Docker Compose option to generate random passwords

[kowh-ai]

Fixes: #65

In the past passwords have been included in the .env file and therefore included as Docker Compose variables when building and running Docker images and containers

This PR includes a new option to generate randomised, secure passwords for the following users:

• The Postgres system superuser POSTGRES_USER
• The database user that owns the CKAN database CKAN_DB_USER
• The database user that has read-access to the Datastore database DATASTORE_READONLY_USER
• The CKAN application System Administrator user CKAN_SYSADMIN_NAME

These passwords are kept in a new file: .pw and added to env_file: in the Docker Compose yml file

The README has been updated with a new section on the steps involved for using this new option

I could include all the steps in the generate_passwords.sh script rather than have people explicitly overriding and saving files

Update: The random password generator will now be the default option. There will also be an option to opt-out so passwords will be referenced from the .env file. This option is how passwords were implemented previously

Also, other variables (secrets) will be included as well. These are as follows:

• The beaker session secret CKAN___BEAKER__SESSION__SECRET
• The api token encode secret CKAN___API_TOKEN__JWT__ENCODE__SECRET
• The api token decode secret CKAN___API_TOKEN__JWT__DECODE__SECRET

[themowski]

Was this committed by accident? At a glance, this looks like the generated passwords Compose file was used to overwrite the regular Compose file.

[kowh-ai]

Don't think so...here are the last commits to docker-compose.yml:

[themowski]

Sorry, I meant, was it added into this PR (committed to this branch) by accident?

Based on the other feedback, it seems like the auto-generated passwords will be the default behavior in the future, so presumably this comment is moot anyways.

[kowh-ai]

Ah OK, if you look at the README in the PR you will see the instructions:

At the moment you need to explicitly override the docker-compose.yml file when wanting to use more secure passwords, however after the Dev meeting this afternoon it was decided that secure passwords will be the default when this is merged

[EricSoroos]

Probably better to use https://docs.python.org/3/library/secrets.html#secrets.token_urlsafe secrets.token_urlsafe, as /dev/urandom is somewhat platform dependent.

[EricSoroos]

Should probably print out the ckan sysadmin password on the console, and note where it's actually saved.

[EricSoroos]

This isn't safe.

This is passing in the database superuser password into the CKAN instance, where it should only have access to the specific urls that are needed to connect to the database.

[EricSoroos]

Also mentioned in the call -- Out of the box, this should use the random PWs. If someone wants to use old static passwords on new installs, they need to work at it.

[EricSoroos]

Should probably set these as well.

[kowh-ai]

Thanks @EricSoroos for helping me here. I've pretty much got it all working with the new changes however I'm thinking it might be best to have one generated password file (locked down) to pass through to the ckan container and one to pass through to the db container...

[pwalsh]

@kowh-ai I'm not sure if this is the best place to note this, so do tell me if there is another better, location:

If we are doing this work on random passwords, to bypass having passwords in .env files, perhaps it is worth exploring the docker solution for secrets, which works with docker compose:

https://docs.docker.com/compose/use-secrets/

[kowh-ai]

@pwalsh - I had gone through secrets in Docker documentation plus examples people had written about and thought you could only use secrets when you had set up Docker to run in swarm mode. I'm very interested in pursuing this

[pwalsh]

@kowh-ai ok. I was sure it worked with compose, but must be my misreading. I was researching this for some of my own projects but have not implemented it yet.