magento / data-migration-tool

Magento Data Migration Tool
https://devdocs.magento.com/guides/v2.3/migration/bk-migration-guide.html
Open Software License 3.0
337 stars 199 forks source link

Database Password in module config file #743

Open rain2o opened 4 years ago

rain2o commented 4 years ago

Preconditions

  1. All versions

Steps to reproduce

  1. Create a module for configuring migration tool as per instructions in the dev docs

Expected result

  1. Sensitive information such as database credentials should not be stored in a module file.

Actual result

  1. Source and Destination require database credentials directly in the config file.

Additional notes

I suppose this is an enhancement, or I'm missing something that is already here, but the fact that this module requires database credentials to be put in the config.xml file directly inside our extension module is concerning. Whether we are creating a composer module or one directly in app/code, either way these files will be tracked in version control and should not contain any sensitive data, especially database credentials. The fact that this config file contains all other configurations like any custom mapping, ignored fields, etc... means that this file should be tracked in version control and maintained accordingly. Therefore the credentials should come from another source.

It would be preferable if the database credentials could come from any of the following sources:

  1. app/etc/env.php just like core Magento uses. Or from ENV variables directly.
  2. An additional config file that is stored perhaps in Magento root or in var or something. This file would be maintained directly on the server/environment and not in version control. It should only contain sensitive information. It would be merged with the other config file much like Magento core handles most XML files.
  3. Adding options to the CLI command, similar to the setup:install command to pass the DB host, name, user, password, source, and destination while running the migrate:[mode].

Those are the first three options I could think of. I started to try and create an extension to add these, but as this module doesn't follow the standard Magento 2 module infrastructure, I ran into some issues trying to use plugin or preference.

At this point our current migration is stalled until I can come up with a solution because storing these credentials in the module is not an option.

victor-v-rad commented 4 years ago

Hi @rain2o

The config.xml file can be stored outside Magento directory and the path of running migration can be 'bin/magento migrate:settings /home/user/config.xml'. Does it solve your security concern?

rain2o commented 4 years ago

@victor-v-rad yes that is a workaround but it’s inconvenient. Since the config file contains other configurations around migration, steps, paths to other config files, etc... it would be useful to have this file managed in version control so that we don’t have to maintain this file in several places. Then having an external location to get sensitive information from. Does that make sense?

victor-v-rad commented 4 years ago

It make sense and MC-29164 was created to implement it. It is unlikely to happen in the nearest future but the tool is open source and you can implement the needed functionality and share with all Magento community in pull request.