Feature #8064

Generate postgres account credentials at install time

Added by John Spray almost 10 years ago.

Status: New
Priority: Normal
Assignee: -
Category: Backend (packaging/deployment)
Target version: -
% Done: 0%
Source: other
Tags:
Backport:
Reviewed:
Affected Versions:

Description

This is for defense in depth.

Currently we ship a static postgres username/password for the calamari user. This is not a deal breaker because:

  • Users are free to modify it and update our configuration files with their new password
  • Postgres should not be listening on the network by default.

However, best practice would be to generate a unique password on each installation to protect against the case where someone has accidentally exposed their postgres server to the network.

We could achieve a per-installation password in a similar way to what we do with the django SECRET_KEY value: generate it in "calamari-ctl initialize" and update config files at that stage.
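A sketch of the initialize-time rotation proposed above, as an added example that is not Calamari's code. The ini-style `password = ...` line, the `SHIPPED_DEFAULT` placeholder and all function names are assumptions; only the `calamari` role name comes from the ticket.

```python
import os
import re
import secrets
import tempfile

SHIPPED_DEFAULT = "shipped-default-password"  # constructed placeholder, not the real value


def current_password(config_text, key="password"):
    """Return the value of the `key = value` line, or None if it is absent."""
    match = re.search(r"^[ \t]*%s[ \t]*=[ \t]*(.*)$" % re.escape(key), config_text, re.MULTILINE)
    return match.group(1).strip() if match else None


def set_password(config_text, new_password, key="password"):
    """Return config_text with the single `key = value` line set to new_password."""
    pattern = re.compile(r"^([ \t]*%s[ \t]*=[ \t]*).*$" % re.escape(key), re.MULTILINE)
    new_text, count = pattern.subn(lambda m: m.group(1) + new_password, config_text)
    if count != 1:
        raise ValueError("expected exactly one %r line, found %d" % (key, count))
    return new_text


def write_private(path, text):
    """Atomically replace path; mkstemp creates the temp file with mode 0600."""
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(os.path.abspath(path)))
    try:
        with os.fdopen(fd, "w") as handle:
            handle.write(text)
        os.replace(tmp, path)
    except BaseException:
        os.unlink(tmp)
        raise


def alter_role_sql(role, password):
    """SQL for the database side; identifier and literal are quoted by doubling."""
    return 'ALTER ROLE "%s" WITH PASSWORD \'%s\';' % (
        role.replace('"', '""'), password.replace("'", "''"))


def initialize_db_password(path, role="calamari"):
    """Rotate only while the shipped default is still in place; return SQL or None."""
    with open(path) as handle:
        text = handle.read()
    if current_password(text) != SHIPPED_DEFAULT:
        return None  # already unique (or changed by the admin): leave it alone
    password = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
    write_private(path, set_password(text, password))
    return alter_role_sql(role, password)
```

The caller is expected to execute the returned statement over a local connection in the same initialize step, and to keep it out of logs because it contains the password.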
