Forum OpenACS Development: Re: Adding a password to PGSQL user

Posted by Malte Sussdorff on

Keep in mind that you might also be able (and need to in case of Docker) to load the password using environment variables. So I have this in my config (so docker-compose can set the password).

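    if { $database eq "oracle" } {
        set db_password "mysitepassword"
    } else {
        set db_host postgres
        set db_port ""
        set db_user $server
        # Use the password supplied via the environment (e.g. set by docker-compose)
        if {[info exists ::env(POSTGRES_PASSWORD)]} {
            set db_password $::env(POSTGRES_PASSWORD)
        } else {
            # Fall back to a hard-coded value when the variable is not set
            set db_password testing
        }
    }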

As you can see, the host is named postgres (which is the default name of my container in docker compose), but I am still in the learning process :-).

Posted by Gustaf Neumann on
One can also add the password (and many more parameters [1]) to the connection string named "datasource" in the config file. This string is passed to the PostgreSQL driver, which interprets it. The potential options were extended by PostgreSQL over the last years... One more option is to use the standard environment variables as used by PostgreSQL [2], which might also work without touching the OpenACS config file.

I am not sure whether passing the password via environment variables is the best way, since these can be easily read without any kind of permission checking (when one is able to run a bash/tcl command). I have not done anything with Docker, but probably "docker secrets" or other secrets managers provide more security.

[1] https://www.postgresql.org/docs/12/libpq-connect.html#LIBPQ-PARAMKEYWORDS
[2] https://www.postgresql.org/docs/12/libpq-envars.html
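
The two approaches in this thread can be combined in the config file. The following is an added example, not code from either poster or from the OpenACS project: it prefers a secret mounted as a file, falls back to the POSTGRES_PASSWORD variable from the first post, and refuses to start with a hard-coded default. The proc name resolve_db_password, the variable name POSTGRES_PASSWORD_FILE and the path /run/secrets/postgres_password are assumptions of this example.

```tcl
# Added example: resolve the PostgreSQL password for the OpenACS config file.
# POSTGRES_PASSWORD_FILE and the default secret path are assumptions of this
# example; adjust them to the names used in your compose file.
proc resolve_db_password {{secret_file /run/secrets/postgres_password}} {
    if {[info exists ::env(POSTGRES_PASSWORD_FILE)]} {
        set secret_file $::env(POSTGRES_PASSWORD_FILE)
    }
    # Preferred source: a secret mounted as a file.
    if {[file isfile $secret_file] && [file readable $secret_file]} {
        set fh [open $secret_file r]
        set password [string trimright [read $fh] "\r\n"]
        close $fh
        if {$password eq ""} {
            error "secret file $secret_file is empty"
        }
        return $password
    }
    # Fallback: the environment variable used in the first post.
    if {[info exists ::env(POSTGRES_PASSWORD)] && $::env(POSTGRES_PASSWORD) ne ""} {
        set password $::env(POSTGRES_PASSWORD)
        # Remove it from the process environment so that commands started
        # later via exec do not inherit it.
        unset ::env(POSTGRES_PASSWORD)
        return $password
    }
    # No hard-coded default: stop instead of starting with a known password.
    error "no database password: set POSTGRES_PASSWORD_FILE or POSTGRES_PASSWORD"
}

set db_password [resolve_db_password]
```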