNode/geoserver-docker but that has only 2.20.4 whereas dockerhub is on 2.20.5).

Duplicates:

  • GeoNode/geonode-project#332
  • GeoNode/geonode-project#172
  • GeoNode/geonode-project#209

jthurner avatar Aug 25 '22 09:08 jthurner

Looking at this again, maybe just fixing the current implementation to work once on init is better, and having to manually update geoserver on later password changes is fine (same as for databases).

I was also wrong thinking the oauth2 setup happens in the geoserver image - tasks.prepare() already meddles with the geoserver data dir, so it would also be possible to overwrite the default user from there. I think the following should get the digest1 hash, but have not tried it:

import hashlib, os
hashlib.pbkdf2_hmac('sha256', b'GEOSERVER_ADMIN_PASSWORD', os.urandom(16), 100000)

jthurner avatar Aug 26 '22 08:08 jthurner

I also think it is better for it to work once than not work at all. For a deployment of mine I set these two new variables:

GEOSERVER_DEFAULT_ADMIN_USER=admin
GEOSERVER_DEFAULT_ADMIN_PASSWORD=geoserver

and then used the other two to set the password. Of course I had to modify the source a little bit, but the change is minor and it worked. #9911 would fix it.

As a side note, I'm having a really hard time trying to make a "simple" installation of geonode with containers work.

categulario avatar Sep 06 '22 12:09 categulario
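The provisioning logic this thread converges on, as an added example that is not GeoNode's code or the change in #9911: keep the current (default) credentials separate from the desired ones, so the update works on first start, is a no-op on later starts, and fails loudly if the password was changed out of band. `FakeGeoServer` and `provision_admin_password` are hypothetical names, the server is an in-memory stand-in, and only the password (not the username) is handled.

```python
import hmac


class FakeGeoServer:
    """In-memory stand-in for GeoServer's admin account (constructed for this example)."""

    def __init__(self, user="admin", password="geoserver"):
        self._user, self._password = user, password

    def check_login(self, user, password):
        # Constant-time comparison, as a real credential check should use.
        same_pw = hmac.compare_digest(password.encode(), self._password.encode())
        return user == self._user and same_pw

    def change_password(self, user, current, new):
        if not self.check_login(user, current):
            raise PermissionError("401: current credentials rejected")
        self._password = new


def provision_admin_password(server, env):
    """Set the admin password to GEOSERVER_ADMIN_PASSWORD; safe to run on every start."""
    user = env.get("GEOSERVER_DEFAULT_ADMIN_USER", "admin")
    default_pw = env.get("GEOSERVER_DEFAULT_ADMIN_PASSWORD", "geoserver")
    desired_pw = env["GEOSERVER_ADMIN_PASSWORD"]

    # Later runs: the desired password is already in place, nothing to do.
    if server.check_login(user, desired_pw):
        return "unchanged"
    # First run: authenticate with the *current* password, then rotate it.
    if server.check_login(user, default_pw):
        server.change_password(user, default_pw, desired_pw)
        return "changed"
    # Changed out of band: stop instead of retrying logins that cannot succeed.
    raise RuntimeError(
        "admin password matches neither the default nor the desired value"
    )


def demo():
    env = {"GEOSERVER_ADMIN_PASSWORD": "newpassword"}  # constructed sample value
    gs = FakeGeoServer()
    first = provision_admin_password(gs, env)
    second = provision_admin_password(gs, env)
    return first, second, gs.check_login("admin", "geoserver")
```

After the first run the default `admin`/`geoserver` login no longer works, which is the state the original report expected and did not get.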