EnergyTransition / ESDL

Energy System Description Language
Apache License 2.0

Add username and password to DatabaseProfile #16

Closed coenvl closed 3 years ago

coenvl commented 3 years ago

I want to add authenticated access to Influx, but then I need a place to add the credentials. I think this is the appropriate way to do this.

ewoudwerkman commented 3 years ago

I won't apply this pull request, as we don't want credentials stored in the ESDL file in plain text. We've discussed this in depth when designing the DatabaseProfile. There are, however, several solutions to your problem:

  1. You could embed the profile in the ESDL using the DateTimeProfile (a bit bulky, but supported by ESSIM), or the new TimeSeriesProfile (less bulky, but not supported by ESSIM). Then you don't need the username and password anymore.
  2. I've been experimenting with a solution to add a proxy in front of influxdb that does OpenIDConnect / keycloak authentication. This allows you to do fine-grained access control to databases in influx. But: this is far from ready yet.
  3. ESSIM supports authentication for writing to influxdb, but not reading yet. I discussed with Arun an approach to add Env variables to ESSIM in the form of INFLUX_HOST_NAME_USERNAME and INFLUX_HOST_NAME_PASSWORD, where HOST_NAME is replaced with the hostname defined in the DatabaseProfile. This allows you to externally add multiple username/password combinations for writing/reading from influx in ESSIM.

Does this work for you?

coenvl commented 3 years ago

Hey Ewoud,

I also talked to Arun, and he mentioned the same thing. Option number 1 won't work because we will create a plethora of profiles, as they represent different scenarios. Option number 2 is also not feasible since we are not using keycloak, only ESSIM. Option number 3 will probably work though. I can even imagine that the ESSIM engine has some kind of companion configuration file, but using the environment keys effectively does the same thing. I am not sure if I like the idea of using variable environment keys.

ewoudwerkman commented 3 years ago

I agree with the variable environment keys, that could sound a bit hacky, but I think this is most flexible and costs least effort. An alternative could be an environmental variable that points to an influxdb config file where a mapping is provided between hostname and username/password. You can also add aliases there if people don't use FQDN.

coenvl commented 3 years ago

That sounds like a nice feature! For now I am locally using a package based on this branch, but this PR can be closed then.
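The per-host environment keys from option 3 (`INFLUX_HOST_NAME_USERNAME` / `INFLUX_HOST_NAME_PASSWORD`), sketched as an added example; this is not ESSIM or ESDL code. The thread does not say how a hostname is turned into a key, so the normalization rule, the function names and the sample hostnames are assumptions. The sketch refuses to resolve when two hosts collapse to the same key or when only half of a credential pair is set.

```python
import os
import re

class CredentialError(Exception):
    """Credentials for a host are partial or ambiguous."""

def env_prefix(hostname: str) -> str:
    # Assumed rule (not stated in the thread): upper-case the hostname and
    # replace every character outside [A-Z0-9] with "_".
    return "INFLUX_" + re.sub(r"[^A-Z0-9]", "_", hostname.strip().upper())

def find_collisions(hostnames):
    """Return {prefix: [hosts]} for distinct hosts that share one env prefix."""
    seen = {}
    for host in hostnames:
        seen.setdefault(env_prefix(host), set()).add(host.strip().lower())
    return {p: sorted(h) for p, h in seen.items() if len(h) > 1}

def resolve(hostname, known_hosts, env=None):
    """Return (username, password) for hostname, or None if none configured."""
    env = os.environ if env is None else env
    prefix = env_prefix(hostname)
    clash = find_collisions(list(known_hosts) + [hostname]).get(prefix)
    if clash:
        # Two hosts map to the same variables: fail closed rather than send
        # one host's password to the other.
        raise CredentialError(f"{prefix} is shared by {clash}")
    user = env.get(prefix + "_USERNAME")
    password = env.get(prefix + "_PASSWORD")
    if (user is None) != (password is None):
        raise CredentialError(f"only one of {prefix}_USERNAME/_PASSWORD is set")
    return (user, password) if user is not None else None

# Constructed sample environment; hostnames and values are made up.
SAMPLE_ENV = {
    "INFLUX_INFLUX_EXAMPLE_ORG_USERNAME": "essim_reader",
    "INFLUX_INFLUX_EXAMPLE_ORG_PASSWORD": "constructed-secret",
    "INFLUX_METRICS_LOCAL_USERNAME": "orphan",  # password deliberately missing
}

if __name__ == "__main__":
    hosts = ["influx.example.org", "metrics.local"]
    user, _ = resolve("influx.example.org", hosts, SAMPLE_ENV)
    print("resolved user:", user)  # never print the password itself
    print(find_collisions(["db-1.local", "db.1.local"]))
```

`known_hosts` would be the set of hostnames found in the DatabaseProfile entries of the ESDL files being processed, so a collision is caught before any credential leaves the process.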