IQSS / dataverse

Open source research data repository software
http://dataverse.org

DB connection: defaults and more options #7980

Closed poikilotherm closed 1 year ago

poikilotherm commented 3 years ago

Now that #7701 is merged and we are on 5.2021.4, we can enable real defaults for the database connection.

Context

I learned that any variable expansion supporting annotations or files, that will have Payara create resources, containers or something else from, will not retrieve default values from the microprofile-config.properties file bundled in the WAR.

Instead, we need to provide defaults with the new ${MPCONFIG=name:default} syntax.

Todo

poikilotherm commented 2 years ago

FWIW: this can now be addressed given the fact that Payara 5.2022.2 included a fix for this.

landreev commented 2 years ago

Here's a real-life example of a problem this will solve: We had a support request (RT 321319) where a remote admin was asking about hardening their installation, specifically about enforcing SSL on the connection between the application and the database. When the JDBC library opens the connection to PostgreSQL, it defaults to sslmode=prefer (meaning, it will use SSL if the remote server supports it; but would also be happy to use an unencrypted connection if not; it does not verify the SSL certificates in this mode either). If a user wants to ensure that their Dataverse installation will never talk to the database without SSL, they need to use sslmode=require. Or sslmode=verify-ca, to verify the certs. As of now, the only way to pass this parameter is to attach it to the database name, like this:

<system-property name="dataverse.db.name" value="dvndb?sslmode=require"/>

so that it ends up in the combined connection string; but it's a bit hacky. #8915 will provide a clean way to supply this extra parameter (via dataverse.db.parameters).
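An added example, not part of the thread or of Dataverse's own code: a Python check that reads system-property entries in the shape quoted above and reports whether the configured sslmode rules out an unencrypted database connection. The sample XML is constructed, and the key=value format assumed for dataverse.db.parameters is an assumption.

```python
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs

# Constructed sample in the shape of the <system-property> line quoted above.
SAMPLE_DOMAIN_XML = """<config>
  <system-property name="dataverse.db.host" value="db.example.org"/>
  <system-property name="dataverse.db.name" value="dvndb?sslmode=require"/>
</config>"""

ENCRYPTED = {"require", "verify-ca", "verify-full"}  # no plaintext fallback
VERIFIED = {"verify-ca", "verify-full"}              # server certificate is checked
DRIVER_DEFAULT = "prefer"                            # default named in the comment above


def audit_sslmode(domain_xml):
    """Report which sslmode the configured DB properties ask for."""
    props = {el.get("name"): el.get("value") or ""
             for el in ET.fromstring(domain_xml).iter("system-property")}
    # Split off a query string attached to the database name (the workaround).
    db_name, _, name_query = props.get("dataverse.db.name", "").partition("?")
    # Assumption: dataverse.db.parameters uses the same key=value&key=value form.
    sources = {"dataverse.db.name": name_query,
               "dataverse.db.parameters": props.get("dataverse.db.parameters", "")}
    found = {}
    for prop, query in sources.items():
        values = parse_qs(query.lstrip("?")).get("sslmode", [])
        if values:
            found[prop] = values[-1].lower()
    # With nothing configured, the driver default applies.
    modes = set(found.values()) or {DRIVER_DEFAULT}
    return {
        "database": db_name,
        "set_in": sorted(found),
        "modes": sorted(modes),
        # Every configured value must forbid plaintext; conflicting values fail.
        "encrypted": modes <= ENCRYPTED,
        "cert_verified": modes <= VERIFIED,
        "workaround_in_db_name": bool(name_query),
    }


if __name__ == "__main__":
    for key, value in audit_sslmode(SAMPLE_DOMAIN_XML).items():
        print(f"{key}: {value}")
```
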

donsizemore commented 1 year ago

I am pleased to report that, so far, Leonid's ?sslmode=require suggestion above appears to work with a test RDS instance.