
Docker Compose option to generate random passwords

Open kowh-ai opened this issue 2 years ago • 5 comments

Fixes: https://github.com/ckan/ckan-docker/issues/65

In the past, passwords have been included in the .env file and therefore included as Docker Compose variables when building and running Docker images and containers.

This PR includes a new option to generate randomised, secure passwords for the following users:

  • The Postgres system superuser POSTGRES_USER
  • The database user that owns the CKAN database CKAN_DB_USER
  • The database user that has read-access to the Datastore database DATASTORE_READONLY_USER
  • The CKAN application System Administrator user CKAN_SYSADMIN_NAME

These passwords are kept in a new file, .pw, which is added under env_file: in the Docker Compose yml file.

The README has been updated with a new section on the steps involved in using this new option.

I could include all the steps in the generate_passwords.sh script rather than have people explicitly overriding and saving files.

Update: The random password generator will now be the default option. There will also be an option to opt out so that passwords are referenced from the .env file; this option is how passwords were implemented previously.

Other variables (secrets) will also be included. These are as follows:

  • The beaker session secret CKAN___BEAKER__SESSION__SECRET
  • The api token encode secret CKAN___API_TOKEN__JWT__ENCODE__SECRET
  • The api token decode secret CKAN___API_TOKEN__JWT__DECODE__SECRET

kowh-ai, Aug 16 '23 09:08
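As an added example (not the project's generate_passwords.sh, whose contents this thread does not show), the script below generates the secrets the description lists and writes them to a .pw file that only its owner can read, which is what `env_file:` then loads. The password variable names (POSTGRES_PASSWORD, CKAN_DB_PASSWORD, DATASTORE_READONLY_PASSWORD, CKAN_SYSADMIN_PASSWORD) are assumed to be the password counterparts of the user variables named above. Two details come from the CKAN api_token configuration docs as I read them rather than from this thread, and should be checked against the CKAN version in use: the default JWT algorithm is symmetric, so the encode and decode secrets must be the same value, and an inline value carries a `string:` prefix.

```bash
#!/usr/bin/env bash
# Added example, not ckan-docker's generate_passwords.sh. Generates random
# secrets for a .pw file that `env_file:` in docker-compose.yml can load.
# Assumed variable names: the *_PASSWORD names are the password counterparts
# of POSTGRES_USER, CKAN_DB_USER, DATASTORE_READONLY_USER, CKAN_SYSADMIN_NAME.
set -euo pipefail

PW_KEYS="POSTGRES_PASSWORD CKAN_DB_PASSWORD DATASTORE_READONLY_PASSWORD \
CKAN_SYSADMIN_PASSWORD CKAN___BEAKER__SESSION__SECRET"
JWT_KEYS="CKAN___API_TOKEN__JWT__ENCODE__SECRET CKAN___API_TOKEN__JWT__DECODE__SECRET"

# 32 bytes from the kernel CSPRNG, base64url-encoded without padding (43 chars),
# so the value contains nothing that needs quoting in an env file or a DB URL.
gen_secret() {
  head -c 32 /dev/urandom | base64 | tr -d '\n=' | tr '+/' '-_'
}

# Write KEY=value lines to $1. Refuses to overwrite: regenerating the DB
# passwords of an already-initialised Postgres volume locks every service out.
write_pw_file() {
  local out="$1" key jwt
  if [ -e "$out" ]; then
    echo "refusing to overwrite existing $out" >&2
    return 1
  fi
  jwt="$(gen_secret)"
  # umask 077 makes the redirect create the file 0600 before any secret lands in it
  ( umask 077
    {
      for key in $PW_KEYS; do
        printf '%s=%s\n' "$key" "$(gen_secret)"
      done
      # CKAN's default JWT algorithm is symmetric (HS256), so encode and decode
      # share one secret; "string:" marks an inline value. Both details are
      # taken from the CKAN api_token docs as I read them, not from this thread.
      printf '%s=string:%s\n' "CKAN___API_TOKEN__JWT__ENCODE__SECRET" "$jwt"
      printf '%s=string:%s\n' "CKAN___API_TOKEN__JWT__DECODE__SECRET" "$jwt"
    } > "$out" )
}

# Pre-flight check before `docker compose up`: owner-only mode, every key
# present exactly once with a non-empty value, and both JWT secrets identical.
check_pw_file() {
  local f="$1" key
  [ "$(ls -ld "$f" | cut -c1-10)" = "-rw-------" ] || return 1
  for key in $PW_KEYS $JWT_KEYS; do
    [ "$(grep -c "^${key}=" "$f")" -eq 1 ] || return 1
    [ -n "$(sed -n "s/^${key}=//p" "$f")" ] || return 1
  done
  [ "$(sed -n 's/^CKAN___API_TOKEN__JWT__ENCODE__SECRET=//p' "$f")" = \
    "$(sed -n 's/^CKAN___API_TOKEN__JWT__DECODE__SECRET=//p' "$f")" ] || return 1
}

# Usage: bash generate_pw_example.sh .pw
if [ "$#" -gt 0 ]; then
  write_pw_file "$1" && check_pw_file "$1"
fi
```

The file should be listed in .gitignore next to .env, and the refusal to overwrite matters more than it looks: once the db container has initialised its volume with POSTGRES_PASSWORD, a regenerated .pw silently breaks every connection string on the next `docker compose up`.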

Also mentioned in the call -- Out of the box, this should use the random PWs. If someone wants to use old static passwords on new installs, they need to work at it.

EricSoroos, Aug 29 '23 13:08

Thanks @EricSoroos for helping me here. I've pretty much got it all working with the new changes however I'm thinking it might be best to have one generated password file (locked down) to pass through to the ckan container and one to pass through to the db container...

kowh-ai, Sep 13 '23 08:09

@kowh-ai I'm not sure if this is the best place to note this, so do tell me if there is another, better location:

If we are doing this work on random passwords, to bypass having passwords in .env files, perhaps it is worth exploring the docker solution for secrets, which works with docker compose:

https://docs.docker.com/compose/use-secrets/

pwalsh, Jan 30 '24 10:01

@pwalsh - I had gone through secrets in the Docker documentation plus examples people had written about and thought you could only use secrets when you had set up Docker to run in swarm mode. I'm very interested in pursuing this.

kowh-ai, Jan 31 '24 10:01

@kowh-ai ok. I was sure it worked with compose, but must be my misreading. I was researching this for some of my own projects but have not implemented it yet.

pwalsh, Jan 31 '24 11:01
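For the Compose secrets pwalsh links to, an added example that is not code from ckan-docker or from either commenter: a top-level `secrets:` entry with a `file:` source works with plain `docker compose` and does not need swarm mode. Each secret lives in its own owner-only file on the host and is mounted into the container at /run/secrets/<name>, so it never becomes part of the container environment that `docker inspect` prints. The db wiring relies on the official postgres image honouring POSTGRES_PASSWORD_FILE; how the CKAN image would read a secret file is not covered by the thread, so the override only mounts the file for the ckan service. The service names db and ckan are assumptions.

```bash
#!/usr/bin/env bash
# Added example, not ckan-docker's compose file or anyone's code from the thread.
# Compose file-based secrets: one 0600 file per secret, mounted at
# /run/secrets/<name> inside the container. Works with plain `docker compose`,
# no swarm required. Service names (db, ckan) are assumed.
set -euo pipefail

SECRET_NAMES="postgres_password ckan_db_password"

# Create each secret file under $1/secrets if it does not exist yet; existing
# files are left alone so a second run never rotates a live password.
make_secret_files() {
  local dir="$1/secrets" name
  mkdir -p "$dir"
  chmod 700 "$dir"
  for name in $SECRET_NAMES; do
    if [ ! -e "$dir/$name" ]; then
      # umask 077 in a subshell: the redirect creates the file 0600 from the start
      ( umask 077
        head -c 32 /dev/urandom | base64 | tr -d '\n=' | tr '+/' '-_' > "$dir/$name" )
    fi
  done
}

# Write a compose override that replaces the env_file:/.env password wiring.
# The official postgres image reads POSTGRES_PASSWORD_FILE natively; the ckan
# service only gets the file mounted, since how CKAN would consume it is not
# something this example assumes.
write_compose_override() {
  cat > "$1/docker-compose.secrets.yml" <<'EOF'
services:
  db:
    environment:
      POSTGRES_PASSWORD_FILE: /run/secrets/postgres_password
    secrets:
      - postgres_password
  ckan:
    secrets:
      - ckan_db_password
secrets:
  postgres_password:
    file: ./secrets/postgres_password
  ckan_db_password:
    file: ./secrets/ckan_db_password
EOF
}

# Pre-flight: every `file:` the override declares must exist, be non-empty and
# be readable by its owner only. Run this before `docker compose up`.
check_secret_files() {
  local dir="$1" f
  for f in $(sed -n 's/^ *file: *//p' "$dir/docker-compose.secrets.yml"); do
    [ -s "$dir/$f" ] || return 1
    [ "$(ls -ld "$dir/$f" | cut -c1-10)" = "-rw-------" ] || return 1
  done
}

# Usage: bash compose_secrets_example.sh /path/to/ckan-docker
#   then: docker compose -f docker-compose.yml -f docker-compose.secrets.yml up
if [ "$#" -gt 0 ]; then
  make_secret_files "$1" && write_compose_override "$1" && check_secret_files "$1"
fi
```

When switching the db service over, drop POSTGRES_PASSWORD from the .env or .pw file the base compose file loads: the official postgres entrypoint refuses to start when both POSTGRES_PASSWORD and POSTGRES_PASSWORD_FILE are set. The secrets/ directory belongs in .gitignore alongside .env.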