From: Bill Erickson Date: Thu, 11 May 2023 15:26:32 +0000 (-0400) Subject: Use redis default account instead of admin / avoid clobber X-Git-Url: https://old-git.evergreen-ils.org/?a=commitdiff_plain;h=4db224ff2f698c0bd03fe2a3344672a706454b94;p=working%2FOpenSRF.git Use redis default account instead of admin / avoid clobber Signed-off-by: Bill Erickson --- diff --git a/.gitignore b/.gitignore index 216cb57..7203d9b 100644 --- a/.gitignore +++ b/.gitignore @@ -10,7 +10,7 @@ config.sub configure depcomp doc/dokuwiki-doc-stubber.pl -examples/redis-accounts.txt +examples/redis-accounts.example.txt examples/math_bench.pl examples/math_client.py examples/multisession-test.pl diff --git a/README b/README index 0e2601c..e7fbf6e 100644 --- a/README +++ b/README @@ -268,6 +268,7 @@ Updating the OpenSRF configuration files cd SYSCONFDIR cp opensrf_core.xml.example opensrf_core.xml cp opensrf.xml.example opensrf.xml +cp redis-accounts.example.txt redis-accounts.txt --------------------------------------------------------------------------- + 2. Edit the `SYSCONFDIR/opensrf_core.xml` file to update the four username 
@@ -297,15 +298,14 @@ osrf_control --reset-message-bus + Accessing the Redis Command Line ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -The script which creates Redis OpenSRF accounts also disables the -'default' (password-less) Redis account for security reasons. To access -the Redis command line with full privileges, use the 'admin' user and -associated password from the SYSCONFDIR/redis-accounts.txt file. For -example: +The script which creates Redis OpenSRF accounts also applies a password +to the 'default' Redis account for security. To access the Redis +command line with full privileges, use the password for the 'default' +user from the SYSCONFDIR/redis-accounts.txt file. For example: + [source,bash] --------------------------------------------------------------------------- -REDISCLI_AUTH=f0d2ebcc-5a52-49e4-a910-a515144b4141 redis-cli --user admin +REDISCLI_AUTH=f0d2ebcc-5a52-49e4-a910-a515144b4141 redis-cli --------------------------------------------------------------------------- Starting and stopping OpenSRF services diff --git a/bin/opensrf-perl.pl.in b/bin/opensrf-perl.pl.in index 86f8148..8e0115b 100755 --- a/bin/opensrf-perl.pl.in +++ b/bin/opensrf-perl.pl.in 
@@ -621,26 +621,45 @@ sub do_reset_message_bus {
 my $routers = $conf->bootstrap->routers;
- my $admin_pass = `grep 'ACL SETUSER admin on >' $opt_bus_accounts | cut -d'>' -f2`;
+ my $bus_pass = `grep 'ACL SETUSER default on >' $opt_bus_accounts | cut -d'>' -f2`;
- chomp($admin_pass);
+ chomp($bus_pass);
- die "No password for Redis 'admin' account found in $opt_bus_accounts\n"
- unless $admin_pass;
+ die "No password for Redis 'default' account found in $opt_bus_accounts\n"
+ unless $bus_pass;
 # Redis prefers the password be passed via ENV.
- $ENV{REDISCLI_AUTH} = $admin_pass;
+ $ENV{REDISCLI_AUTH} = $bus_pass;
 # Apply the bus accounts to all of our domains.
 for my $router (@{$conf->bootstrap->routers}) {
 my $domain = ref $router ? $router->{domain} : $router;
 my $port = $conf->bootstrap->port;
+ # The first time this script runs after installing / rebooting Redis,
+ # the 'default' account will have no password. Subsequent logins
+ # will use the password defined in our redis-accounts file. See if
+ # we can figure where we are...
+ my $login = `echo "exit" | redis-cli -h $domain -p $port 2>&1`;
+
+ if ($login =~ /AUTH failed/) {
+ # Login failed. Clear the password.
+ delete $ENV{REDISCLI_AUTH};
+ } else {
+ # Multiple OpenSRF domains may run on the same Redis instance.
+ # If so, make sure subsequent runs on the same redis instance
+ # use the just-applied password. In this case, our $login
+ # var above will be empty, becuase Redis will think we are
+ # trying to login with no authentication, and will later fail
+ # when we try to perform actions that are not allowed.
+ $ENV{REDISCLI_AUTH} = $bus_pass;
+ }
+
 msg("Resetting bus accounts for domain $domain");
 # Grep out some noise. Avoid piping to /dev/null so we can
 # see failures.
- my $command = "redis-cli --user admin -h $domain -p $port | grep -v OK | grep -v ^1";
+ my $command = "redis-cli -h $domain -p $port | grep -v OK | grep -v ^1";
 system("cat $opt_bus_accounts | $command");
 }
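Review bot: The probe result is only tested for the `AUTH failed` substring, and the status of `system("cat $opt_bus_accounts | $command")` is never examined, so an unreachable Redis, a NOAUTH rejection after the password was cleared, or a failed pipeline leaves that domain's accounts unset while the loop moves on to the next domain with nothing but grep-filtered output as a trace. Change the final call to `system("cat $opt_bus_accounts | $command") == 0 or die "Resetting bus accounts for $domain failed ($?)\n";` and treat any error text in `$login` other than `AUTH failed` (a connection failure, for instance) as fatal rather than letting it fall into the else branch. The `AUTH failed` branch also deserves a `msg()` stating that the 'default' password in $opt_bus_accounts did not match the server, because once the password is deleted an already-secured Redis will reject every subsequent command and the silent `delete` hides the cause. The new probe, like the existing `$command`, interpolates `$domain` and `$port` into a shell string; quoting them (`quotemeta`) or building the command as an argument list would keep values from the bootstrap config out of shell parsing. do_reset_message_bus begins before this hunk and continues after it.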
diff --git a/configure.ac b/configure.ac index b957aff..542ea75 100644 --- a/configure.ac +++ b/configure.ac @@ -56,17 +56,17 @@ AC_SUBST(bindir) OPENSRF_BUS_PASS=$(cat /proc/sys/kernel/random/uuid) GATEWAY_BUS_PASS=$(cat /proc/sys/kernel/random/uuid) ROUTER_BUS_PASS=$(cat /proc/sys/kernel/random/uuid) -ADMIN_BUS_PASS=$(cat /proc/sys/kernel/random/uuid) +DEFAULT_BUS_PASS=$(cat /proc/sys/kernel/random/uuid) AC_DEFINE_UNQUOTED([OPENSRF_BUS_PASS], ["$OPENSRF_BUS_PASS"], [opensrf bus password]) AC_DEFINE_UNQUOTED([GATEWAY_BUS_PASS], ["$GATEWAY_BUS_PASS"], [gateway bus password]) AC_DEFINE_UNQUOTED([ROUTER_BUS_PASS], ["$ROUTER_BUS_PASS"], [router bus password]) -AC_DEFINE_UNQUOTED([ADMIN_BUS_PASS], ["$ADMIN_BUS_PASS"], [admin bus password]) +AC_DEFINE_UNQUOTED([DEFAULT_BUS_PASS], ["$DEFAULT_BUS_PASS"], [admin bus password]) AC_SUBST([OPENSRF_BUS_PASS]) AC_SUBST([GATEWAY_BUS_PASS]) AC_SUBST([ROUTER_BUS_PASS]) -AC_SUBST([ADMIN_BUS_PASS]) +AC_SUBST([DEFAULT_BUS_PASS]) #------------------------------- # Installation options @@ -336,7 +336,7 @@ if test "x$OSRF_INSTALL_CORE" = "xtrue"; then #------------------------------------ AC_CONFIG_FILES([doc/dokuwiki-doc-stubber.pl - examples/redis-accounts.txt + examples/redis-accounts.example.txt examples/math_bench.pl examples/multisession-test.pl src/c-apps/Makefile diff --git a/examples/redis-accounts.example.txt.in b/examples/redis-accounts.example.txt.in new file mode 100644 index 0000000..4d5a6e9 --- /dev/null +++ b/examples/redis-accounts.example.txt.in 
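Review bot: The description on the renamed define still reads `[admin bus password]` in `AC_DEFINE_UNQUOTED([DEFAULT_BUS_PASS], ["$DEFAULT_BUS_PASS"], [admin bus password])`; it should become `[default bus password]` to match the account it now names. All four secrets, including the new DEFAULT_BUS_PASS, are read from `$(cat /proc/sys/kernel/random/uuid)`, which exists only on Linux, so on another platform or after a failed read the variable is empty and the substituted `ACL SETUSER default on >@DEFAULT_BUS_PASS@` line in the accounts file would carry an empty secret. A guard after the assignments such as `test -n "$DEFAULT_BUS_PASS" || AC_MSG_ERROR([could not generate a Redis password])` would stop configure at that point instead of producing an unusable accounts file.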
@@ -0,0 +1,31 @@
+
+SET comment "opensrf clients can perform all opensrf-level actions"
+SET COMMENT "opensrf accounts send requets to opensrf:router:* queues"
+SET COMMENT "opensrf accounts send replies to opensrf:client:* queues"
+SET COMMENT "opensrf accounts lpop requests from their opensrf:servivce: queue."
+SET COMMENT "TODO: separate Listener vs Drone accounts to prevent Drones / standalone clients from accessing opensrf:service:*"
+
+ACL SETUSER opensrf reset
+ACL SETUSER opensrf on >@OPENSRF_BUS_PASS@
+ACL SETUSER opensrf -@all +lpop +blpop +rpush +del ~opensrf:router:* ~opensrf:service:* ~opensrf:client:*
+
+SET comment "routers lpop requests from their own opensrf:router:* queues"
+SET comment "routers send requests to opensrf:service:* queues"
+SET comment "routers send replies to opensrf:client:* queues"
+
+ACL SETUSER router reset
+ACL SETUSER router on >@ROUTER_BUS_PASS@
+ACL SETUSER router -@all +lpop +blpop +rpush +del ~opensrf:router:* ~opensrf:service:* ~opensrf:client:*
+
+SET comment "gateway accounts send request to opensrf:router:* queues"
+SET comment "gateway accounts send subsequent, stateful requests to opensrf:client:* queues"
+
+ACL SETUSER gateway reset
+ACL SETUSER gateway on >@GATEWAY_BUS_PASS@
+ACL SETUSER gateway -@all +lpop +blpop +rpush +del ~opensrf:router:* ~opensrf:client:*
+
+SET comment "default can do anything"
+SET comment "set default password last so our logged-in account does not break mid-script"
+
+ACL SETUSER default resetpass
+ACL SETUSER default on >@DEFAULT_BUS_PASS@
diff --git a/examples/redis-accounts.txt.in b/examples/redis-accounts.txt.in
deleted file mode 100644
index a245528..0000000
--- a/examples/redis-accounts.txt.in
+++ /dev/null
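Review bot: The `DEL comment` cleanup at the end of the old file is gone, so each run now leaves string keys named `comment` and `COMMENT` in the Redis keyspace as a side effect of the `SET comment` / `SET COMMENT` pseudo-comments; ending the file with `DEL comment COMMENT` would remove both (the old file never cleaned up `COMMENT` either). Unlike the removed `admin` entry, which granted `+@all ~*` explicitly, the `default` entry relies on the server's built-in permissions for that user, so a redis.conf or ACL file that has already narrowed `default` would leave the reset script running with fewer rights than it assumes; adding `ACL SETUSER default +@all ~*` here, or stating the assumption in the header comment, makes that explicit. Nothing in the file persists the accounts on the server side, and the new comment in bin/opensrf-perl.pl.in acknowledges that `default` is password-less again after a Redis restart until this script is rerun; that window is worth noting in this file's comments as well, with a pointer to `ACL SAVE` where an aclfile is configured.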
@@ -1,39 +0,0 @@
-
-SET comment "opensrf clients can perform all opensrf-level actions"
-SET COMMENT "opensrf accounts send requets to opensrf:router:* queues"
-SET COMMENT "opensrf accounts send replies to opensrf:client:* queues"
-SET COMMENT "opensrf accounts lpop requests from their opensrf:servivce: queue."
-SET COMMENT "TODO: separate Listener vs Drone accounts to prevent Drones / standalone clients from accessing opensrf:service:*"
-
-ACL SETUSER opensrf reset
-ACL SETUSER opensrf on >@OPENSRF_BUS_PASS@
-ACL SETUSER opensrf -@all +lpop +blpop +rpush +del ~opensrf:router:* ~opensrf:service:* ~opensrf:client:*
-
-SET comment "routers lpop requests from their own opensrf:router:* queues"
-SET comment "routers send requests to opensrf:service:* queues"
-SET comment "routers send replies to opensrf:client:* queues"
-
-ACL SETUSER router reset
-ACL SETUSER router on >@ROUTER_BUS_PASS@
-ACL SETUSER router -@all +lpop +blpop +rpush +del ~opensrf:router:* ~opensrf:service:* ~opensrf:client:*
-
-SET comment "gateway accounts send request to opensrf:router:* queues"
-SET comment "gateway accounts send subsequent, stateful requests to opensrf:client:* queues"
-
-ACL SETUSER gateway reset
-ACL SETUSER gateway on >@GATEWAY_BUS_PASS@
-ACL SETUSER gateway -@all +lpop +blpop +rpush +del ~opensrf:router:* ~opensrf:client:*
-
-SET comment "admin can do anything"
-SET comment "avoid reseting admin since that would break the account mid-script"
-
-ACL SETUSER admin resetpass
-ACL SETUSER admin on >@ADMIN_BUS_PASS@
-ACL SETUSER admin +@all ~*
-
-SET comment "disable the 'default' passwordless account"
-
-ACL SETUSER default off
-
-DEL comment
-
diff --git a/src/Makefile.am b/src/Makefile.am
index 4ca5dea..8b9eb6b 100644
--- a/src/Makefile.am
+++ b/src/Makefile.am
@@ -34,7 +34,7 @@ if BUILDCORE
 MAYBE_CORE = libopensrf c-apps srfsh gateway perl websocket-stdio
 dist_bin_SCRIPTS = @top_srcdir@/bin/opensrf-perl.pl
 bin_SCRIPTS = @top_srcdir@/bin/osrf_config
-dist_sysconf_DATA = @top_srcdir@/examples/opensrf.xml.example @top_srcdir@/examples/opensrf_core.xml.example @top_srcdir@/examples/srfsh.xml.example @top_srcdir@/examples/redis-accounts.txt
+dist_sysconf_DATA = @top_srcdir@/examples/opensrf.xml.example @top_srcdir@/examples/opensrf_core.xml.example @top_srcdir@/examples/srfsh.xml.example @top_srcdir@/examples/redis-accounts.example.txt
 endif
 SUBDIRS = $(MAYBE_CORE) $(MAYBE_PY) $(MAYBE_JA)