Examples: query, "exact match", wildcard*, wild?ard, wild*rd
Fuzzy search: cake~ (finds cakes, bake)
Term boost: "red velvet"^4, chocolate^2
Field grouping: tags:(+work -"fun-stuff")
Escaping: Escape characters +-&|!(){}[]^"~*?:\ with \, e.g. \+
Range search: properties.timestamp:[1587729413488 TO *] (inclusive), properties.title:{A TO Z}(excluding A and Z)
Combinations: chocolate AND vanilla, chocolate OR vanilla, (chocolate OR vanilla) NOT "vanilla pudding"
Field search: properties.title:"The Title" AND text
Answered
Hi All, Are There Any Alternatives To Storing User Credentials In

Hi all, are there any alternatives to storing user credentials in /opt/trains/config/apiserver.conf ? We don't like that the credentials are stored in plaintext, anyone with access to the server could open this file and will have a copy of everyone's login credentials.

  
  
Posted 4 years ago
Votes Newest

Answers 24


FYI - this is also documented in None

  
  
Posted 3 years ago

Hi @<1687643893996195840:profile|RoundCat60> ,

Passwords should be encrypted before being stored

That's definitely an option (we had the same idea), however it would mean a more complex configuration procedure and might male it hard for less-savvy people to setup the server. Considering the fact that anyone with access to the server can basically access all data anyway, as @<1523701205467926528:profile|AgitatedDove14> said, having the passwords for the account encrypted won't make or break you protection 🙂 .
BTW - if you're using AWS EC2, you can easily use the AWS Secrets Manager to store this information.

  
  
Posted 4 years ago

Some ideas, not all directly related to this:

  • Passwords should be encrypted before being stored
  • A mechanism on the server application to add/remove users, avoiding having to SSH on to the server would be nice
  • Some level of permissions in the application would be nice - Admin/Owner/Viewer restrictions which would dictate would users can do and give finer control
  
  
Posted 4 years ago

Hi @<1687643893996195840:profile|RoundCat60>

anyone with access to the server

Is that a thing? If you have access to the server Not sure how "protected" you are even if using a key ring...
(unfortunately I do not think we support anything else, but what did you have in mind?

  
  
Posted 4 years ago

The configuration can be provided using a configuration file (like apiserver.conf or services.conf ), or provided to the server as an environment variable (every configuration setting can be set using an environment variable in the form TRAINS__<path__to__configuration__setting>=<configuration value, base type of HOCON configuration format> )

  
  
Posted 4 years ago

Hi @<1687653458951278592:profile|StrangeStork48> , the easiest way is to read Amazon's AWS docs regarding the Secrets Manager. Once you manage to use that, you can simply "inject" any values you require into config files or environment variables.

  
  
Posted 4 years ago

I’m interested to understand how we can use secrets manager for password storage. Do you have any documentation on this?

  
  
Posted 4 years ago

Ah ok, so you don’t support secrets manager per se, you’re suggesting we build our own auth system using it?

  
  
Posted 4 years ago

For example TRAINS__APISERVER__AUTH__FIXED_USERS={"enabled": true, "users": [{"username": "foo", "name": "Foo", "password": "bar"}]}

  
  
Posted 4 years ago

That's right 🙂

  
  
Posted 4 years ago

Do you have a roadmap which includes resolving things like this

Security SSO etc. is usually out of scope for the open-source platform as it really makes the entire thing a lot harder to install and manage. That said I know that on the Enterprise solution they do have SSO and LDAP support and probably way more security features. I hope it helps 🙂

  
  
Posted 4 years ago

Hi @<1687653458951278592:profile|StrangeStork48>

secrets manager per se,

Quick question, are you running the trains-server over http or https ?

  
  
Posted 4 years ago

Quick question, are you running the trains-server over http or https ?

We’d be using https in production

  
  
Posted 4 years ago

If you can reverse the hash you’re doing it wrong. A hashed password should be of no use to anyone, that’s the whole point. The application should only ever compare the hashed values of a password. This is basic application security.

  
  
Posted 4 years ago

We’d be using https in production

Nice 🙂
@<1687653458951278592:profile|StrangeStork48> , I was reading this thread trying to understand what exactly is the security concern/fear here, and I'm not sure I fully understand. Any chance you can elaborate ?

  
  
Posted 4 years ago

Assuming it was hashed, the seed would be stored on the same server, so knowing both would allow me the same access, no?

  
  
Posted 4 years ago

The concern is that user’s passwords are stored in plain text.

  
  
Posted 4 years ago

  • Set hashed passwords with  pass_hashed: true
  • Generate passwords using  python3 -c 'import bcrypt,base64; print(base64.b64encode(bcrypt.hashpw("password".encode(), bcrypt.gensalt())))'  (obviously, replace "password" with the actual password). The resulting b64 string should be placed in the password field for each user.
    For example, assuming your password is "123456":
  • bash:
> python3 -c 'import bcrypt,base64; print(base64.b64encode(bcrypt.hashpw("123456".encode(), bcrypt.gensalt())))'
b'JDJiJDEyJDk3OHBFcHFlNEsxTkFoZDlPcGZsbC5sU1pmM3huZ1RpeHc0ay5WUjlzTzN5WE1WRXJrUmhp'
  • In  apiserver.conf  :
# A list of fixed users
fixed_users {
  enabled: true
  pass_hashed: true
  users: [
    {
      username: "john"
      password: "JDJiJDEyJDk3OHBFcHFlNEsxTkFoZDlPcGZsbC5sU1pmM3huZ1RpeHc0ay5WUjlzTzN5WE1WRXJrUmhp"
      name: "john doe"
    }
  ]
}
  
  
Posted 3 years ago

Great news! Thanks Martin.

  
  
Posted 3 years ago

This seems to me quite a fundamental security issue. Do you have a roadmap which includes resolving things like this?

  
  
Posted 4 years ago

Hi @<1687653458951278592:profile|StrangeStork48>

  • Agreed,
  • Notice this user/pass is only used for the initial authentication, after that all authentication is done via a signed JWT tokenHow about a GitHub issue with the feature request, if there is enough interest (or someone jumps in offering implementation) we can push it forward. What do you think?
  
  
Posted 4 years ago

this would not solve the issue of server admins knowing everybody’s passwords would it?

  
  
Posted 4 years ago

Hi @<1687653458951278592:profile|StrangeStork48>
I have good news, v1.0 is out with hashed passwords support.

  
  
Posted 3 years ago

Thanks. Where is the configuration stored on the server? Currently we have deployed an EC2 instance using the marketplace AMI - if this demo is successful we would be looking at splitting the environment into the different AWS services - logging to S3, use of secrets manager, elasticsearch, redis, mongoDB etc

I've looked through the documentation, but didn't initially spot anything that would help with doing this (granted I may have overlooked something)

  
  
Posted 4 years ago
454 Views
24 Answers
4 years ago
7 months ago
Tags
Similar posts