You are viewing a plain text version of this content. The canonical link for it is here.

Posted to notifications@couchdb.apache.org by GitBox <gi...@apache.org> on 2020/02/13 17:46:19 UTC

[GitHub] [couchdb-docker] florianb commented on a change in pull request #170: Fix169 by enforcing admin credentials

florianb commented on a change in pull request #170: Fix169 by enforcing admin credentials
URL: https://github.com/apache/couchdb-docker/pull/170#discussion_r379018564
 
 

 ##########
 File path: dev/docker-entrypoint.sh
 ##########
 @@ -55,10 +55,25 @@ if [ "$1" = '/opt/couchdb/bin/couchdb' ]; then
 	# Ensure that CouchDB will write custom settings in this file
 	touch /opt/couchdb/etc/local.d/docker.ini
 
-	if [ "$COUCHDB_USER" ] && [ "$COUCHDB_PASSWORD" ]; then
-		# Create admin only if not already present
-		if ! grep -Pzoqr "\[admins\]\n$COUCHDB_USER =" /opt/couchdb/etc/local.d/*.ini; then
+
+	# Check if admin users are missing then
+	if ! grep -Pzoqr "\[admins\]\n$COUCHDB_USER =" /opt/couchdb/etc/local.d/*.ini; then
+		# Check if admin credentials provided
+		if [ "$COUCHDB_USER" ] && [ "$COUCHDB_PASSWORD" ]; then
 
 Review comment:
   You're right - my bad. I should have understood what's happening there.. :disappointed:
   
   Containers should be idempotent. When researching if you really leave the password unhashed in the ini file and if your Ini-parser supports any kind of escape-statements for values i stumbled over [Issue 2188: Admin username with = in name gets corrupted on initial password encrypt](https://github.com/apache/couchdb/issues/2188) (where i left an educated guess about the cause for the :bug:).
   
   And i had to learn you're in fact writing the hashed password back into the config file.
   
   So if the password isn't used for anything else then authentication a user should be fine with throwing away the container with the forgotten password and creating a new one (given the data is mounted as external storage).
   
   If the password is also used to internally encrypt or sign anything this wouldn't work though.
   
   Since i guess the first applies you might want to close this PR.

----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
 
For queries about this service, please contact Infrastructure at:
users@infra.apache.org


With regards,
Apache Git Services