jjethwa / rundeck

GNU General Public License v3.0

Would like ability to set login admin password with environment variable #23

Closed stagrlee closed 8 years ago

stagrlee commented 8 years ago

Similar to RUNDECK_PASSWORD, I would like to be able to set the login password of the admin account into the GUI.

Suggest a new RUNDECK_ADMIN_PASSWORD environment variable that would overload in the /etc/rundeck/framework.properties file

framework.server.password

and in /etc/rundeck/realm.properties, the second field in this line...

admin:admin,user,admin,architect,deploy,build

jjethwa commented 8 years ago

Hi @stagrlee

I'm a little hesitant to add the admin account password as an environment variable as this has a few security ramifications. My thinking is that /etc/rundeck needs to be a volume so customization is persisted across container restarts.

I'm not totally closed off on adding it though. Would you be able to provide a use case of where the default framework.properties and realm.properties are needed, but the admin password needs to be modified?

stagrlee commented 8 years ago

Besides the obvious, which is that, unmodified, the admin password is "admin", which is a wide-open hole.

The use case I'm working on is to embed a little independent orchestration motor into a larger app and keep the configuration updates to the rundeck devs to default the config lean and secure. If I put the rundeck config files in my source code and inject all of that, I have to keep up with config file layout changes.

The app will pass in a project directory of jobs and an admin password that is generated, let the node authority build up its node DB, and run the orchestrations. After that, reap the rundeck docker image like nothing ever happened... I want to keep updates to rundeck easy.

stagrlee commented 8 years ago

I was using an env variable as a parameter passing mechanism since that is how the DB pwd is passed in. Other parameter passing arrangements could be used I imagine.

jjethwa commented 8 years ago

Yeah, the default is admin:admin, but most users should be using the volume to persist their configurations and should know enough to change the admin password :)

I should have time to do some analysis of the changes that need to be made later this week to make sure it won't affect users that are already using the container in production.

In the interim, if you're planning on using the rundeck container transiently, you could try linking the containers together so the rundeck port is not exposed to the host or via the host's external IP. It doesn't solve the default admin password issue, but it's a slight mitigation.

stagrlee commented 8 years ago

I put in a pull request, see what you think

jjethwa commented 8 years ago

Thanks @stagrlee

I believe the password needs to be changed in the realm.properties file as well, as the framework.properties password is used for the CLI tools. Do you want to update the PR or do you want me to? :)

stagrlee commented 8 years ago

Yikes... Thanks for the review. I pushed an updated PR.

jjethwa commented 8 years ago

Closing as @stagrlee's changes were merged: https://github.com/jjethwa/rundeck/commit/215434c2e8f790dee6fbc01b4c12b35f5b394a0f

Really appreciate it :)
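
As an added example (not the code from the merged PR or the project's start script), one way a container start script could apply RUNDECK_ADMIN_PASSWORD to both files named in this thread, refusing the default value and failing if either expected line is missing. The function names, the directory argument and the list of rejected characters are assumptions.

```shell
#!/bin/sh
# Added example: apply RUNDECK_ADMIN_PASSWORD to framework.properties and
# realm.properties. Function names and the directory argument are assumptions.

# rewrite FILE AWK_RULE: rewrite FILE in place; fail if no line matched.
rewrite() {
    tmp=$(mktemp) || return 1
    # The password reaches awk through the environment (ENVIRON), so it is
    # never spliced into the awk program or into a sed expression.
    if PW=$RUNDECK_ADMIN_PASSWORD awk "$2"' { print } END { exit !found }' "$1" > "$tmp"; then
        cat "$tmp" > "$1"   # overwrite content, keep the file's owner and mode
        rm -f "$tmp"
    else
        rm -f "$tmp"
        echo "no matching line in $1" >&2
        return 1
    fi
}

# set_admin_password CONF_DIR: CONF_DIR would be /etc/rundeck in the container.
set_admin_password() {
    conf_dir=$1
    pw=${RUNDECK_ADMIN_PASSWORD:-}
    nl='
'
    if [ -z "$pw" ] || [ "$pw" = "admin" ]; then
        echo "RUNDECK_ADMIN_PASSWORD is empty or still the default" >&2
        return 1
    fi
    # Assumption: reject characters that would change the file syntax. A comma
    # separates roles in realm.properties, a backslash is an escape in
    # .properties files, and a newline would add a line.
    case $pw in
        *,*|*\\*|*"$nl"*)
            echo "password contains a comma, backslash or newline" >&2
            return 1 ;;
    esac
    rewrite "$conf_dir/framework.properties" \
        '/^framework\.server\.password[ \t]*=/ { print "framework.server.password = " ENVIRON["PW"]; found = 1; next }' || return 1
    # Replace only the second field; keep the role list from the first comma on.
    rewrite "$conf_dir/realm.properties" \
        '/^admin[ \t]*:/ { i = index($0, ","); print "admin:" ENVIRON["PW"] (i ? substr($0, i) : ""); found = 1; next }' || return 1
}
```

A start script would call `set_admin_password /etc/rundeck` before launching Rundeck and stop the container if it returns non-zero, so a changed config layout surfaces as a failed start rather than a silent fallback to admin:admin.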