From 4db224ff2f698c0bd03fe2a3344672a706454b94 Mon Sep 17 00:00:00 2001
From: Bill Erickson
Date: Thu, 11 May 2023 11:26:32 -0400
Subject: [PATCH] Use redis default account instead of admin / avoid clobber

Signed-off-by: Bill Erickson
---
 .gitignore | 2 +-
 README | 12 ++++-----
 bin/opensrf-perl.pl.in | 31 +++++++++++++++++-----
 configure.ac | 8 +++---
 ...counts.txt.in => redis-accounts.example.txt.in} | 16 +++-------
 src/Makefile.am | 2 +-
 6 files changed, 41 insertions(+), 30 deletions(-)
 rename examples/{redis-accounts.txt.in => redis-accounts.example.txt.in} (80%)

diff --git a/.gitignore b/.gitignore
index 216cb57..7203d9b 100644
--- a/.gitignore
+++ b/.gitignore
@@ -10,7 +10,7 @@ config.sub
 configure
 depcomp
 doc/dokuwiki-doc-stubber.pl
-examples/redis-accounts.txt
+examples/redis-accounts.example.txt
 examples/math_bench.pl
 examples/math_client.py
 examples/multisession-test.pl
diff --git a/README b/README
index 0e2601c..e7fbf6e 100644
--- a/README
+++ b/README
@@ -268,6 +268,7 @@ Updating the OpenSRF configuration files
 cd SYSCONFDIR
 cp opensrf_core.xml.example opensrf_core.xml
 cp opensrf.xml.example opensrf.xml
+cp redis-accounts.example.txt redis-accounts.txt
 ---------------------------------------------------------------------------
 +
 2. Edit the `SYSCONFDIR/opensrf_core.xml` file to update the four username
@@ -297,15 +298,14 @@ osrf_control --reset-message-bus + Accessing the Redis Command Line ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -The script which creates Redis OpenSRF accounts also disables the -'default' (password-less) Redis account for security reasons. To access -the Redis command line with full privileges, use the 'admin' user and -associated password from the SYSCONFDIR/redis-accounts.txt file. For -example: +The script which creates Redis OpenSRF accounts also applies a password +to the 'default' Redis account for security. To access the Redis +command line with full privileges, use the password for the 'default' +user from the SYSCONFDIR/redis-accounts.txt file. For example: + [source,bash] --------------------------------------------------------------------------- -REDISCLI_AUTH=f0d2ebcc-5a52-49e4-a910-a515144b4141 redis-cli --user admin +REDISCLI_AUTH=f0d2ebcc-5a52-49e4-a910-a515144b4141 redis-cli --------------------------------------------------------------------------- Starting and stopping OpenSRF services diff --git a/bin/opensrf-perl.pl.in b/bin/opensrf-perl.pl.in index 86f8148..8e0115b 100755 --- a/bin/opensrf-perl.pl.in +++ b/bin/opensrf-perl.pl.in 
@@ -621,26 +621,45 @@ sub do_reset_message_bus { my $routers = $conf->bootstrap->routers; - my $admin_pass = `grep 'ACL SETUSER admin on >' $opt_bus_accounts | cut -d'>' -f2`; + my $bus_pass = `grep 'ACL SETUSER default on >' $opt_bus_accounts | cut -d'>' -f2`; - chomp($admin_pass); + chomp($bus_pass); - die "No password for Redis 'admin' account found in $opt_bus_accounts\n" - unless $admin_pass; + die "No password for Redis 'default' account found in $opt_bus_accounts\n" + unless $bus_pass; # Redis prefers the password be passed via ENV. - $ENV{REDISCLI_AUTH} = $admin_pass; + $ENV{REDISCLI_AUTH} = $bus_pass; # Apply the bus accounts to all of our domains. for my $router (@{$conf->bootstrap->routers}) { my $domain = ref $router ? $router->{domain} : $router; my $port = $conf->bootstrap->port; + # The first time this script runs after installing / rebooting Redis, + # the 'default' account will have no password. Subsequent logins + # will use the password defined in our redis-accounts file. See if + # we can figure where we are... + my $login = `echo "exit" | redis-cli -h $domain -p $port 2>&1`; + + if ($login =~ /AUTH failed/) { + # Login failed. Clear the password. + delete $ENV{REDISCLI_AUTH}; + } else { + # Multiple OpenSRF domains may run on the same Redis instance. + # If so, make sure subsequent runs on the same redis instance + # use the just-applied password. In this case, our $login + # var above will be empty, becuase Redis will think we are + # trying to login with no authentication, and will later fail + # when we try to perform actions that are not allowed. + $ENV{REDISCLI_AUTH} = $bus_pass; + } + msg("Resetting bus accounts for domain $domain"); # Grep out some noise. Avoid piping to /dev/null so we can # see failures. - my $command = "redis-cli --user admin -h $domain -p $port | grep -v OK | grep -v ^1"; + my $command = "redis-cli -h $domain -p $port | grep -v OK | grep -v ^1"; system("cat $opt_bus_accounts | $command"); } 
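Review bot: The new probe's `if ($login =~ /AUTH failed/)` treats a wrong or stale password the same as the fresh-install case: redis-cli prefixes both the `WRONGPASS` reply and the `ERR AUTH <password> called without any password configured` reply with `AUTH failed:`, so a regenerated accounts file makes the script drop its credentials and pipe the whole file into an unauthenticated session, where every command is refused with NOAUTH while the loop carries on, since the `system` status on the last line is not checked (and cannot be, with `grep -v` as the pipeline tail). Narrowing the match to the no-password message and dying on any other non-empty probe output stops the run before it continues in a credential state it cannot explain; the rewritten branch is below. The new comment block has a typo, `becuase` → `because`, and would be clearer if it stated that an empty `$login` is the expected result whenever REDISCLI_AUTH is correct or unset, as redis-cli appears to send AUTH only when the variable is present. `do_reset_message_bus` begins before the hunk; the probe adds a second shell command line that interpolates `$domain` and `$port` unquoted, so those configuration values must remain trusted input.
```perl
        # … unchanged: $login probe …
        if ($login =~ /AUTH failed: .*without any password configured/) {
            # Fresh install / restart: 'default' has no password yet, so
            # log in without one and let the accounts file set it.
            delete $ENV{REDISCLI_AUTH};
        } elsif ($login =~ /\S/) {
            # WRONGPASS, connection refused, etc.  Stop rather than pipe
            # the accounts file into a session we do not understand.
            die "Unexpected redis-cli response from $domain:$port: $login";
        } else {
            # … unchanged: shared-instance comment …
            $ENV{REDISCLI_AUTH} = $bus_pass;
        }
```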
diff --git a/configure.ac b/configure.ac index b957aff..542ea75 100644 --- a/configure.ac +++ b/configure.ac @@ -56,17 +56,17 @@ AC_SUBST(bindir) OPENSRF_BUS_PASS=$(cat /proc/sys/kernel/random/uuid) GATEWAY_BUS_PASS=$(cat /proc/sys/kernel/random/uuid) ROUTER_BUS_PASS=$(cat /proc/sys/kernel/random/uuid) -ADMIN_BUS_PASS=$(cat /proc/sys/kernel/random/uuid) +DEFAULT_BUS_PASS=$(cat /proc/sys/kernel/random/uuid) AC_DEFINE_UNQUOTED([OPENSRF_BUS_PASS], ["$OPENSRF_BUS_PASS"], [opensrf bus password]) AC_DEFINE_UNQUOTED([GATEWAY_BUS_PASS], ["$GATEWAY_BUS_PASS"], [gateway bus password]) AC_DEFINE_UNQUOTED([ROUTER_BUS_PASS], ["$ROUTER_BUS_PASS"], [router bus password]) -AC_DEFINE_UNQUOTED([ADMIN_BUS_PASS], ["$ADMIN_BUS_PASS"], [admin bus password]) +AC_DEFINE_UNQUOTED([DEFAULT_BUS_PASS], ["$DEFAULT_BUS_PASS"], [admin bus password]) AC_SUBST([OPENSRF_BUS_PASS]) AC_SUBST([GATEWAY_BUS_PASS]) AC_SUBST([ROUTER_BUS_PASS]) -AC_SUBST([ADMIN_BUS_PASS]) +AC_SUBST([DEFAULT_BUS_PASS]) #------------------------------- # Installation options @@ -336,7 +336,7 @@ if test "x$OSRF_INSTALL_CORE" = "xtrue"; then #------------------------------------ AC_CONFIG_FILES([doc/dokuwiki-doc-stubber.pl - examples/redis-accounts.txt + examples/redis-accounts.example.txt examples/math_bench.pl examples/multisession-test.pl src/c-apps/Makefile diff --git a/examples/redis-accounts.txt.in b/examples/redis-accounts.example.txt.in similarity index 80% rename from examples/redis-accounts.txt.in rename to examples/redis-accounts.example.txt.in index a245528..4d5a6e9 100644 --- a/examples/redis-accounts.txt.in +++ b/examples/redis-accounts.example.txt.in 
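Review bot: The description argument of the renamed `AC_DEFINE_UNQUOTED([DEFAULT_BUS_PASS], ["$DEFAULT_BUS_PASS"], [admin bus password])` still names the old account, so the generated config header will document the new symbol as the admin password; change it to `[default bus password]`. Nothing else in the hunk still refers to the admin account.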
@@ -24,16 +24,8 @@ ACL SETUSER gateway reset ACL SETUSER gateway on >@GATEWAY_BUS_PASS@ ACL SETUSER gateway -@all +lpop +blpop +rpush +del ~opensrf:router:* ~opensrf:client:* -SET comment "admin can do anything" -SET comment "avoid reseting admin since that would break the account mid-script" - -ACL SETUSER admin resetpass -ACL SETUSER admin on >@ADMIN_BUS_PASS@ -ACL SETUSER admin +@all ~* - -SET comment "disable the 'default' passwordless account" - -ACL SETUSER default off - -DEL comment +SET comment "default can do anything" +SET comment "set default password last so our logged-in account does not break mid-script" +ACL SETUSER default resetpass +ACL SETUSER default on >@DEFAULT_BUS_PASS@ diff --git a/src/Makefile.am b/src/Makefile.am index 4ca5dea..8b9eb6b 100644 --- a/src/Makefile.am +++ b/src/Makefile.am @@ -34,7 +34,7 @@ if BUILDCORE MAYBE_CORE = libopensrf c-apps srfsh gateway perl websocket-stdio dist_bin_SCRIPTS = @top_srcdir@/bin/opensrf-perl.pl bin_SCRIPTS = @top_srcdir@/bin/osrf_config -dist_sysconf_DATA = @top_srcdir@/examples/opensrf.xml.example @top_srcdir@/examples/opensrf_core.xml.example @top_srcdir@/examples/srfsh.xml.example @top_srcdir@/examples/redis-accounts.txt +dist_sysconf_DATA = @top_srcdir@/examples/opensrf.xml.example @top_srcdir@/examples/opensrf_core.xml.example @top_srcdir@/examples/srfsh.xml.example @top_srcdir@/examples/redis-accounts.example.txt endif SUBDIRS = $(MAYBE_CORE) $(MAYBE_PY) $(MAYBE_JA) -- 2.11.0
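Review bot: The new tail of the file drops the `DEL comment` that the removed block ended with, so after a reset the `comment` key remains in the keyspace holding the last `SET comment` text; reinsert `DEL comment` immediately before `ACL SETUSER default resetpass`, which keeps the password change last as the new comment line intends. The removed `admin` block granted `+@all ~*` explicitly, whereas the replacement relies on whatever permissions `default` currently has; if the user has ever been narrowed on that instance, the reset will not restore the "default can do anything" state the comment and README describe, so an explicit `ACL SETUSER default +@all ~*` before the password line would make the intended state unambiguous.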