geosolutions-it/docker-geoserver

set username & password by env variables

Closed this issue · 9 comments

Sorry for the stupid question: But is there a way in your current docker images to set the username & the password with environment variables? Having this is a really nice feature for using the geoserver in more complex docker setups & ci/cd pipelines. Many other images already support that (postgres, wildfly, minio, and many more).

Is there a way to do it maybe out-of-the-box with the current image? Say the geosolutionsit/geoserver:2.18.1?
If not do you plan to add it?

Or will it be necessary to have a custom entrypoint script that makes these changes?

Say something like this:

# Hash the password with jasypt; the variable name must match the one used in users.xml below
GEOSERVER_PASSWORD_HASH=$(java -classpath /usr/local/tomcat/webapps/geoserver/WEB-INF/lib/jasypt-1.9.2.jar org.jasypt.intf.cli.JasyptStringDigestCLI digest.sh algorithm=SHA-256 saltSizeBytes=16 iterations=100000 input="$GEOSERVER_PASSWORD" verbose=0 | tr -d '\n')

cat <<END_OF_XML > "${GS_DATA_DIR}/security/usergroup/default/users.xml"
<?xml version="1.0" encoding="UTF-8"?><userRegistry xmlns="http://www.geoserver.org/security/users" version="1.0">
<users>
<user enabled="true" name="$GEOSERVER_USERNAME" password="digest1:$GEOSERVER_PASSWORD_HASH" />
</users>
<groups/>
</userRegistry>
END_OF_XML

(Basically I found parts of that on the geonode docker entrypoint.sh : https://github.com/GeoNode/geonode/blob/master/scripts/spcgeonode/geoserver/docker-entrypoint.sh - however the geonode image has other drawbacks).

Hi @nbrinckm
Currently not. I am not that familiar with the docker image for GeoNode, we'll take a look and get back to you

hello @nbrinckm

The REST API supports creation of new users, but first you would probably also like to change the user admin with default password "geoserver" as soon as you start the application the first time.
To change the master password you can use the PUT method and issue a request to /geoserver/rest/security/masterpw with payloads specified here

curl -X PUT http://localhost:8080/geoserver/rest/security/masterpw -H "accept: application/json" -H "content-type: application/json" -d "{ \"oldMasterPassword\": \"oldPassword\", \"newMasterPassword\": \"newPassword\"}"

to add totally new users and groups to GeoServer more info here

Besides the REST API approach you could just mount as a bind mount $GEOSERVER_DATADIR/security with prepped accounting.
For account testing like ACL and RBAC behaviour maybe the second solution is more efficient.
for account creation itself capability as well putting in security geoserver as soon as it starts, Rest API approach might be good as well

What about changing the startup behaviour of the container as follows @lpasquali:
In the startup script, check via REST if the password is set to the default "admin:geoserver".
If not, move on with the startup, else update the password according to the environment variable
?

I will, it is the same behaviour we use for Ansible @randomorder

sounds good. Please go ahead with the implementation

can you please test this @agpenton ?

can you please test this @agpenton ?

@randomorder the test of the password change in the docker image created with the custom_build.sh script works smoothly.
running the command:
docker run -it -p 8080:8080 -e "ADMIN_PASSWORD=q1w2e3r4" geosolutionsit/geoserver:geoserver-2.18.x

thanks
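The startup check proposed in this thread, sketched as an added example (not the image's own entrypoint code): test whether the default admin:geoserver credentials are still accepted and, only then, set the password from ADMIN_PASSWORD and verify the result. GS_URL and all function names are assumptions; the REST paths used are GeoServer's /rest/about/version.json and /rest/security/self/password.

```shell
# Added example, not the image's own entrypoint code.
# Assumed names: GS_URL and every function below. ADMIN_PASSWORD is the
# variable used in the docker run command in this thread.
GS_URL="${GS_URL:-http://localhost:8080/geoserver}"

# Escape backslash and double quote so the password is a valid JSON string
# (assumption: the password contains no control characters).
json_escape() {
    printf '%s' "$1" | sed 's/\\/\\\\/g; s/"/\\"/g'
}

# Print the HTTP status of an authenticated REST call ("000" if unreachable).
gs_status() {  # $1=user $2=password
    curl -s -o /dev/null -w '%{http_code}' -u "$1:$2" \
        "$GS_URL/rest/about/version.json" || true
}

# Change the password of the authenticated user; prints the HTTP status.
gs_set_password() {  # $1=user $2=current password $3=new password
    curl -s -o /dev/null -w '%{http_code}' -u "$1:$2" -X PUT \
        -H 'Content-Type: application/json' \
        -d "{\"newPassword\": \"$(json_escape "$3")\"}" \
        "$GS_URL/rest/security/self/password" || true
}

# Prints one of: skipped, unchanged, rotated, failed.
rotate_default_password() {
    if [ -z "${ADMIN_PASSWORD:-}" ]; then echo skipped; return 0; fi
    # Refuse to "rotate" to the well-known default.
    if [ "$ADMIN_PASSWORD" = geoserver ]; then echo failed; return 1; fi
    case "$(gs_status admin geoserver)" in
        200) ;;                                # default still accepted
        401|403) echo unchanged; return 0 ;;   # already changed earlier
        *) echo failed; return 1 ;;            # not up yet or unexpected
    esac
    if [ "$(gs_set_password admin geoserver "$ADMIN_PASSWORD")" != 200 ]; then
        echo failed; return 1
    fi
    # Verify both directions: new password works, default is rejected.
    if [ "$(gs_status admin "$ADMIN_PASSWORD")" = 200 ] &&
       [ "$(gs_status admin geoserver)" = 401 ]; then
        echo rotated
    else
        echo failed; return 1
    fi
}

# Runs only when called as "script run"; otherwise just defines functions.
if [ "${1:-}" = run ]; then rotate_default_password; fi
```

A "failed" result while GeoServer is still starting can simply be retried by the caller; passing the secret with `-e` leaves it visible in `docker inspect`, so a secrets mechanism is preferable where one is available.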