configure
depcomp
doc/dokuwiki-doc-stubber.pl
-examples/redis-accounts.txt
+examples/redis-accounts.example.txt
examples/math_bench.pl
examples/math_client.py
examples/multisession-test.pl
cd SYSCONFDIR
cp opensrf_core.xml.example opensrf_core.xml
cp opensrf.xml.example opensrf.xml
+cp redis-accounts.example.txt redis-accounts.txt
---------------------------------------------------------------------------
+
2. Edit the `SYSCONFDIR/opensrf_core.xml` file to update the four username
+
Accessing the Redis Command Line
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-The script which creates Redis OpenSRF accounts also disables the
-'default' (password-less) Redis account for security reasons. To access
-the Redis command line with full privileges, use the 'admin' user and
-associated password from the SYSCONFDIR/redis-accounts.txt file. For
-example:
+The script which creates Redis OpenSRF accounts also applies a password
+to the 'default' Redis account for security. To access the Redis
+command line with full privileges, use the password for the 'default'
+user from the SYSCONFDIR/redis-accounts.txt file. For example:
+
[source,bash]
---------------------------------------------------------------------------
-REDISCLI_AUTH=f0d2ebcc-5a52-49e4-a910-a515144b4141 redis-cli --user admin
+REDISCLI_AUTH=f0d2ebcc-5a52-49e4-a910-a515144b4141 redis-cli
---------------------------------------------------------------------------
Starting and stopping OpenSRF services
my $routers = $conf->bootstrap->routers;
- my $admin_pass = `grep 'ACL SETUSER admin on >' $opt_bus_accounts | cut -d'>' -f2`;
+ my $bus_pass = `grep 'ACL SETUSER default on >' $opt_bus_accounts | cut -d'>' -f2`;
- chomp($admin_pass);
+ chomp($bus_pass);
- die "No password for Redis 'admin' account found in $opt_bus_accounts\n"
- unless $admin_pass;
+ die "No password for Redis 'default' account found in $opt_bus_accounts\n"
+ unless $bus_pass;
# Redis prefers the password be passed via ENV.
- $ENV{REDISCLI_AUTH} = $admin_pass;
+ $ENV{REDISCLI_AUTH} = $bus_pass;
# Apply the bus accounts to all of our domains.
for my $router (@{$conf->bootstrap->routers}) {
my $domain = ref $router ? $router->{domain} : $router;
my $port = $conf->bootstrap->port;
+ # The first time this script runs after installing / rebooting Redis,
+ # the 'default' account will have no password. Subsequent logins
+ # will use the password defined in our redis-accounts file. See if
+ # we can figure where we are...
+ my $login = `echo "exit" | redis-cli -h $domain -p $port 2>&1`;
+
+ if ($login =~ /AUTH failed/) {
+ # Login failed. Clear the password.
+ delete $ENV{REDISCLI_AUTH};
+ } else {
+ # Multiple OpenSRF domains may run on the same Redis instance.
+ # If so, make sure subsequent runs on the same redis instance
+ # use the just-applied password. In this case, our $login
+ # var above will be empty, becuase Redis will think we are
+ # trying to login with no authentication, and will later fail
+ # when we try to perform actions that are not allowed.
+ $ENV{REDISCLI_AUTH} = $bus_pass;
+ }
+
msg("Resetting bus accounts for domain $domain");
# Grep out some noise. Avoid piping to /dev/null so we can
# see failures.
- my $command = "redis-cli --user admin -h $domain -p $port | grep -v OK | grep -v ^1";
+ my $command = "redis-cli -h $domain -p $port | grep -v OK | grep -v ^1";
system("cat $opt_bus_accounts | $command");
}
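Review bot: The probe assigned to `$login` treats any `AUTH failed` reply as "fresh instance, 'default' has no password yet", but a stored password that differs from the one in `$opt_bus_accounts` would presumably produce the same prefix; the script then deletes `REDISCLI_AUTH` and pipes the ACL file over an unauthenticated connection. The return value of `system("cat $opt_bus_accounts | $command")` is not checked, and the pipeline's status is that of the last `grep`, so a run in which Redis rejected every command still ends normally. On Redis versions that answer a bad password with `WRONGPASS`, the cases can be told apart with `die "Redis rejected the 'default' password for $domain\n" if $login =~ /WRONGPASS/;` before the existing `if`. `$domain`, `$port` and `$opt_bus_accounts` are also interpolated into shell strings on the new backtick lines, so quoting them or using the list forms of `open`/`system` would keep unusual config values from being parsed by the shell. The enclosing sub starts and ends outside the hunk.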
OPENSRF_BUS_PASS=$(cat /proc/sys/kernel/random/uuid)
GATEWAY_BUS_PASS=$(cat /proc/sys/kernel/random/uuid)
ROUTER_BUS_PASS=$(cat /proc/sys/kernel/random/uuid)
-ADMIN_BUS_PASS=$(cat /proc/sys/kernel/random/uuid)
+DEFAULT_BUS_PASS=$(cat /proc/sys/kernel/random/uuid)
AC_DEFINE_UNQUOTED([OPENSRF_BUS_PASS], ["$OPENSRF_BUS_PASS"], [opensrf bus password])
AC_DEFINE_UNQUOTED([GATEWAY_BUS_PASS], ["$GATEWAY_BUS_PASS"], [gateway bus password])
AC_DEFINE_UNQUOTED([ROUTER_BUS_PASS], ["$ROUTER_BUS_PASS"], [router bus password])
-AC_DEFINE_UNQUOTED([ADMIN_BUS_PASS], ["$ADMIN_BUS_PASS"], [admin bus password])
+AC_DEFINE_UNQUOTED([DEFAULT_BUS_PASS], ["$DEFAULT_BUS_PASS"], [admin bus password])
AC_SUBST([OPENSRF_BUS_PASS])
AC_SUBST([GATEWAY_BUS_PASS])
AC_SUBST([ROUTER_BUS_PASS])
-AC_SUBST([ADMIN_BUS_PASS])
+AC_SUBST([DEFAULT_BUS_PASS])
#-------------------------------
# Installation options
#------------------------------------
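Review bot: The description argument on the `AC_DEFINE_UNQUOTED([DEFAULT_BUS_PASS], ...)` line still reads `[admin bus password]`; it should be `[default bus password]` to match the renamed account. This value is now the password of the unrestricted 'default' Redis account, and `AC_DEFINE_UNQUOTED` writes it into the generated config header. It is worth confirming that the header and `config.log` are not installed or left world-readable, which cannot be determined from this hunk.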
AC_CONFIG_FILES([doc/dokuwiki-doc-stubber.pl
- examples/redis-accounts.txt
+ examples/redis-accounts.example.txt
examples/math_bench.pl
examples/multisession-test.pl
src/c-apps/Makefile
--- /dev/null
+
+SET comment "opensrf clients can perform all opensrf-level actions"
+SET COMMENT "opensrf accounts send requets to opensrf:router:* queues"
+SET COMMENT "opensrf accounts send replies to opensrf:client:* queues"
+SET COMMENT "opensrf accounts lpop requests from their opensrf:servivce: queue."
+SET COMMENT "TODO: separate Listener vs Drone accounts to prevent Drones / standalone clients from accessing opensrf:service:*"
+
+ACL SETUSER opensrf reset
+ACL SETUSER opensrf on >@OPENSRF_BUS_PASS@
+ACL SETUSER opensrf -@all +lpop +blpop +rpush +del ~opensrf:router:* ~opensrf:service:* ~opensrf:client:*
+
+SET comment "routers lpop requests from their own opensrf:router:* queues"
+SET comment "routers send requests to opensrf:service:* queues"
+SET comment "routers send replies to opensrf:client:* queues"
+
+ACL SETUSER router reset
+ACL SETUSER router on >@ROUTER_BUS_PASS@
+ACL SETUSER router -@all +lpop +blpop +rpush +del ~opensrf:router:* ~opensrf:service:* ~opensrf:client:*
+
+SET comment "gateway accounts send request to opensrf:router:* queues"
+SET comment "gateway accounts send subsequent, stateful requests to opensrf:client:* queues"
+
+ACL SETUSER gateway reset
+ACL SETUSER gateway on >@GATEWAY_BUS_PASS@
+ACL SETUSER gateway -@all +lpop +blpop +rpush +del ~opensrf:router:* ~opensrf:client:*
+
+SET comment "default can do anything"
+SET comment "set default password last so our logged-in account does not break mid-script"
+
+ACL SETUSER default resetpass
+ACL SETUSER default on >@DEFAULT_BUS_PASS@
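Review bot: The new accounts file, as shown, ends at `ACL SETUSER default on >@DEFAULT_BUS_PASS@` and no longer issues `DEL comment`, so the `comment` key written by the `SET comment ...` lines stays in the keyspace after the script runs. Placing `DEL comment` just before `ACL SETUSER default resetpass` would restore the cleanup without touching the connection after the password changes. With the dedicated `admin` user gone, 'default' is both the identity a client gets when it sends no username and the only full-privilege account, and the script's own comment says it has no password after Redis is installed or rebooted. Consider documenting that window, or persisting the ACL state (for example an `aclfile` with `ACL SAVE`), so a restart does not reopen password-less full access until the script is re-run. The carried-over comment strings also still contain the typos `requets` and `servivce`.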
+++ /dev/null
-
-SET comment "opensrf clients can perform all opensrf-level actions"
-SET COMMENT "opensrf accounts send requets to opensrf:router:* queues"
-SET COMMENT "opensrf accounts send replies to opensrf:client:* queues"
-SET COMMENT "opensrf accounts lpop requests from their opensrf:servivce: queue."
-SET COMMENT "TODO: separate Listener vs Drone accounts to prevent Drones / standalone clients from accessing opensrf:service:*"
-
-ACL SETUSER opensrf reset
-ACL SETUSER opensrf on >@OPENSRF_BUS_PASS@
-ACL SETUSER opensrf -@all +lpop +blpop +rpush +del ~opensrf:router:* ~opensrf:service:* ~opensrf:client:*
-
-SET comment "routers lpop requests from their own opensrf:router:* queues"
-SET comment "routers send requests to opensrf:service:* queues"
-SET comment "routers send replies to opensrf:client:* queues"
-
-ACL SETUSER router reset
-ACL SETUSER router on >@ROUTER_BUS_PASS@
-ACL SETUSER router -@all +lpop +blpop +rpush +del ~opensrf:router:* ~opensrf:service:* ~opensrf:client:*
-
-SET comment "gateway accounts send request to opensrf:router:* queues"
-SET comment "gateway accounts send subsequent, stateful requests to opensrf:client:* queues"
-
-ACL SETUSER gateway reset
-ACL SETUSER gateway on >@GATEWAY_BUS_PASS@
-ACL SETUSER gateway -@all +lpop +blpop +rpush +del ~opensrf:router:* ~opensrf:client:*
-
-SET comment "admin can do anything"
-SET comment "avoid reseting admin since that would break the account mid-script"
-
-ACL SETUSER admin resetpass
-ACL SETUSER admin on >@ADMIN_BUS_PASS@
-ACL SETUSER admin +@all ~*
-
-SET comment "disable the 'default' passwordless account"
-
-ACL SETUSER default off
-
-DEL comment
-
MAYBE_CORE = libopensrf c-apps srfsh gateway perl websocket-stdio
dist_bin_SCRIPTS = @top_srcdir@/bin/opensrf-perl.pl
bin_SCRIPTS = @top_srcdir@/bin/osrf_config
-dist_sysconf_DATA = @top_srcdir@/examples/opensrf.xml.example @top_srcdir@/examples/opensrf_core.xml.example @top_srcdir@/examples/srfsh.xml.example @top_srcdir@/examples/redis-accounts.txt
+dist_sysconf_DATA = @top_srcdir@/examples/opensrf.xml.example @top_srcdir@/examples/opensrf_core.xml.example @top_srcdir@/examples/srfsh.xml.example @top_srcdir@/examples/redis-accounts.example.txt
endif
SUBDIRS = $(MAYBE_CORE) $(MAYBE_PY) $(MAYBE_JA)