From 0e10205f1a97179a002b650f4eb31604860ccd5b Mon Sep 17 00:00:00 2001 From: Torben Brenner Date: Tue, 25 Oct 2022 15:30:14 +0200 Subject: [PATCH 1/4] fix: LDM Password is now generated at Installation --- lib/setup-bridgehead-units.sh | 13 +++++++++++++ 1 file changed, 13 insertions(+) diff --git a/lib/setup-bridgehead-units.sh b/lib/setup-bridgehead-units.sh index 57f7df5..f99bab0 100755 --- a/lib/setup-bridgehead-units.sh +++ b/lib/setup-bridgehead-units.sh @@ -33,6 +33,19 @@ Cmnd_Alias BRIDGEHEAD${PROJECT^^} = \\ bridgehead ALL= NOPASSWD: BRIDGEHEAD${PROJECT^^} EOF +log "INFO" "Now generating a password for the local datamangement. Please safe the password for your ETL process!" +generated_passwd="$(cat /proc/sys/kernel/random/uuid | sed 's/[-]//g' | head -c 20)" + +log "INFO" "Your generated credentials are:\n user: $PROJECT\n password: $generated_passwd" +parsed_passwd=$(docker run --rm -it httpd:latest htpasswd -nb $PROJECT $generated_passwd) + +mkdir /etc/systemd/system/bridgehead@${PROJECT}.service.d +cat < /etc/systemd/system/bridgehead@${PROJECT}.service.d/environment.conf +[Service] +Environment=bc_auth_users=${parsed_passwd} +EOF + + log "INFO" "Register system units for bridgehead and bridgehead-update" cp -v \ lib/systemd/bridgehead\@.service \ From ee3ea2b51416cbd2bf3c58dc333cea977cfb3e3e Mon Sep 17 00:00:00 2001 From: Patrick Skowronek Date: Wed, 26 Oct 2022 10:42:07 +0200 Subject: [PATCH 2/4] Updated README --- README.md | 129 +++++------------------------------------------------- 1 file changed, 12 insertions(+), 117 deletions(-) diff --git a/README.md b/README.md index 055a008..06ffcea 100644 --- a/README.md +++ b/README.md 
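Review bot: The line `parsed_passwd=$(docker run --rm -it httpd:latest htpasswd -nb $PROJECT $generated_passwd)` hands the freshly generated password over as a command-line argument, so for the lifetime of the container it is visible to every local user through `ps`/`/proc/*/cmdline` and through `docker inspect`, and `htpasswd -nb` without `-B` emits the apr1-MD5 scheme rather than bcrypt. Feeding the secret over stdin avoids the argv exposure and lets you pick bcrypt, which Traefik's basicauth accepts: `parsed_passwd=$(printf '%s' "$generated_passwd" | docker run --rm -i httpd:latest htpasswd -niB "$PROJECT")`. The `-t` is unnecessary for a non-interactive command and makes `docker run` fail whenever the script runs without a TTY. The enclosing script continues outside the hunk.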
@@ -204,141 +204,36 @@ To shutdown the bridgehead just run. /srv/docker/bridgehead/bridgehead stop ``` -### Systemd service configuration +### Local Datamanagement Security For a server, we highly recommend that you install the system units for managing the bridgehead, provided by us. You can do this by executing the [bridgehead](./bridgehead) script: ``` shell sudo /srv/docker/bridgehead/bridgehead install ``` -This will install the systemd units to run and update the bridghead. - -Finally, you need to configure your sites secrets. These are places as configuration for each bridgehead system unit. Refer to the section for your specific project: - -For Every project you need to set the proxy this way, if you have one. This is done with the ```systemctl edit``` comand. - -``` shell -sudo systemctl edit bridgehead@.service; -sudo systemctl edit bridgehead-update@.service; -``` - -``` conf -[Service] -Environment=http_proxy= -Environment=https_proxy= -``` - -There a further configurations for each project. - -#### CCP(DKTK/C4) - -For the federate search please follow the basic auth configuration step. - -### DKTK/C4 - -You can create the site specific configuration with: - - -This will open your default editor allowing you to edit the docker system units configuration. Insert the following lines in the editor and define your machines secrets. You share some of the ID-Management secrets with the central patientlist (Mainz) and controlnumbergenerator (Frankfurt). Refer to the ["Configuration" section](#configuration) for this. 
- -``` conf -[Service] -Environment=http_proxy= -Environment=https_proxy= -``` - -To make the configuration effective, you need to tell systemd to reload the configuration and restart the docker service: - -``` shell -sudo systemctl daemon-reload; -sudo systemctl bridgehead@ccp.service; -``` - -You can create the site specific configuration with: - -``` shell -sudo systemctl edit bridgehead@c4.service; -``` - -This will open your default editor allowing you to edit the docker system units configuration. Insert the following lines in the editor and define your machines secrets. You share some of the ID-Management secrets with the central patientlist (Mainz) and controlnumbergenerator (Frankfurt). Refer to the ["Configuration" section](#configuration) for this. - -``` conf -[Service] -Environment=http_proxy= -Environment=https_proxy= -Environment=HOSTIP= -Environment=HOST= -Environment=HTTP_PROXY_USER= -Environment=HTTP_PROXY_PASSWORD= -Environment=HTTPS_PROXY_USER= -Environment=HTTPS_PROXY_PASSWORD= -Environment=CONNECTOR_POSTGRES_PASS= -Environment=ML_DB_PASS= -Environment=MAGICPL_API_KEY= -Environment=MAGICPL_MAINZELLISTE_API_KEY= -Environment=MAGICPL_API_KEY_CONNECTOR= -Environment=MAGICPL_MAINZELLISTE_CENTRAL_API_KEY= -Environment=MAGICPL_CENTRAL_API_KEY= -Environment=MAGICPL_OIDC_CLIENT_ID= -Environment=MAGICPL_OIDC_CLIENT_SECRET= -``` - -To make the configuration effective, you need to tell systemd to reload the configuration and restart the docker service: - -``` shell -sudo systemctl daemon-reload; -sudo systemctl bridgehead@c4.service; -``` -### GBA/BBMRI-ERIC - -You can create the site specific configuration with: - -``` shell -sudo systemctl edit bridgehead@gbn.service; -``` - -This will open your default editor allowing you to edit the docker system units configuration. Insert the following lines in the editor and define your machines secrets. 
- -``` conf -[Service] -Environment=HOSTIP= -Environment=HOST= -Environment=HTTP_PROXY_USER= -Environment=HTTP_PROXY_PASSWORD= -Environment=HTTPS_PROXY_USER= -Environment=HTTPS_PROXY_PASSWORD= -Environment=CONNECTOR_POSTGRES_PASS= -``` - -To make the configuration effective, you need to tell systemd to reload the configuration and restart the docker service: - -``` shell -sudo systemctl daemon-reload; -sudo systemctl bridgehead@gbn.service; -``` - -## Configuration +This will install the systemd units to run and update the bridghead. Also, this will generate a user and password for accessing the LDM. This will be shown only the first time you install the bridgehead. ### Basic Auth -For Data protection we use basic authenfication for some services. To access those services you need an username and password combination. If you start the bridgehead without basic auth, then those services are not accesbile. We provide a script which set the needed config for you, just run the script and follow the instructions. +For Data protection we use basic authenfication for some services. To access those services you need an username and password combination. +Cation: If you start the bridgehead without the authenfication, then those services are not accesbile. +We generate such a combination at the first install. Also, we provide a script which generates such a combination for you. ``` shell add_user.sh ``` -The result needs to be set in either in the systemd service or in your console. +The script will print the hashed user password combination. Please put the combination to the ```/etc/bridgehead/.local.conf``` +It should look like this -#### Console - -When just running the bridgehead you need to export the auth variable. Be aware that this export is only for the current session in the environment and after exit it will not be accessible anymore. - -``` shell -export bc_auth_user= +```conf +LDM_Password=':$...$.....$...............' 
``` -Cation: you need to escape occrring dollar signs. +You can use the ```add_bc_auth_user.sh``` script to generate an another user and add it to the ```.local.conf``` wiht comma seperation. + +## Configuration #### systemd From ce386f5a2a156f41ea371d3e5262ea601c717b15 Mon Sep 17 00:00:00 2001 From: Torben Brenner Date: Wed, 26 Oct 2022 10:48:55 +0200 Subject: [PATCH 3/4] fix: Moved LDM Password to /etc/bridgehead --- ccp/docker-compose.yml | 4 ++-- lib/setup-bridgehead-units.sh | 19 +++++++++---------- 2 files changed, 11 insertions(+), 12 deletions(-) diff --git a/ccp/docker-compose.yml b/ccp/docker-compose.yml index 3074f31..dfc7d34 100644 --- a/ccp/docker-compose.yml +++ b/ccp/docker-compose.yml @@ -21,7 +21,7 @@ services: - "traefik.http.routers.dashboard.service=api@internal" - "traefik.http.routers.dashboard.tls=true" - "traefik.http.routers.dashboard.middlewares=auth" - - "traefik.http.middlewares.auth.basicauth.users=${bc_auth_users}" + - "traefik.http.middlewares.auth.basicauth.users=${LDM_LOGIN}" ports: - 80:80 - 443:443 @@ -65,7 +65,7 @@ services: - "blaze-data:/app/data" labels: - "traefik.enable=true" - - "traefik.http.middlewares.ccp-auth.basicauth.users=${bc_auth_users}" + - "traefik.http.middlewares.ccp-auth.basicauth.users=${LDM_LOGIN}" - "traefik.http.routers.blaze_ccp.rule=PathPrefix(`/ccp-localdatamanagement`)" - "traefik.http.middlewares.ccp_b_strip.stripprefix.prefixes=/ccp-localdatamanagement" - "traefik.http.services.blaze_ccp.loadbalancer.server.port=8080" diff --git a/lib/setup-bridgehead-units.sh b/lib/setup-bridgehead-units.sh index f99bab0..7518f3a 100755 --- a/lib/setup-bridgehead-units.sh +++ b/lib/setup-bridgehead-units.sh 
@@ -33,18 +33,17 @@ Cmnd_Alias BRIDGEHEAD${PROJECT^^} = \\ bridgehead ALL= NOPASSWD: BRIDGEHEAD${PROJECT^^} EOF -log "INFO" "Now generating a password for the local datamangement. Please safe the password for your ETL process!" -generated_passwd="$(cat /proc/sys/kernel/random/uuid | sed 's/[-]//g' | head -c 20)" +# TODO: Determine wether this should be located in setup-bridgehead (triggered through bridgehead install) or in update bridgehead (triggered every hour) +if [ -z "$LDM_LOGIN" ]; then + log "INFO" "Now generating a password for the local datamangement. Please safe the password for your ETL process!" + generated_passwd="$(cat /proc/sys/kernel/random/uuid | sed 's/[-]//g' | head -c 20)" -log "INFO" "Your generated credentials are:\n user: $PROJECT\n password: $generated_passwd" -parsed_passwd=$(docker run --rm -it httpd:latest htpasswd -nb $PROJECT $generated_passwd) - -mkdir /etc/systemd/system/bridgehead@${PROJECT}.service.d -cat < /etc/systemd/system/bridgehead@${PROJECT}.service.d/environment.conf -[Service] -Environment=bc_auth_users=${parsed_passwd} -EOF + log "INFO" "Your generated credentials are:\n user: $PROJECT\n password: $generated_passwd" + parsed_passwd=$(docker run --rm -it httpd:latest htpasswd -nb $PROJECT $generated_passwd | tr -d '\n') + log "INFO" "These credentials are now written to /etc/bridgehead/${PROJECT}.local.conf" + echo "LDM_LOGIN='${parsed_passwd}'" >> /etc/bridgehead/${PROJECT}.local.conf; +fi log "INFO" "Register system units for bridgehead and bridgehead-update" cp -v \ From 7ea5e928fcf81f693b7e1e7bcd95b4b4bdcf8233 Mon Sep 17 00:00:00 2001 From: "p.delpy@dkfz-heidelberg.de" Date: Thu, 3 Nov 2022 09:26:01 +0100 Subject: [PATCH 4/4] Removed add_bc_user.sh --- README.md | 20 +++----------------- bbmri/docker-compose.yml | 4 ++-- lib/add_bc_user.sh | 10 ---------- lib/setup-bridgehead-units.sh | 5 +++-- 4 files changed, 8 insertions(+), 31 deletions(-) delete mode 100755 lib/add_bc_user.sh 
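Review bot: Inside the new `if [ -z "$LDM_LOGIN" ]` branch the result of `docker run ... htpasswd ... | tr -d '\n'` is appended to `/etc/bridgehead/${PROJECT}.local.conf` without ever being checked; if `docker run` fails (image pull error, or `-t` with no TTY attached, which the TODO above makes plausible for the hourly update path) `parsed_passwd` is empty and the script persists `LDM_LOGIN=''`, leaving the LDM behind a basicauth middleware with no valid user while each later run appends yet another line. The trailing `tr` also masks docker's exit status, so even `set -e` (if the script uses it, not visible here) would not catch it. Drop `-t` and guard the value before writing: `[ -n "$parsed_passwd" ] || { log "ERROR" "htpasswd failed, no LDM credentials written"; exit 1; }`. The enclosing script continues outside the hunk.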
diff --git a/README.md b/README.md index 06ffcea..0e4c762 100644 --- a/README.md +++ b/README.md @@ -215,23 +215,9 @@ This will install the systemd units to run and update the bridghead. Also, this ### Basic Auth -For Data protection we use basic authenfication for some services. To access those services you need an username and password combination. -Cation: If you start the bridgehead without the authenfication, then those services are not accesbile. -We generate such a combination at the first install. Also, we provide a script which generates such a combination for you. - -``` shell -add_user.sh -``` - -The script will print the hashed user password combination. Please put the combination to the ```/etc/bridgehead/.local.conf``` - -It should look like this - -```conf -LDM_Password=':$...$.....$...............' -``` - -You can use the ```add_bc_auth_user.sh``` script to generate an another user and add it to the ```.local.conf``` wiht comma seperation. +For Data protection we use basic authentification for some services. To access those services you need an username and password combination. +Caution: If you start the bridgehead without the authentification, then those services are not accessible. +We generate such a combination at the first install (`/etc/bridgehead/.local.conf`). ## Configuration diff --git a/bbmri/docker-compose.yml b/bbmri/docker-compose.yml index ee35119..4188714 100644 --- a/bbmri/docker-compose.yml +++ b/bbmri/docker-compose.yml @@ -21,7 +21,7 @@ services: - "traefik.http.routers.dashboard.service=api@internal" - "traefik.http.routers.dashboard.tls=true" - "traefik.http.routers.dashboard.middlewares=auth" - - "traefik.http.middlewares.auth.basicauth.users=${bc_auth_users}" + - "traefik.http.middlewares.auth.basicauth.users=${LDM_LOGIN}" ports: - 80:80 - 443:443 
@@ -65,7 +65,7 @@ services: - "blaze-data:/app/data" labels: - "traefik.enable=true" - - "traefik.http.middlewares.ccp-auth.basicauth.users=${bc_auth_users}" + - "traefik.http.middlewares.ccp-auth.basicauth.users=${LDM_LOGIN}" - "traefik.http.routers.blaze_ccp.rule=PathPrefix(`/bbmri-localdatamanagement`)" - "traefik.http.middlewares.ccp_b_strip.stripprefix.prefixes=/bbmri-localdatamanagement" - "traefik.http.services.blaze_ccp.loadbalancer.server.port=8080" diff --git a/lib/add_bc_user.sh b/lib/add_bc_user.sh deleted file mode 100755 index 8185658..0000000 --- a/lib/add_bc_user.sh +++ /dev/null @@ -1,10 +0,0 @@ -#!/bin/bash -e -source lib/functions.sh - -log "INFO" "This script add's a user with password to the bridghead" - -read -p 'Username: ' bc_user -read -sp 'Password: ' bc_password - -log "INFO" "\nPlease export the line in the your environment. Please replace the dollar signs with with \\\$" -docker run --rm -it httpd:latest htpasswd -nb $bc_user $bc_password diff --git a/lib/setup-bridgehead-units.sh b/lib/setup-bridgehead-units.sh index 7518f3a..820d6f6 100755 --- a/lib/setup-bridgehead-units.sh +++ b/lib/setup-bridgehead-units.sh 
@@ -39,10 +39,11 @@ if [ -z "$LDM_LOGIN" ]; then generated_passwd="$(cat /proc/sys/kernel/random/uuid | sed 's/[-]//g' | head -c 20)" log "INFO" "Your generated credentials are:\n user: $PROJECT\n password: $generated_passwd" - parsed_passwd=$(docker run --rm -it httpd:latest htpasswd -nb $PROJECT $generated_passwd | tr -d '\n') + parsed_passwd=$(docker run --rm -it httpd:latest htpasswd -nb $PROJECT $generated_passwd | tr -d '\n' | tr -d '\r') + printf "##Localdatamanagement basic auth\n#User: $PROJECT\n#Password: $generated_passwd\n" >> /etc/bridgehead/${PROJECT}.local.conf; log "INFO" "These credentials are now written to /etc/bridgehead/${PROJECT}.local.conf" - echo "LDM_LOGIN='${parsed_passwd}'" >> /etc/bridgehead/${PROJECT}.local.conf; + echo -n "LDM_LOGIN='${parsed_passwd}'" >> /etc/bridgehead/${PROJECT}.local.conf; fi log "INFO" "Register system units for bridgehead and bridgehead-update"
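Review bot: The added `printf "##Localdatamanagement basic auth\n#User: $PROJECT\n#Password: $generated_passwd\n" >> ...` persists the cleartext password right next to its hash in `/etc/bridgehead/${PROJECT}.local.conf`, which defeats the purpose of storing a hash, and the file is created by `>>` with whatever umask the installer runs under (presumably 0644, i.e. world-readable). Since the password is already shown once via `log`, prefer not writing the cleartext at all; at minimum create the file with a restrictive mode before the first append: `touch "/etc/bridgehead/${PROJECT}.local.conf" && chmod 600 "/etc/bridgehead/${PROJECT}.local.conf"`. Separately, `echo -n "LDM_LOGIN='${parsed_passwd}'"` leaves the file without a trailing newline, so the next thing appended to it lands on the `LDM_LOGIN=` line and corrupts the value; a plain `echo` (or `printf '%s\n'`) is what is wanted, and the password should be passed to printf as an argument (`printf '...#Password: %s\n' "$generated_passwd"`) rather than expanded into the format string. The enclosing `if` block starts outside the hunk.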