From: Bill Erickson Date: Thu, 11 May 2023 15:03:51 +0000 (-0400) Subject: Bus reset uses admin account; disable default X-Git-Url: https://old-git.evergreen-ils.org/?a=commitdiff_plain;h=a7bc239523aa7bf767fcd143755951da63a42c70;p=working%2FOpenSRF.git Bus reset uses admin account; disable default Signed-off-by: Bill Erickson
---
diff --git a/bin/opensrf-perl.pl.in b/bin/opensrf-perl.pl.in
index 9103b8c..86f8148 100755
--- a/bin/opensrf-perl.pl.in
+++ b/bin/opensrf-perl.pl.in
@@ -621,16 +621,28 @@ sub do_reset_message_bus {
 my $routers = $conf->bootstrap->routers;
- # TODO pull logins for all clients in the conf, including
- # gateway and router.
- for my $router (@{$conf->bootstrap->routers}) {
+ my $admin_pass = `grep 'ACL SETUSER admin on >' $opt_bus_accounts | cut -d'>' -f2`;
+
+ chomp($admin_pass);
+
+ die "No password for Redis 'admin' account found in $opt_bus_accounts\n"
+ unless $admin_pass;
+ # Redis prefers the password be passed via ENV.
+ $ENV{REDISCLI_AUTH} = $admin_pass;
+
+ # Apply the bus accounts to all of our domains.
+ for my $router (@{$conf->bootstrap->routers}) {
 my $domain = ref $router ? $router->{domain} : $router;
 my $port = $conf->bootstrap->port;
 msg("Resetting bus accounts for domain $domain");
- system("cat $opt_bus_accounts | redis-cli -h $domain -p $port > /dev/null");
+ # Grep out some noise. Avoid piping to /dev/null so we can
+ # see failures.
+ my $command = "redis-cli --user admin -h $domain -p $port | grep -v OK | grep -v ^1";
+
+ system("cat $opt_bus_accounts | $command");
 }
 }
diff --git a/examples/redis-accounts.txt.in b/examples/redis-accounts.txt.in
index bc98edf..04198a7 100644
--- a/examples/redis-accounts.txt.in
+++ b/examples/redis-accounts.txt.in
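Review bot: The admin password lookup interpolates `$opt_bus_accounts` unquoted into a backtick shell pipeline, so a path containing spaces or shell metacharacters is parsed by the shell, and `cut -d'>' -f2` silently truncates any password that itself contains `>`; the same unquoted interpolation recurs in the `system("cat $opt_bus_accounts | $command")` line. Reading the accounts file in Perl avoids the shell for the lookup and keeps the whole password. `$ENV{REDISCLI_AUTH}` is also assigned process-wide, so the admin credential is inherited by every child process started afterwards; `local $ENV{REDISCLI_AUTH}` would scope it to this sub. The return value of `system` is still unchecked and the pipeline's status is that of the last `grep`, so a failed `redis-cli` only shows up as text on the terminal. do_reset_message_bus begins above the hunk.

```perl
    # … unchanged: my $routers = $conf->bootstrap->routers; …
    my $admin_pass;
    open(my $acct_fh, '<', $opt_bus_accounts)
        or die "Cannot read $opt_bus_accounts: $!\n";
    while (my $line = <$acct_fh>) {
        if ($line =~ /ACL SETUSER admin on >(\S+)/) {
            $admin_pass = $1;
            last;
        }
    }
    close($acct_fh);

    die "No password for Redis 'admin' account found in $opt_bus_accounts\n"
        unless defined $admin_pass && length $admin_pass;

    # Scope the credential to this sub so later child processes do not inherit it.
    local $ENV{REDISCLI_AUTH} = $admin_pass;
    # … unchanged: loop over routers, msg() and redis-cli invocation …
```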
@@ -25,12 +25,12 @@ ACL SETUSER gateway on >@GATEWAY_BUS_PASS@
 ACL SETUSER gateway -@all +lpop +blpop +rpush +del ~opensrf:router:* ~opensrf:client:*
 SET comment "admin can do anything"
+SET comment "avoid reseting admin since that would break the account mid-script"
-ACL SETUSER admin reset
 ACL SETUSER admin on >@ADMIN_BUS_PASS@
 ACL SETUSER admin +@all ~*
-SET comment "disable the 'default' account"
+SET comment "disable the 'default' passwordless account"
 ACL SETUSER default off
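Review bot: With `ACL SETUSER admin reset` removed, re-applying this file only appends `>@ADMIN_BUS_PASS@` to the admin account's password list, because the `>` rule adds a password rather than replacing the set; an admin password configured by an earlier run therefore stays valid after a rotation. If that trade-off is intended, the comment should state it, for example `SET comment "admin is not reset; earlier admin passwords stay valid until removed explicitly"`. Putting both rules in one command, `ACL SETUSER admin resetpass >@ADMIN_BUS_PASS@`, may close that gap without the mid-script break, but this should be confirmed against the Redis version in use. The added comment also misspells "resetting".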