Merge pull request #33 from samply/feature/localDatamanagementPasswordGeneration

Added Generation of local Datamanagement Password to Install Script
This commit is contained in:
Pierre Delpy 2022-11-03 16:35:57 +01:00 committed by GitHub
commit d49b4521b0
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
5 changed files with 23 additions and 139 deletions

131
README.md
View File

@ -204,141 +204,22 @@ To shutdown the bridgehead just run.
/srv/docker/bridgehead/bridgehead stop <Project> /srv/docker/bridgehead/bridgehead stop <Project>
``` ```
### Systemd service configuration ### Local Datamanagement Security
For a server, we highly recommend that you install the system units for managing the bridgehead, provided by us. You can do this by executing the [bridgehead](./bridgehead) script: For a server, we highly recommend that you install the system units for managing the bridgehead, provided by us. You can do this by executing the [bridgehead](./bridgehead) script:
``` shell ``` shell
sudo /srv/docker/bridgehead/bridgehead install <Project> sudo /srv/docker/bridgehead/bridgehead install <Project>
``` ```
This will install the systemd units to run and update the bridghead. This will install the systemd units to run and update the bridghead. Also, this will generate a user and password for accessing the LDM. This will be shown only the first time you install the bridgehead.
Finally, you need to configure your sites secrets. These are places as configuration for each bridgehead system unit. Refer to the section for your specific project:
For Every project you need to set the proxy this way, if you have one. This is done with the ```systemctl edit``` comand.
``` shell
sudo systemctl edit bridgehead@<project>.service;
sudo systemctl edit bridgehead-update@<project>.service;
```
``` conf
[Service]
Environment=http_proxy=<proxy-url>
Environment=https_proxy=<proxy-url>
```
There a further configurations for each project.
#### CCP(DKTK/C4)
For the federate search please follow the basic auth configuration step.
### DKTK/C4
You can create the site specific configuration with:
This will open your default editor allowing you to edit the docker system units configuration. Insert the following lines in the editor and define your machines secrets. You share some of the ID-Management secrets with the central patientlist (Mainz) and controlnumbergenerator (Frankfurt). Refer to the ["Configuration" section](#configuration) for this.
``` conf
[Service]
Environment=http_proxy=
Environment=https_proxy=
```
To make the configuration effective, you need to tell systemd to reload the configuration and restart the docker service:
``` shell
sudo systemctl daemon-reload;
sudo systemctl bridgehead@ccp.service;
```
You can create the site specific configuration with:
``` shell
sudo systemctl edit bridgehead@c4.service;
```
This will open your default editor allowing you to edit the docker system units configuration. Insert the following lines in the editor and define your machines secrets. You share some of the ID-Management secrets with the central patientlist (Mainz) and controlnumbergenerator (Frankfurt). Refer to the ["Configuration" section](#configuration) for this.
``` conf
[Service]
Environment=http_proxy=
Environment=https_proxy=
Environment=HOSTIP=
Environment=HOST=
Environment=HTTP_PROXY_USER=
Environment=HTTP_PROXY_PASSWORD=
Environment=HTTPS_PROXY_USER=
Environment=HTTPS_PROXY_PASSWORD=
Environment=CONNECTOR_POSTGRES_PASS=
Environment=ML_DB_PASS=
Environment=MAGICPL_API_KEY=
Environment=MAGICPL_MAINZELLISTE_API_KEY=
Environment=MAGICPL_API_KEY_CONNECTOR=
Environment=MAGICPL_MAINZELLISTE_CENTRAL_API_KEY=
Environment=MAGICPL_CENTRAL_API_KEY=
Environment=MAGICPL_OIDC_CLIENT_ID=
Environment=MAGICPL_OIDC_CLIENT_SECRET=
```
To make the configuration effective, you need to tell systemd to reload the configuration and restart the docker service:
``` shell
sudo systemctl daemon-reload;
sudo systemctl bridgehead@c4.service;
```
### GBA/BBMRI-ERIC
You can create the site specific configuration with:
``` shell
sudo systemctl edit bridgehead@gbn.service;
```
This will open your default editor allowing you to edit the docker system units configuration. Insert the following lines in the editor and define your machines secrets.
``` conf
[Service]
Environment=HOSTIP=
Environment=HOST=
Environment=HTTP_PROXY_USER=
Environment=HTTP_PROXY_PASSWORD=
Environment=HTTPS_PROXY_USER=
Environment=HTTPS_PROXY_PASSWORD=
Environment=CONNECTOR_POSTGRES_PASS=
```
To make the configuration effective, you need to tell systemd to reload the configuration and restart the docker service:
``` shell
sudo systemctl daemon-reload;
sudo systemctl bridgehead@gbn.service;
```
## Configuration
### Basic Auth ### Basic Auth
For Data protection we use basic authenfication for some services. To access those services you need an username and password combination. If you start the bridgehead without basic auth, then those services are not accesbile. We provide a script which set the needed config for you, just run the script and follow the instructions. For Data protection we use basic authentification for some services. To access those services you need an username and password combination.
Caution: If you start the bridgehead without the authentification, then those services are not accessible.
We generate such a combination at the first install (`/etc/bridgehead/<Project>.local.conf`).
``` shell ## Configuration
add_user.sh
```
The result needs to be set in either in the systemd service or in your console.
#### Console
When just running the bridgehead you need to export the auth variable. Be aware that this export is only for the current session in the environment and after exit it will not be accessible anymore.
``` shell
export bc_auth_user=<output>
```
Cation: you need to escape occrring dollar signs.
#### systemd #### systemd

View File

@ -21,7 +21,7 @@ services:
- "traefik.http.routers.dashboard.service=api@internal" - "traefik.http.routers.dashboard.service=api@internal"
- "traefik.http.routers.dashboard.tls=true" - "traefik.http.routers.dashboard.tls=true"
- "traefik.http.routers.dashboard.middlewares=auth" - "traefik.http.routers.dashboard.middlewares=auth"
- "traefik.http.middlewares.auth.basicauth.users=${bc_auth_users}" - "traefik.http.middlewares.auth.basicauth.users=${LDM_LOGIN}"
ports: ports:
- 80:80 - 80:80
- 443:443 - 443:443
@ -65,7 +65,7 @@ services:
- "blaze-data:/app/data" - "blaze-data:/app/data"
labels: labels:
- "traefik.enable=true" - "traefik.enable=true"
- "traefik.http.middlewares.ccp-auth.basicauth.users=${bc_auth_users}" - "traefik.http.middlewares.ccp-auth.basicauth.users=${LDM_LOGIN}"
- "traefik.http.routers.blaze_ccp.rule=PathPrefix(`/bbmri-localdatamanagement`)" - "traefik.http.routers.blaze_ccp.rule=PathPrefix(`/bbmri-localdatamanagement`)"
- "traefik.http.middlewares.ccp_b_strip.stripprefix.prefixes=/bbmri-localdatamanagement" - "traefik.http.middlewares.ccp_b_strip.stripprefix.prefixes=/bbmri-localdatamanagement"
- "traefik.http.services.blaze_ccp.loadbalancer.server.port=8080" - "traefik.http.services.blaze_ccp.loadbalancer.server.port=8080"

View File

@ -21,7 +21,7 @@ services:
- "traefik.http.routers.dashboard.service=api@internal" - "traefik.http.routers.dashboard.service=api@internal"
- "traefik.http.routers.dashboard.tls=true" - "traefik.http.routers.dashboard.tls=true"
- "traefik.http.routers.dashboard.middlewares=auth" - "traefik.http.routers.dashboard.middlewares=auth"
- "traefik.http.middlewares.auth.basicauth.users=${bc_auth_users}" - "traefik.http.middlewares.auth.basicauth.users=${LDM_LOGIN}"
ports: ports:
- 80:80 - 80:80
- 443:443 - 443:443
@ -65,7 +65,7 @@ services:
- "blaze-data:/app/data" - "blaze-data:/app/data"
labels: labels:
- "traefik.enable=true" - "traefik.enable=true"
- "traefik.http.middlewares.ccp-auth.basicauth.users=${bc_auth_users}" - "traefik.http.middlewares.ccp-auth.basicauth.users=${LDM_LOGIN}"
- "traefik.http.routers.blaze_ccp.rule=PathPrefix(`/ccp-localdatamanagement`)" - "traefik.http.routers.blaze_ccp.rule=PathPrefix(`/ccp-localdatamanagement`)"
- "traefik.http.middlewares.ccp_b_strip.stripprefix.prefixes=/ccp-localdatamanagement" - "traefik.http.middlewares.ccp_b_strip.stripprefix.prefixes=/ccp-localdatamanagement"
- "traefik.http.services.blaze_ccp.loadbalancer.server.port=8080" - "traefik.http.services.blaze_ccp.loadbalancer.server.port=8080"

View File

@ -1,10 +0,0 @@
#!/bin/bash -e
source lib/functions.sh
log "INFO" "This script add's a user with password to the bridghead"
read -p 'Username: ' bc_user
read -sp 'Password: ' bc_password
log "INFO" "\nPlease export the line in the your environment. Please replace the dollar signs with with \\\$"
docker run --rm -it httpd:latest htpasswd -nb $bc_user $bc_password

View File

@ -33,6 +33,19 @@ Cmnd_Alias BRIDGEHEAD${PROJECT^^} = \\
bridgehead ALL= NOPASSWD: BRIDGEHEAD${PROJECT^^} bridgehead ALL= NOPASSWD: BRIDGEHEAD${PROJECT^^}
EOF EOF
# TODO: Determine wether this should be located in setup-bridgehead (triggered through bridgehead install) or in update bridgehead (triggered every hour)
if [ -z "$LDM_LOGIN" ]; then
log "INFO" "Now generating a password for the local datamangement. Please safe the password for your ETL process!"
generated_passwd="$(cat /proc/sys/kernel/random/uuid | sed 's/[-]//g' | head -c 20)"
log "INFO" "Your generated credentials are:\n user: $PROJECT\n password: $generated_passwd"
parsed_passwd=$(docker run --rm -it httpd:latest htpasswd -nb $PROJECT $generated_passwd | tr -d '\n' | tr -d '\r')
printf "##Localdatamanagement basic auth\n#User: $PROJECT\n#Password: $generated_passwd\n" >> /etc/bridgehead/${PROJECT}.local.conf;
log "INFO" "These credentials are now written to /etc/bridgehead/${PROJECT}.local.conf"
echo -n "LDM_LOGIN='${parsed_passwd}'" >> /etc/bridgehead/${PROJECT}.local.conf;
fi
log "INFO" "Register system units for bridgehead and bridgehead-update" log "INFO" "Register system units for bridgehead and bridgehead-update"
cp -v \ cp -v \
lib/systemd/bridgehead\@.service \ lib/systemd/bridgehead\@.service \