Forum OpenACS Development: Adding a password to PGSQL user

Request notifications

Collapse
Posted by Iuri Sampaio on
Hi there,
What would be the parameter to assign a password to pgsql user, within /usr/lib/ns/config-oacs.tcl ?

...
if { $database eq "oracle" } {
set db_password "mysitepassword"
} else {
set db_host localhost
set db_port ""
set db_user $server
}

I tried to use db_password (as showed in Oracle statement), but it didn't work for pgsql as expected.

The goal is to split the OACS installation to a EC2 instance (Debian server) and database to an AWS RDS

Best wishes,
I

Collapse
Posted by Claudio Pasolini on
Hi Iuri,

the parameter you're searching for is named, guess what, password and you will find it within the ns/db/pool/ section.

All the best,

Caludio

Collapse
Posted by Iuri Sampaio on
Thanks Claudio
For future references of this forum, I'm pasting the chunk of code, which corresponds to the parameters of PGSQL, within config.tcl
Best wishes,
I

ns_section ns/db/pool/pool1 {
# ns_param maxidle 0
# ns_param maxopen 0
ns_param connections 15
ns_param LogMinDuration 0.01 ;# when SQL logging is on, log only statements above this duration
ns_param logsqlerrors $debug
if { $database eq "oracle" } {
ns_param driver ora8
ns_param datasource {}
ns_param user $db_name
ns_param password $db_password
} else {
ns_param driver postgres
ns_param datasource ${db_host}:${db_port}:dbname=${db_name}
ns_param user $db_user
ns_param password ""
}
}

Collapse
Posted by Malte Sussdorff on

Keep in mind that you might also be able (and need to in case of Docker) to load the password using environment variables. So I have this in my config (so docker-compose can set the password).

if { $database eq "oracle" } {

set db_password "mysitepassword"

} else {

set db_host postgres

set db_port ""

set db_user $server

if {[info exists ::env(POSTGRES_PASSWORD)]} {

   set db_password $::env(POSTGRES_PASSWORD)

} else {

   set db_password           testing

}

}

As you can see the host is names postgres (which is the default name of my container in docker compose), but I am still in the learning process :-).

Collapse
Posted by Gustaf Neumann on
One can also add the password (and many more parameters [1]) to the connection string named "datasource" in the config file. This string is passed to the PostgreSQL driver, that interprets it. The potential options were extended by PostgreSQL over the last years... One more option is to use the standard environment variables as used by PostgreSQL [2], that might work also without touching the OpenACS config file

i am not sure, whether passing the password via environment variables is the best way, since these can be easily read without any kind of permission checking (when one is able to run a bash/tcl command). I have not done anything with docker, but probably "docker secrets" or other secrets managers provides more security.

[1] https://www.postgresql.org/docs/12/libpq-connect.html#LIBPQ-PARAMKEYWORDS
[2] https://www.postgresql.org/docs/12/libpq-envars.html