Forum OpenACS Development: Re: Adding a password to PGSQL user

Collapse
3: Re: Adding a password to PGSQL user (response to 2)
Posted by Iuri Sampaio on 12/27/19 02:05 AM
Thanks Claudio
For future references of this forum, I'm pasting the chunk of code, which corresponds to the parameters of PGSQL, within config.tcl
Best wishes,
I

ns_section ns/db/pool/pool1 {
# ns_param maxidle 0
# ns_param maxopen 0
ns_param connections 15
ns_param LogMinDuration 0.01 ;# when SQL logging is on, log only statements above this duration
ns_param logsqlerrors $debug
if { $database eq "oracle" } {
ns_param driver ora8
ns_param datasource {}
ns_param user $db_name
ns_param password $db_password
} else {
ns_param driver postgres
ns_param datasource ${db_host}:${db_port}:dbname=${db_name}
ns_param user $db_user
ns_param password ""
}
}

Collapse
4: Re: Adding a password to PGSQL user (response to 3)
Posted by Malte Sussdorff on 02/03/20 06:21 PM

Keep in mind that you might also be able (and need to in case of Docker) to load the password using environment variables. So I have this in my config (so docker-compose can set the password).

if { $database eq "oracle" } {

set db_password "mysitepassword"

} else {

set db_host postgres

set db_port ""

set db_user $server

if {[info exists ::env(POSTGRES_PASSWORD)]} {

   set db_password $::env(POSTGRES_PASSWORD)

} else {

   set db_password           testing

}

}

As you can see the host is names postgres (which is the default name of my container in docker compose), but I am still in the learning process 😊.

Collapse
5: Re: Adding a password to PGSQL user (response to 4)
Posted by Gustaf Neumann on 02/04/20 10:00 AM
One can also add the password (and many more parameters [1]) to the connection string named "datasource" in the config file. This string is passed to the PostgreSQL driver, that interprets it. The potential options were extended by PostgreSQL over the last years... One more option is to use the standard environment variables as used by PostgreSQL [2], that might work also without touching the OpenACS config file

i am not sure, whether passing the password via environment variables is the best way, since these can be easily read without any kind of permission checking (when one is able to run a bash/tcl command). I have not done anything with docker, but probably "docker secrets" or other secrets managers provides more security.

[1] https://www.postgresql.org/docs/12/libpq-connect.html#LIBPQ-PARAMKEYWORDS
[2] https://www.postgresql.org/docs/12/libpq-envars.html