From 14be193813a5f6724043d1f2c0cb855696bcc1e5 Mon Sep 17 00:00:00 2001
From: SHASHIKANTH THAMBRAHALLI
Date: Tue, 21 Nov 2023 16:25:51 +0530
Subject: [PATCH] Fix htpassword update logic (#547)
* Fix htpassword update logic
* Delete mq.htpasswd.default file
---
 Dockerfile-server | 2 --
 cmd/runmqdevserver/main.go | 6 +++---
 docs/pluggable-connauth.md | 2 +-
 etc/mqm/mq.htpasswd.default | 2 --
 4 files changed, 4 insertions(+), 8 deletions(-)
 delete mode 100644 etc/mqm/mq.htpasswd.default
diff --git a/Dockerfile-server b/Dockerfile-server
index ba2cc251..d7b2b522 100644
--- a/Dockerfile-server
+++ b/Dockerfile-server
@@ -182,7 +182,6 @@ LABEL summary="IBM MQ Advanced for Developers Server" \
 USER 0
 COPY --from=cbuilder /opt/app-root/src/authservice/mqhtpass/build/mqhtpass.so /opt/mqm/lib64/
 COPY etc/mqm/qm-service-component.ini /run
-COPY etc/mqm/mq.htpasswd.default /etc/mqm/
 COPY incubating/mqadvanced-server-dev/install-extra-packages.sh /usr/local/bin/
 RUN chmod u+x /usr/local/bin/install-extra-packages.sh \
 && sleep 1 \
@@ -197,7 +196,6 @@ RUN ln -s /run/10-dev.mqsc /etc/mqm/10-dev.mqsc \
 RUN chown -R 1001:root /etc/mqm/* \
 && chmod -R g+w /etc/mqm/web \
 && chmod +x /usr/local/bin/runmq* \
- && chmod 0660 /etc/mqm/mq.htpasswd.default \
 # Allow contents of qm-service-component.ini to be cleaned if MQ_CONNAUTH_USE_HTP is not set to true
 && chmod 0660 /run/qm-service-component.ini \
 && ln -s /run/qm-service-component.ini /etc/mqm/qm-service-component.ini
diff --git a/cmd/runmqdevserver/main.go b/cmd/runmqdevserver/main.go
index 99db7ae9..de30f5fe 100644
--- a/cmd/runmqdevserver/main.go
+++ b/cmd/runmqdevserver/main.go
@@ -21,7 +21,6 @@ import (
 "strings"
 "syscall"

- "github.com/ibm-messaging/mq-container/internal/copy"
 "github.com/ibm-messaging/mq-container/internal/htpasswd"
 "github.com/ibm-messaging/mq-container/pkg/containerruntimelogger"
 "github.com/ibm-messaging/mq-container/pkg/logger"
@@ -136,8 +135,9 @@ func doMain() error {
 appPassword, appPwdset := os.LookupEnv("MQ_APP_PASSWORD")
 if set && strings.EqualFold(enableHtPwd, "true") && (adminPwdset && len(strings.TrimSpace(adminPassword)) > 0 || appPwdset && len(strings.TrimSpace(appPassword)) > 0) {
- // Copy default mq.htpasswd file to ephemeral volume
- err = copy.CopyFile("/etc/mqm/mq.htpasswd.default", "/run/mq.htpasswd")
+ // Create an empty mq.htpasswd file on ephemeral volume
+ // #nosec G306 - its a write by owner/s group, and pose no harm.
+ err = os.WriteFile("/run/mq.htpasswd", []byte(""), 0660)
 if err != nil {
 logTermination(err)
 return err
diff --git a/docs/pluggable-connauth.md b/docs/pluggable-connauth.md
index 1cfc399d..517d1a86 100644
--- a/docs/pluggable-connauth.md
+++ b/docs/pluggable-connauth.md
@@ -12,7 +12,7 @@ This pluggable authentication mode is to allow developers using the mq-container
 ### Preparing htpasswd file
- 1. A default `mq.htpasswd.default` file is provided and placed under /etc/mqm/ directory inside the container.
+ 1. The `mq.htpasswd` file gets generated and placed under /run/ directory inside the container when the password for `admin` or `app` users is set via environment variables. No default password is set for these users.
 2. You can set the password for user `admin` by setting the environment variable `MQ_ADMIN_PASSWORD`.
 3. You can add user `app` into mq.htpasswd file by setting the environment variable `MQ_APP_PASSWORD`. This user `app` can be used to access `DEV.*` objects of the queue manager.
diff --git a/etc/mqm/mq.htpasswd.default b/etc/mqm/mq.htpasswd.default
deleted file mode 100644
index 95c213f1..00000000
--- a/etc/mqm/mq.htpasswd.default
+++ /dev/null
@@ -1,2 +0,0 @@
-admin:$2y$05$M/C1U62RZ6q1kv4E7.S7ueNESJmFe85RsZcoMUReRXUDB8QcP3yqS
-app:$2y$05$BnbPtcjXTjk5JRJ8gzHqIuHgoQbLF3qtbPV3Q3tLyr0XJNg.7dkxW
\ No newline at end of file
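Review bot: The `#nosec G306` suppression on the new `os.WriteFile("/run/mq.htpasswd", []byte(""), 0660)` call in cmd/runmqdevserver/main.go does not say why this file needs group write, and per the docs change in this commit it is the file that receives the `admin` and `app` password entries. If the reason is that the container may run under a different UID in the root group (the Dockerfile's `chown -R 1001:root` hints at that, but it is not confirmed by anything visible here), state it, e.g. `// #nosec G306 -- group rw required: runtime UID may differ from the owner but shares group root`. Also worth a comment or a check: `os.WriteFile` applies the mode only when it creates the file and follows whatever already exists at the path, so a pre-existing `/run/mq.htpasswd` is truncated with its current permissions and target rather than recreated at 0660; an `os.Lstat` check or `os.Remove` before the write would make the resulting mode deterministic. `doMain` starts and ends outside this hunk, so whether the permissions are adjusted later cannot be seen from here.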