Unable to change root password for database if provided via environment variable ORIENTDB_ROOT_PASSWORD

Question

Unable to change root password for database if provided via environment variable ORIENTDB_ROOT_PASSWORD

Closed this issue 20 days ago · 5 comments

akshay-mahakalkar commented 4 months ago

OrientDB Version: 3.2.32

Java Version: openjdk 11.0.23

OS: Alpine

Expected behavior

If the value of ORIENTDB_ROOT_PASSWORD is changed in the new password should be consumed.

Actual behavior

When ORIENTDB_ROOT_PASSWORD is changed, database is unable to use new password, instead continues to use old password.
When the OSystem database is deleted then only new password is consumed.

Steps to reproduce

Download and start OrientDB server by running ORIENTDB_ROOT_PASSWORD="password" server.sh command.
Try accessing the studio. Should be accessible.
Change the password and run again. Should not be accessible.

Extra Findings

If password is provided via orientdb-server-config.xml file as provided below
<users> <user name="root" password="Root@1234" resources="*" /> <user name="guest" password="admin" resources="connect,server.listDatabases,server.dblist" /> </users>
Then I am able to login database with both passwords. One provided via environment variable and one provided in xml file at the same time.

Answer 1 · 2024-07-25T12:41:58.000Z

Hi,
Yes I think that password as today is retrieve and stored somewhere else, I do agree this may not be the best behavior, I will see if this can be corrected.

Answer 2 · 2024-08-29T12:05:52.000Z

Hi,

This should be fixed in 3.2.33 let me know if you can verify it.

Regards

Answer 3 · 2024-09-03T08:13:44.000Z

Hi @tglman,

Thanks for resolving the issue. I verified it is now resolved. If new password set via environment variable it is considering the new password.
Only one thing I found new is, now the database console logs shows the database password.

Was this intentional as previously it was "INFO Found ORIENTDB_ROOT_PASSWORD variable, using this value as root's password [OServer]".

Answer 4 · 2024-09-03T12:36:20.000Z

Hi,

Thank you for checking this, yes we should not log the password, that strange, I will double check this and make sure it doesn't happen, will leave this open till I make sure is not logged

Answer 5 · 2024-10-28T14:52:37.000Z

Hi,

The logging of the password should be fixed in 3.2.34, closing this, feel free to reopen it if you see still some problem.

Regards