DigitalShoestringSolutions / sm_timeseries_db

GNU General Public License v3.0
0 stars 0 forks source link

InfluxDB Access Token security #2

Open tobyaharris opened 6 months ago

tobyaharris commented 6 months ago

In the distributed .env file we have a hardcoded access token for influxdb. This is used by both influx and grafana. https://github.com/DigitalShoestringSolutions/sm_timeseries_db/blob/a8e6e401acfbcfd946311fb45b5e34e02a02e81c/.env#L5

This feels not only unsecure, but against the spirit of the token system.

Should a random token not be generated at build time? We do this for the similar django_secret_key. Why not here? Is there some better system we should use instead?

Greg-Hawkridge commented 5 months ago

Yes - but I've already spent 3+ hours trying to work out how to generate a stand alone token (including trying to detect the hash formats). It would likely need a custom docker entrypoint script to be written that boots influx and then generates a token using the HTTP API. Also a hard coded token is not the biggest problem when there is a hard coded admin password (which also needs to be fixed - I have an approach extending the setup_keys script in the new inventory solution).