Phase one of addressing exposed passwords. #497

Open
wants to merge 1 commit into
base: master

@lathama lathama commented Apr 3, 2024

Phase one of addressing exposed passwords.

  • For database password is shown in ps!!!! #334
  • Enable users to see what configuration settings they can/should set for databases
  • Prepare for excluding the password from the command which is visible from the host machine.

The problem

lathama@hostsystemnotthedockercontainer: $ ps ax | grep '/bin/odoo'
/usr/bin/python3 /usr/bin/odoo --db_host db --db_port 5432 --db_user odoo --db_password odoo

The goal

lathama@hostsystemnotthedockercontainer: $ ps ax | grep '/bin/odoo'
/usr/bin/python3 /usr/bin/odoo

Related


lathama commented Apr 3, 2024

@odony and/or @d-fence I will ask for some help getting this going.


lathama commented Apr 3, 2024

Additionally, I am in all the CLAs as lathama going back to the beginning if it is needed on this repo.

@amh-mw amh-mw left a comment

Passing --db-password on the command line is a convenience for local development. There are already multiple mechanisms for doing this more securely.

  1. Mount an entire odoo.conf into the container, replacing these defaults and adding your password in the config file.
    # docker-compose.yaml
    volumes:
      - ./odoo.conf:/etc/odoo/odoo.conf
  2. Expose sensitive values as environment variables:
    # docker-compose.yaml
    environment:
      - POSTGRES_PASSWORD=odoo
      - POSTGRES_USER=odoo

I generally find this pull request without merit and think it should be closed.

@@ -1,12 +1,16 @@
[options]
addons_path = /mnt/extra-addons
data_dir = /var/lib/odoo
db_name = postgress
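
Review bot: `db_name = postgress` on the last line of this hunk is spelled with a double "s", while PostgreSQL's default database is named `postgres`, so as written this default points at a database that will not exist on a stock server. Either correct the spelling or leave `db_name` out of the shipped defaults, and add a comment in the file saying what the setting controls so users know whether they should override it.
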
--database > db_name setting

database(s) used when installing or updating modules. Providing a comma-separated list restrict access to databases provided in list.

Setting a default db_name here unexpectedly restricts available databases, breaking current expectations.


lathama commented Apr 3, 2024

Note to viewers, the CLI wins over the config file in some cases like db config. Read more at https://github.com/odoo/odoo/blob/17.0/odoo/tools/config.py#L448-L484
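
A host-side check for the exposure shown under "The problem" in the pull request description, as an added example that is not code from this pull request or from the Odoo project: it reads the NUL-separated argv from `/proc/<pid>/cmdline`, flags secret-bearing options in both `--flag value` and `--flag=value` form, and prints a redacted copy. The function names and every flag name other than `--db_password` are assumptions, and the sample buffers are constructed from the two `ps` outputs above.

```python
import os
import re

# --db_password is the option shown on this page; the other names are assumptions.
SECRET_FLAGS = re.compile(r"^--?(db[_-]password|password|passwd|secret|token)$", re.I)
# Constructed samples mirroring the "problem" and "goal" ps output on this page.
PS_BEFORE = b"/usr/bin/python3 /usr/bin/odoo --db_host db --db_port 5432 --db_user odoo --db_password odoo"
BEFORE = PS_BEFORE.replace(b" ", b"\0") + b"\0"
AFTER = b"/usr/bin/python3\0/usr/bin/odoo\0"

def parse_cmdline(raw):
    """Split a /proc/<pid>/cmdline buffer (NUL-separated argv) into strings."""
    return [a.decode("utf-8", "replace") for a in raw.split(b"\0") if a]

def find_exposed_secrets(argv):
    """Return secret-bearing flags that carry a value, in either argument form."""
    hits = []
    for i, arg in enumerate(argv):
        name, sep, value = arg.partition("=")
        follows = i + 1 < len(argv) and not argv[i + 1].startswith("-")
        # Either "--db_password=odoo" or "--db_password odoo" exposes the value.
        if SECRET_FLAGS.match(name) and (value if sep else follows):
            hits.append(name)
    return hits

def redact(argv):
    """Copy argv with secret values masked so the finding can be logged safely."""
    out, mask_next = [], False
    for arg in argv:
        name, sep, _ = arg.partition("=")
        if mask_next and not arg.startswith("-"):
            out.append("****")
        elif sep and SECRET_FLAGS.match(name):
            out.append(name + "=****")
        else:
            out.append(arg)
        mask_next = bool(SECRET_FLAGS.match(arg))
    return out

if __name__ == "__main__":  # Linux only: audit processes visible to this user
    for pid in filter(str.isdigit, os.listdir("/proc")):
        try:
            with open(f"/proc/{pid}/cmdline", "rb") as fh:
                argv = parse_cmdline(fh.read())
        except OSError:
            continue  # process exited or is not readable
        if find_exposed_secrets(argv):
            print(pid, " ".join(redact(argv)))
```

Run on the Docker host, this lists only processes whose arguments still carry a secret; a container started with the password in a mounted config file produces no output for the Odoo process.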
