[Bug]: Hardcoded DB credentials in settings.py ignore env vars and break Docker setup
Contact Details
This bug is related to UI or API?
API
What happened?
After changing the default database password from 123456 to something else, I started seeing errors in oneterm-acl-api and oneterm-api failed to start.
I spent a full day debugging why acl-api in Docker-Compose would always fail with:
OperationalError: (1045, "Access denied for user 'acl'@'172.30.0.5'")
— even after correctly setting DB_USER, DB_PASSWORD, etc. in environment: and/or env_file:.
Turns out settings.py has its SQLAlchemy URIs hardcoded as:
SQLALCHEMY_DATABASE_URI = 'mysql+pymysql://acl:123456@mysql:3306/acl?charset=utf8'
SQLALCHEMY_BINDS = {
    "user": 'mysql+pymysql://acl:123456@mysql:3306/acl?charset=utf8'
}
so all incoming DB_* or SQLALCHEMY_DATABASE_URI environment variables are simply ignored.
Environment-based configuration (DB_HOST, DB_PASSWORD, SQLALCHEMY_DATABASE_URI) should override any defaults in settings.py.
Following the “Docker one-click” guide and injecting credentials via env_file: or environment: should work out of the box.
Steps to reproduce
1. Clone the repo.
2. In docker-compose.yaml, config.yaml and create-users.sql, replace the default password 123456 with a new value.
3. Run docker-compose up -d following the documented flow.
4. Observe that oneterm-acl-api fails with an Access Denied (1045) error and oneterm-api never becomes healthy.
Version
newest
What browsers are you seeing the problem on?
No response
Relevant log output
oneterm-acl-api:
sqlalchemy.exc.OperationalError: (pymysql.err.OperationalError) (1045, "Access denied for user 'acl'@'172.30.0.5' (using password: YES)")
(Background on this error at: https://sqlalche.me/e/14/e3q8)
[2025-08-06 19:38:19,265] ERROR in click_common_setting: init 全公司 err:
2025-08-06 19:38:19,265 ERROR /data/apps/acl/api/commands/click_common_setting.py 122 - init 全公司 err:
[2025-08-06 19:38:19,266] ERROR in click_common_setting: (pymysql.err.OperationalError) (1045, "Access denied for user 'acl'@'172.30.0.5' (using password: YES)")
(Background on this error at: https://sqlalche.me/e/14/e3q8)
2025-08-06 19:38:19,266 ERROR /data/apps/acl/api/commands/click_common_setting.py 123 - (pymysql.err.OperationalError) (1045, "Access denied for user 'acl'@'172.30.0.5' (using password: YES)")
(Background on this error at: https://sqlalche.me/e/14/e3q8)
Traceback (most recent call last):
File "/usr/local/lib/python3.8/site-packages/sqlalchemy/engine/base.py", line 3371, in _wrap_pool_connect
return fn()
File "/usr/local/lib/python3.8/site-packages/sqlalchemy/pool/base.py", line 327, in connect
return _ConnectionFairy._checkout(self)
File "/usr/local/lib/python3.8/site-packages/sqlalchemy/pool/base.py", line 894, in _checkout
fairy = _ConnectionRecord.checkout(pool)
File "/usr/local/lib/python3.8/site-packages/sqlalchemy/pool/base.py", line 493, in checkout
rec = pool._do_get()
File "/usr/local/lib/python3.8/site-packages/sqlalchemy/pool/impl.py", line 146, in _do_get
self._dec_overflow()
File "/usr/local/lib/python3.8/site-packages/sqlalchemy/util/langhelpers.py", line 70, in __exit__
compat.raise_(
File "/usr/local/lib/python3.8/site-packages/sqlalchemy/util/compat.py", line 211, in raise_
raise exception
File "/usr/local/lib/python3.8/site-packages/sqlalchemy/pool/impl.py", line 143, in _do_get
return self._create_connection()
File "/usr/local/lib/python3.8/site-packages/sqlalchemy/pool/base.py", line 273, in _create_connection
return _ConnectionRecord(self)
File "/usr/local/lib/python3.8/site-packages/sqlalchemy/pool/base.py", line 388, in __init__
self.__connect()
File "/usr/local/lib/python3.8/site-packages/sqlalchemy/pool/base.py", line 691, in __connect
pool.logger.debug("Error on connect(): %s", e)
File "/usr/local/lib/python3.8/site-packages/sqlalchemy/util/langhelpers.py", line 70, in __exit__
compat.raise_(
File "/usr/local/lib/python3.8/site-packages/sqlalchemy/util/compat.py", line 211, in raise_
raise exception
File "/usr/local/lib/python3.8/site-packages/sqlalchemy/pool/base.py", line 686, in __connect
self.dbapi_connection = connection = pool._invoke_creator(self)
File "/usr/local/lib/python3.8/site-packages/sqlalchemy/engine/create.py", line 574, in connect
return dialect.connect(*cargs, **cparams)
File "/usr/local/lib/python3.8/site-packages/sqlalchemy/engine/default.py", line 598, in connect
return self.dbapi.connect(*cargs, **cparams)
File "/usr/local/lib/python3.8/site-packages/pymysql/connections.py", line 358, in __init__
self.connect()
File "/usr/local/lib/python3.8/site-packages/pymysql/connections.py", line 664, in connect
self._request_authentication()
File "/usr/local/lib/python3.8/site-packages/pymysql/connections.py", line 976, in _request_authentication
auth_packet = _auth.caching_sha2_password_auth(self, auth_packet)
File "/usr/local/lib/python3.8/site-packages/pymysql/_auth.py", line 267, in caching_sha2_password_auth
pkt = _roundtrip(conn, data)
File "/usr/local/lib/python3.8/site-packages/pymysql/_auth.py", line 120, in _roundtrip
pkt = conn._read_packet()
File "/usr/local/lib/python3.8/site-packages/pymysql/connections.py", line 772, in _read_packet
packet.raise_for_error()
File "/usr/local/lib/python3.8/site-packages/pymysql/protocol.py", line 221, in raise_for_error
err.raise_mysql_exception(self._data)
File "/usr/local/lib/python3.8/site-packages/pymysql/err.py", line 143, in raise_mysql_exception
raise errorclass(errno, errval)
pymysql.err.OperationalError: (1045, "Access denied for user 'acl'@'172.30.0.5' (using password: YES)")
oneterm-api:
2025-08-06 19:39:19.996 fatal get resource type failed {"error": "(pymysql.err.OperationalError) (1045, \"Access denied for user 'acl'@'172.30.0.5' (using password: YES)\")\n(Background on this error at: https://sqlalche.me/e/14/e3q8)"}
Available clients: redis-cli, mysql/mariadb, psql, mongo/mongosh
2025-08-06 19:39:38.105 info Starting scheduler with configuration {"connectable_check_interval": 1800, "config_update_interval": 300, "batch_size": 50, "concurrent_workers": 10}
2025-08-06 19:39:38.323 info Starting V1 to V2 authorization migration
2025-08-06 19:39:38.324 info Migration already completed, skipping
2025-08-06 19:39:38.324 info Starting node authorization V1 to V2 migration
2025-08-06 19:39:38.325 info Found nodes for migration {"count": 0}
2025-08-06 19:39:38.325 info Node authorization migration completed {"migratedCount": 0, "totalNodes": 0}
2025-08-06 19:39:38.325 info Starting initialization of predefined dangerous commands
2025-08-06 19:39:38.326 debug Predefined command already exists, skipping {"name": "Delete root directory"}
2025-08-06 19:39:38.327 debug Predefined command already exists, skipping {"name": "Delete system directories"}
2025-08-06 19:39:38.328 debug Predefined command already exists, skipping {"name": "Disk destruction operations"}
2025-08-06 19:39:38.329 debug Predefined command already exists, skipping {"name": "Format disk"}
2025-08-06 19:39:38.329 debug Predefined command already exists, skipping {"name": "Fork bomb"}
2025-08-06 19:39:38.330 debug Predefined command already exists, skipping {"name": "System reboot shutdown"}
2025-08-06 19:39:38.331 debug Predefined command already exists, skipping {"name": "Modify critical system files"}
2025-08-06 19:39:38.332 debug Predefined command already exists, skipping {"name": "Drop database"}
2025-08-06 19:39:38.333 debug Predefined command already exists, skipping {"name": "Truncate table data"}
2025-08-06 19:39:38.334 debug Predefined command already exists, skipping {"name": "Modify user permissions"}
2025-08-06 19:39:38.335 debug Predefined command already exists, skipping {"name": "Drop table"}
2025-08-06 19:39:38.336 debug Predefined command already exists, skipping {"name": "Service control commands"}
2025-08-06 19:39:38.337 debug Predefined command already exists, skipping {"name": "Network configuration modification"}
2025-08-06 19:39:38.338 debug Predefined command already exists, skipping {"name": "User management"}
2025-08-06 19:39:38.338 debug Predefined command already exists, skipping {"name": "Kernel module operations"}
2025-08-06 19:39:38.339 debug Predefined template already exists, skipping {"name": "Basic Security Protection"}
2025-08-06 19:39:38.340 debug Predefined template already exists, skipping {"name": "Production Database Protection"}
2025-08-06 19:39:38.341 debug Predefined template already exists, skipping {"name": "System Service Control Restrictions"}
2025-08-06 19:39:38.341 debug Predefined template already exists, skipping {"name": "Network Security Control"}
2025-08-06 19:39:38.342 debug Predefined template already exists, skipping {"name": "Development Environment Basic Restrictions"}
2025-08-06 19:39:38.342 info Predefined dangerous commands initialization completed successfully
2025-08-06 19:39:38.356 error github.com/veops/oneterm/pkg/remote.GetAclToken failed {"url": "http://acl-api:5000/api/v1/acl/apps/token", "req": "{\"app_id\":\"5867e079dfd1437e9ae07576ab24b391\",\"secret_key\":\"65d34ec2a5e42add26741a7b487020a8\"}", "resp": "{\n \"message\": \"(pymysql.err.OperationalError) (1045, \\\"Access denied for user 'acl'@'172.30.0.5' (using password: YES)\\\")\\n(Background on this error at: https://sqlalche.me/e/14/e3q8)\"\n}"}
2025-08-06 19:39:38.356 fatal get resource type failed {"error": "(pymysql.err.OperationalError) (1045, \"Access denied for user 'acl'@'172.30.0.5' (using password: YES)\")\n(Background on this error at: https://sqlalche.me/e/14/e3q8)"}
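The override behaviour the report asks for, sketched as an added example (not code from the oneterm or acl repositories): a settings loader in which SQLALCHEMY_DATABASE_URI or the DB_* variables take precedence over the defaults, and which refuses to start on an empty password or the shipped 123456. The variable names DB_PORT and DB_NAME and the helper names are assumptions made for this sketch.

```python
import os
from urllib.parse import quote, unquote, urlsplit, urlunsplit

SHIPPED_DEFAULT_PASSWORD = "123456"  # the default the issue says is hardcoded


def build_db_uri(env):
    """Return the SQLAlchemy URI from env; a full URI wins over DB_* parts."""
    uri = env.get("SQLALCHEMY_DATABASE_URI")
    if not uri:
        user = quote(env.get("DB_USER", "acl"), safe="")
        # Percent-encode so '@', '/' or ':' in a password cannot break the URI.
        password = quote(env.get("DB_PASSWORD", ""), safe="")
        host = env.get("DB_HOST", "mysql")
        port = int(env.get("DB_PORT", "3306"))  # DB_PORT: assumed variable name
        name = env.get("DB_NAME", "acl")        # DB_NAME: assumed variable name
        uri = f"mysql+pymysql://{user}:{password}@{host}:{port}/{name}?charset=utf8"
    # Validate whichever URI was chosen, so neither path can carry the default.
    password = unquote(urlsplit(uri).password or "")
    if not password:
        raise RuntimeError("no database password configured (set DB_PASSWORD)")
    if password == SHIPPED_DEFAULT_PASSWORD:
        raise RuntimeError("refusing to start with the shipped default DB password")
    return uri


def redact_uri(uri):
    """Mask the password so the effective URI can be logged at startup."""
    parts = urlsplit(uri)
    if parts.password is None:
        return uri
    host = parts.netloc.rsplit("@", 1)[1]
    return urlunsplit(parts._replace(netloc=f"{parts.username}:***@{host}"))


def load_settings(env=None):
    """Build the two settings named in the issue from the environment."""
    env = os.environ if env is None else env
    uri = build_db_uri(env)
    return {"SQLALCHEMY_DATABASE_URI": uri, "SQLALCHEMY_BINDS": {"user": uri}}


if __name__ == "__main__":
    # Constructed sample environment, not values from a real deployment.
    sample = {"DB_USER": "acl", "DB_PASSWORD": "p@ss/1", "DB_HOST": "mysql"}
    print(redact_uri(load_settings(sample)["SQLALCHEMY_DATABASE_URI"]))
```

Logging the redacted URI at startup shows which host, user and database the service actually resolved, which is the information that was missing while chasing the 1045 error.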
This doesn't seem to be an issue with this repository; it is recommended to submit an issue in the corresponding repository.
https://github.com/veops/acl
- Pull latest code from repository
- Run cd deploy; ./migrate-passwords.sh to change database passwords for existing installations
- The script will safely update all configuration files and restart services