Merged
2 changes: 2 additions & 0 deletions .gitignore
@@ -0,0 +1,2 @@
.idea
*.iml
2 changes: 1 addition & 1 deletion ci/ci_check.sh
Expand Up @@ -15,7 +15,7 @@ function build_images {

function start_server {
echo "==== Starting the server ===="
SERVER_CONTAINER_ID=`sudo docker run -d --name infinispan-server-ci infinispan-server -Djboss.default.jgroups.stack=tcp`
SERVER_CONTAINER_ID=`sudo docker run -d --name infinispan-server-ci -e "APP_USER=user" -e "APP_PASS=changeme" infinispan-server -Djboss.default.jgroups.stack=tcp`
if [ -z "$SERVER_CONTAINER_ID" ]; then
echo "Could not create the container"
exit 1
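Review bot: the docker-based CI now starts the server with fixed credentials (`-e "APP_USER=user" -e "APP_PASS=changeme"`) but, unlike ci_openshift.sh in this same change, gains no check that an unauthenticated request is rejected. Since the point of the change is that anonymous access no longer works, consider adding the same 401 assertion here so the plain-docker path is covered too. Hard-coding `changeme` is acceptable for a throwaway CI container; the value matching the README examples is also fine, as long as nobody copies it into a real deployment.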
19 changes: 18 additions & 1 deletion ci/ci_openshift.sh
Expand Up @@ -48,7 +48,10 @@ function add_building_permission {

function create_application {
echo "==== Creating Infinispan application ===="
./oc new-app $OPENSHIFT_COMPONENT_NAME --docker-image="$IMAGE_INSIDE_OPENSHIFT"
./oc new-app $OPENSHIFT_COMPONENT_NAME \
--docker-image="$IMAGE_INSIDE_OPENSHIFT" \
-e "APP_USER=user" \
-e "APP_PASS=changeme"
wait_for_ispn
}
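Review bot: `$OPENSHIFT_COMPONENT_NAME` is still unquoted on the `./oc new-app` line; quoting it (`"$OPENSHIFT_COMPONENT_NAME"`) keeps the continuation lines robust if the name ever contains a space or glob character. Note also that values passed with `-e` end up in the DeploymentConfig and are readable by anyone who can view it, which is fine for the CI account but worth a comment so the snippet is not copied verbatim into production manifests.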

Expand All @@ -72,6 +75,19 @@ function perform_test_via_rest {
fi
}

function perform_negative_test_via_rest {
echo "==== Performing negative REST test ===="
ISPN_IP=`./oc describe svc/$OPENSHIFT_COMPONENT_NAME | grep IP: | awk '{print $2}'`
CODE_RETURNED=$(curl -s -o /dev/null -H 'Accept: text/plain' -w "%{http_code}" http://$ISPN_IP:8080/rest/default/1)
if [ $CODE_RETURNED == '401' ]; then
echo "REST test Passed"
TEST_RESULT=0
else
echo "REST test Failed. REST server returned $CODE_RETURNED but was expected 401"
TEST_RESULT=1
fi
}

function login_as_admin {
echo "==== Logging in as admin ===="
./oc login -u system:admin
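Review bot: `perform_negative_test_via_rest` sets `TEST_RESULT=0` on success, which overwrites a `TEST_RESULT=1` left by `perform_test_via_rest`; because the negative test runs last, a failing positive test would still let the script `exit 0`. Only assign on failure (or accumulate, e.g. `TEST_RESULT=$((TEST_RESULT | 1))`) so both checks have to pass. Two smaller points on the same hunk: `[ $CODE_RETURNED == '401' ]` should quote the variable and use a single `=` (`==` inside `[ ]` is a bash extension, and an empty `$CODE_RETURNED` makes the test a syntax error), and it would help to print the URL in the failure message, since curl returns `000` when it cannot connect at all and that is easy to confuse with an authentication problem.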
Expand Down Expand Up @@ -114,5 +130,6 @@ build_images
create_application
expose_route
perform_test_via_rest
perform_negative_test_via_rest

exit $TEST_RESULT
7 changes: 0 additions & 7 deletions server/Dockerfile
Expand Up @@ -6,13 +6,6 @@ ENV INFINISPAN_SERVER_HOME /opt/jboss/infinispan-server

# Set the INFINISPAN_VERSION env variable
ENV INFINISPAN_VERSION 9.1.0.CR1
ENV MGMT_USER admin

ENV MGMT_PASS admin

ENV APP_USER user

ENV APP_PASS changeme

# Ensure signals are forwarded to the JVM process correctly for graceful shutdown
ENV LAUNCH_JBOSS_IN_BACKGROUND true
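Review bot: dropping the baked-in `ENV MGMT_USER admin` / `ENV MGMT_PASS admin` and `ENV APP_USER user` / `ENV APP_PASS changeme` defaults is the right fix, since every image built from this base previously shipped with the same well-known credentials. It is a behaviour change for downstream Dockerfiles and manifests that relied on those defaults, so it deserves an explicit upgrade note in the README (management credentials now become mandatory in domain mode and generated otherwise, and the generated values are only shown once in the container log).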
71 changes: 60 additions & 11 deletions server/README.md
@@ -1,5 +1,59 @@
# Infinispan server Docker image

## Configuring authentication

To be able to connect to any of the Infinispan server Docker images, authentication is necessary.
The easiest way to create a new user (with specified password) before starting the server is to specify `APP_USER`
and `APP_PASS` environment variables or pass `-au` (for user name) and `-ap` (for password) switches.

Optionally, `APP_ROLES` environment variable (or `-ar` switch) can be passed in which provides specific security roles
to be associated with the user. The value of this environment variable is expected to be a comma-separated
list of roles for the user.

The management console exposed by the Infinispan server Docker images also requires authentication.
In this case, to be able to access the console, `MGMT_USER` and `MGMT_PASS` environment variables
(or `-mu` and `-mp` equivalents) need to be provided. Even if not accessing the console,
these environment properties are required if creating a cluster in the domain mode.

If no application and/or management user and password is specified, the image will generate a new one. A newly
generated user/password pair will be displayed on the console before the starts up.

Here are some examples on how environment variables can be provided depending on the chosen method to start the image.

Docker run example with environmental variables:

docker run ... -e "APP_USER=user" -e "APP_PASS=changeme" jboss/infinispan-server

Docker run example with switches:

docker run ... jboss/infinispan-server -au "user" -ap "changeme"

Dockerfile example:

ENV APP_USER user
ENV APP_PASS changeme

Kubernetes yaml example:

spec:
containers:
- args:
image: jboss/infinispan-server:...
...
env:
- name: APP_USER
value: "user"
- name: APP_PASS
value: "changeme"

OpenShift client example:

oc new-app ... -e "APP_USER=user" -e "APP_PASS=changeme" ...

Finally, it's possible to add more fine grained credentials by invoking `add-user` command once the image has started up:

docker exec -it $(docker ps -l -q) /opt/jboss/infinispan-server/bin/add-user.sh

## Starting in clustered mode

Run one or more:
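Review bot: the new "Configuring authentication" section says that a missing management user/password will be generated, but two paragraphs earlier it says `MGMT_USER`/`MGMT_PASS` are required in domain mode, and the entrypoint in this same change exits with "Specifying management user is required for domain mode" before any generation happens. State clearly that generation applies to standalone mode only and that domain mode hard-fails without explicit management credentials. Also in this hunk: "before the starts up" should read "before the server starts up"; the Kubernetes YAML example has lost its indentation and shows an empty `- args:` key, so either fill in the args or drop that key; and the closing `add-user` tip would benefit from saying that it creates users in addition to the ones created from the environment.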
Expand Down Expand Up @@ -42,28 +96,23 @@ The first param to the container is the name of the desired configuration. For e

docker run -it jboss/infinispan-server cloud -Djboss.default.jgroups.stack=google -Djgroups.google.bucket=... -Djgroups.google.access_key=...

## Configuring authentication

The 'default' and 'standalone' running modes don't not have credentials set. In order to define them, run after launching the container:

docker exec -it $(docker ps -l -q) /opt/jboss/infinispan-server/bin/add-user.sh

and follow the instructions.

## Running domain mode

Domain mode is composed of a lightweight managing process that does not hold data called domain controller plus one or more
Contributor
Running domain mode without setting a password now gives an exception:

[Host Controller] Caused by: javax.xml.stream.XMLStreamException: ParseError at [row,col]:[12,21]
[Host Controller] Message: "WFLYCTL0113: '' is an invalid value for parameter value. Values must have a minimum length of 1 characters"
[Host Controller]       at org.jboss.as.controller.SimpleAttributeDefinition.parse(SimpleAttributeDefinition.java:161)
[Host Controller]       at org.jboss.as.controller.SimpleAttributeDefinition.parseAndSetParameter(SimpleAttributeDefinition.java:186)
[Host Controller]       at org.jboss.as.domain.management.parsing.ManagementXml_4.parseSecret(ManagementXml_4.java:528)
[Host Controller]       at org.jboss.as.domain.management.parsing.ManagementXml_4.parseServerIdentities(ManagementXml_4.java:503)
[Host Controller]       at org.jboss.as.domain.management.parsing.ManagementXml_4.parseSecurityRealm(ManagementXml_4.java:453)
[Host Controller]       at org.jboss.as.domain.management.parsing.ManagementXml_4.parseSecurityRealms(ManagementXml_4.java:421)
[Host Controller]       at org.jboss.as.domain.management.parsing.ManagementXml_4.parseManagement(ManagementXml_4.java:176)

We should:

  1. Make mandatory setting -e "MGMT_USER=...." -e "MGMT_PASS=..." when using domain mode (and don't use auto-generation, nor print the banner)
  2. Mention in this section that both the domain-controller AND the host-controller must be started with the MGMT_USER and MGMT_PASS variables

host controllers co-located with the Infinispan Server nodes. To run the domain controller:

docker run --name=dc -it jboss/infinispan-server domain-controller
docker run --name=dc -it jboss/infinispan-server domain-controller -mu user -mp password

And then each host controller can be started as:

docker run --link dc:dc -it jboss/infinispan-server host-controller
docker run --link dc:dc -it jboss/infinispan-server host-controller -mu user -mp password

Specifying management user and password is required for operating the domain mode.

### Acessing the Server Management Console

The Server Management Console listens on the domain controller on port 9990. Credentials are admin/admin.
The Server Management Console listens on the domain controller on port 9990.
To be able to access the console, credentials need to be provided (see above).

## Source to image (S2I)
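Review bot: the domain-mode examples now show `-mu user -mp password` on both the domain controller and the host controller, but the sentence "Specifying management user and password is required for operating the domain mode." does not say that the same user and password must be supplied to each host controller as well as the domain controller, which is the point raised in the inline comment above; one sentence making that explicit (and mentioning the `MGMT_USER`/`MGMT_PASS` environment-variable form as an alternative to the switches) would close it. While editing this section, the unchanged heading "### Acessing the Server Management Console" has a typo ("Accessing"), and the example password `password` would be better shown as an obvious placeholder such as `changeme`, consistent with the rest of the README.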

179 changes: 163 additions & 16 deletions server/docker-entrypoint.sh
Expand Up @@ -2,7 +2,8 @@

# S2I build scripts do not override Docker Entrypoints (see https://github.com/openshift/source-to-image/issues/475#issuecomment-215891632),
# thus we need to check whether or not we are running a build or a standard container.
echo "Entry point arguments: $@"
# This line is commented intentionally, it is very useful for debugging.
# echo "Entry point arguments: $@"
if [[ $@ == *"/usr/local/s2i/bin/assemble"* ]]
then
echo "---> Performing S2I build... Skipping server startup"
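Review bot: commenting out `echo "Entry point arguments: $@"` is necessary now that `-ap`/`-mp` values can appear on the command line, because that line would have written application and management passwords into the container log. Rather than leaving it as a "very useful for debugging" hint that invites someone to re-enable it, either delete it or replace it with a debug echo that prints only the option names (redacting the argument after `-ap`, `-mp`, `--application-password` and `--management-password`).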
Expand All @@ -12,12 +13,124 @@ fi

set -e

is_not_empty() {
local var=$1
[[ -n $var ]]
}

generate_user_or_password() {
echo $(tr -cd '[:alnum:]' < /dev/urandom | fold -w10 | head -n1)
}

addMgmtUser() {
$SERVER/bin/add-user.sh -u $MGMT_USER -p $MGMT_PASS
local usr=$MGMT_USER
local pass=$MGMT_PASS

if is_not_empty $usr && is_not_empty $pass; then
$SERVER/bin/add-user.sh -u $usr -p $pass
else
usr=$(generate_user_or_password)
pass=$(generate_user_or_password)
echo "######################################################################################"
echo "# Using domain mode but no management user and/or password provided. #"
echo "# Management user and password has been generated. #"
echo "# Management user: $usr #"
echo "# Management password: $pass #"
echo "# #"
echo "# You can provide management user and password details via environment variables. #"
echo "# #"
echo "# Docker run example: #"
echo "# docker run ... -e \"MGMT_USER=user\" -e \"MGMT_PASS=changeme\" ... #"
echo "# #"
echo "# Dockerfile example: #"
echo "# ENV MGMT_USER admin #"
echo "# ENV MGMT_PASS admin #"
echo "# #"
echo "# Kubernetes Example: #"
echo "# spec: #"
echo "# containers: #"
echo "# - args: #"
echo "# image: jboss/infinispan-server:... #"
echo "# ... #"
echo "# env: #"
echo "# - name: MGMT_USER #"
echo "# value: admin #"
echo "# - name: MGMT_PASS #"
echo "# value: admin #"
echo "# #"
echo "# OpenShift client example: #"
echo "# oc new-app ... -e MGMT_USER=user -e MGMT_PASS=changeme ... #"
echo "######################################################################################"
Contributor
Could we skip the Dockerfile example, Kubernetes Example and Openshift client example from this banner?
The banner is printed 2x if I don't specify the password and it seemed too verbose for me.

Contributor Author
I actually left it as is. I think it has some value. Besides we can remove it whenever we want without breaking any backwards compatibility.

Let's also ask original author, @galderz, what to do with that.

Collaborator
I'm fine either way. I thought it could be useful, but happy to remove it if it's too noisy/big.

$SERVER/bin/add-user.sh -u $usr -p $pass
fi
}

addAppUser() {
$SERVER/bin/add-user.sh -a -u $APP_USER -p $APP_PASS
local usr=$APP_USER
local pass=$APP_PASS
local roles=$APP_ROLES

if is_not_empty $usr && is_not_empty $pass; then
if is_not_empty $roles; then
$SERVER/bin/add-user.sh -a -u $usr -p $pass -g $roles
else
$SERVER/bin/add-user.sh -a -u $usr -p $pass
fi
else
usr=$(generate_user_or_password)
pass=$(generate_user_or_password)
echo "######################################################################################"
echo "# No application user and/or password provided. #"
echo "# Application user and password has been generated. #"
echo "# Application user: $usr #"
echo "# Application password: $pass #"
echo "# #"
echo "# You can provide application user and password details via environment variables. #"
echo "# #"
echo "# Docker run example: #"
echo "# docker run ... -e APP_USER=user -e APP_PASS=changeme #"
echo "# #"
echo "# Dockerfile example: #"
echo "# ENV APP_USER user #"
echo "# ENV APP_PASS changeme #"
echo "# #"
echo "# Kubernetes example: #"
echo "# spec: #"
echo "# containers: #"
echo "# - args: #"
echo "# image: jboss/infinispan-server:... #"
echo "# ... #"
echo "# env: #"
echo "# - name: APP_USER #"
echo "# value: user #"
echo "# - name: APP_PASS #"
echo "# value: changeme #"
echo "# #"
echo "# OpenShift client example: #"
echo "# oc new-app ... -e APP_USER=user -e APP_PASS=changeme ... #"
echo "######################################################################################"
$SERVER/bin/add-user.sh -a -u $usr -p $pass
fi
}

checkIfUserExistsForDomainMode() {
local usr=$MGMT_USER
local pass=$MGMT_PASS

if [ "$RUN_TYPE" != "STANDALONE" ]
then
if [ "x$usr" = "x" ]
then
echo "Specifying management user is required for domain mode"
exit 1
fi

if [ "x$pass" = "x" ]
then
echo "Specifying management password is required for domain mode"
exit 1
fi
fi
}

# Based on https://github.com/fabric8io-images/run-java-sh/blob/master/fish-pepper/run-java-sh/fp-files/container-limits
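Review bot: in `addMgmtUser` and `addAppUser` the credentials are expanded unquoted (`is_not_empty $usr`, `add-user.sh -u $usr -p $pass`, `-g $roles`), so a password containing a space or a shell glob character is word-split before it reaches `add-user.sh`, and the user is created with a truncated password without any error. Quote every expansion (`"$usr"`, `"$pass"`, `"$roles"`) and make `is_not_empty` use `"$1"`. Two further points on the same hunk: the banner text "Using domain mode but no management user and/or password provided" can never be shown in domain mode, because `checkIfUserExistsForDomainMode` exits first, so it should say something like "No management user and/or password provided" to match the application banner; and `generate_user_or_password` draws 10 alphanumeric characters, which is adequate for a generated secret but the function name hides that the same generator is used for user names, so a comment on the intended entropy would help whoever tunes it later.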
Expand Down Expand Up @@ -72,11 +185,9 @@ SERVER_CONFIGURATION="clustered.xml"
JAVA_OPTS="-Xms64m -Djava.net.preferIPv4Stack=true"
PERCENT_OF_MEMORY_FOR_MX=70

addAppUser

for i in "$@"
do
case $i in
case $1 in
domain-controller)
RUN_TYPE='DOMAIN_CONTROLLER'
shift
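Review bot: the loop header is still `for i in "$@"` while the body now dispatches on `case $1` and consumes arguments with `shift`. `"$@"` is expanded once, so the loop runs as many times as there were original arguments regardless of how many `shift`s happen, and correctness depends on the `if [ -z "$1" ]; then break` guard in the `*)` branch. A `while [ $# -gt 0 ]; do ... done` loop expresses the intent directly, removes the now-unused `$i`, and makes the guard unnecessary.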
Expand All @@ -98,6 +209,10 @@ case $i in
echo "# docker-entrypoint.sh host-controller [-n|--no-container-settings] [other options] #"
echo "# Starts a default standalone Server #"
echo "# -n|--no-container-settings omits memory and CPU settings for container mode #"
echo "# docker-entrypoint.sh -ap pass -au user [-ar roles] [other options] #"
echo "# Creates application user with specified password and roles #"
echo "# docker-entrypoint.sh -mp pass -mu user [other options] #"
echo "# Creates management user with specified password #"
echo "# #"
echo "# Examples: #"
echo "# docker-entrypoint.sh -c clustered.xml -Djboss.default.jgroups.stack=kubernetes #"
Expand All @@ -111,27 +226,60 @@ case $i in
CONTAINER_SETTINGS="false"
shift
;;
-au|--application-user)
shift
APP_USER="$1"
shift
;;
-ap|--application-password)
shift
APP_PASS="$1"
shift
;;
-ar|--application-roles)
shift
APP_ROLES="$1"
shift
;;
-mu|--management-user)
shift
MGMT_USER="$1"
shift
;;
-mp|--management-password)
shift
MGMT_PASS="$1"
shift
;;
-c)
# -c configuration.xml, so we need to shift the -c
shift
SERVER_OPTIONS="-c $1"
# -c configuration.xml, so we need to shift the -c
shift
SERVER_OPTIONS="-c $1"
shift
;;
*)
if [ -f "$SERVER/standalone/configuration/$i.xml" ]
then
SERVER_CONFIGURATION="$i.xml"
elif [ -f "$SERVER/standalone/configuration/$i" ]
if [ -z "$1" ]
then
SERVER_CONFIGURATION="$i"
break
else
SERVER_OPTIONS="$SERVER_OPTIONS $i"
if [ -f "$SERVER/standalone/configuration/$1.xml" ]
then
SERVER_CONFIGURATION="$1.xml"
elif [ -f "$SERVER/standalone/configuration/$1" ]
then
SERVER_CONFIGURATION="$1"
else
SERVER_OPTIONS="$SERVER_OPTIONS $1"
fi
fi
shift
;;
esac
done

checkIfUserExistsForDomainMode
addAppUser
addMgmtUser

if [ "$CONTAINER_SETTINGS" == "true" ]
then
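Review bot: the new `-au`/`-ap`/`-ar`/`-mu`/`-mp` branches do `shift; VAR="$1"; shift` without checking that a value is present. With `set -e` in effect, a trailing switch with no value makes the second `shift` fail and the script exit with no message, which will look like a silent crash to the user. Add a guard such as `[ -n "$2" ] || { echo "Missing value for $1"; exit 1; }` before consuming the value. Separately, reordering the checks so that `checkIfUserExistsForDomainMode` runs before `addAppUser`/`addMgmtUser` is correct, since it avoids creating an application user on a domain-mode node that is about to exit anyway.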
Expand All @@ -157,7 +305,6 @@ fi

if [ "$RUN_TYPE" = "DOMAIN_CONTROLLER" ]
then
addMgmtUser
LAUNCHER=$SERVER/bin/domain.sh
exec $LAUNCHER --host-config host-master.xml $BIND_OPTS $SERVER_OPTIONS
elif [ "$RUN_TYPE" == "HOST_CONTROLLER" ]
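Review bot: removing `addMgmtUser` from the `DOMAIN_CONTROLLER` branch and calling it unconditionally after argument parsing means a management-realm user is now also created on standalone servers (generated, with a banner, when `MGMT_USER`/`MGMT_PASS` are unset). That is what the README's console section implies, but it is a behaviour change for standalone deployments that previously had no management user at all, so it should be called out in the README, and the host-controller branch below (not visible in this hunk) should be checked so that the same management user is added there as well, which is what the domain-mode examples now require.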