[REF] Create GraphDB password secrets from .txt files instead of env …

…variables (#84) * create GraphDB secrets from files rather than env vars * replace password env vars w/ secrets dir path * add placeholder secrets directory + files * update README * add NB_GRAPH_SECRETS_PATH to docker-compose.yml * add check in entrypoint that secrets are files and not empty
neurobagel · Sep 25, 2024 · 788247b · 788247b
1 parent 2a27db2
commit 788247b
Show file tree

Hide file tree

Showing 7 changed files with 25 additions and 13 deletions.
diff --git a/README.md b/README.md
@@ -26,7 +26,8 @@ For detailed instructions on deploying Neurobagel for your use case, see the off
     cp local_nb_nodes.template.json local_nb_nodes.json
     ```
 
-    Ensure to edit the configuration file(s) according to your deployment.
+    Ensure to edit the [configuration file(s)](https://neurobagel.org/config/) according to your deployment.
+    **We strongly recommend changing the default passwords for your GraphDB instance, which are set using `NB_GRAPH_ADMIN_PASSWORD.txt` and `NB_GRAPH_PASSWORD.txt` in the ./secrets subdirectory by default.**
 
     :warning: **Note**: You **must** change the value of the `NB_API_QUERY_URL` variable in the `.env` file before you can launch any service stack that includes a query tool (i.e., `full_stack`, `local_federation`). 
 See comments in the `.env` file for more information.

diff --git a/docker-compose.yml b/docker-compose.yml
@@ -79,9 +79,9 @@ services:
 
 secrets:
   db_admin_password:
-    environment: "NB_GRAPH_ADMIN_PASSWORD"
+    file: ${NB_GRAPH_SECRETS_PATH:-./secrets}/NB_GRAPH_ADMIN_PASSWORD.txt
   db_user_password:
-    environment: "NB_GRAPH_PASSWORD"
+    file: ${NB_GRAPH_SECRETS_PATH:-./secrets}/NB_GRAPH_PASSWORD.txt
 
 volumes:
   graphdb_home:
diff --git a/docs/neurobagel_environment_variables.tsv b/docs/neurobagel_environment_variables.tsv
@@ -1,10 +1,9 @@
-Environment variable	Set manually in .env?	Description	Default value if not set	Used in these installation modes
-`NB_GRAPH_ADMIN_PASSWORD`	Yes	Secure password to set for the admin user.	-	Docker
+Environment variable	Customization recommended?	Description	Default value if not set	Used in these installation modes
 `NB_GRAPH_USERNAME`	Yes	Username to set for the graph database user.	-	Docker, Python
-`NB_GRAPH_PASSWORD`	Yes	Secure password to set for the graph database user.	-	Docker, Python
+`NB_GRAPH_SECRETS_PATH`	Yes	Path to files containing the secure passwords to set for the admin user (NB_GRAPH_ADMIN_PASSWORD.txt) and graph database user (NB_GRAPH_PASSWORD.txt).	`./secrets`	Docker
 `NB_GRAPH_DB`	Yes	Name to give your graph database (e.g., for a GraphDB database, use the format `repositories/{database_name}`)	`repositories/my_db`	Docker, Python
 `LOCAL_GRAPH_DATA`	Yes	Path on your filesystem to the JSONLD files you want to upload to the graph database	`./data`	Docker
-`NB_API_ALLOWED_ORIGINS`	Yes, if using a frontend query tool ‡	Origins allowed to make cross-origin resource sharing requests. Multiple origins must be separated with spaces in a single string enclosed in quotes. See ‡ for more info	"`""""`"	Docker, Python
+`NB_API_ALLOWED_ORIGINS`	Yes, if using a frontend query tool	Origins allowed to make cross-origin resource sharing requests. Multiple origins must be separated with spaces in a single string enclosed in quotes.	"`""""`"	Docker, Python
 `NB_API_QUERY_URL`	Yes	URL (and port number, if needed) of the Neurobagel API that the query tool will send its requests to. The query tool sends requests from a user's machine, so ensure the API URL is provided *as a user would access it from their own machine*. See also the [query tool README](https://github.com/neurobagel/query-tool?tab=readme-ov-file#set-the-environment-variables).	-	Docker
 `NB_RETURN_AGG`	Yes	Whether to return only aggregate, dataset-level query results (excluding subject/session-level attributes). One of [true, false]	`true`	Docker, Python
 `NB_NAPI_TAG`	No	Docker image tag for the Neurobagel node API	`latest`	Docker
@@ -16,5 +15,5 @@ Environment variable	Set manually in .env?	Description	Default value if not set
 `NB_QUERY_PORT_HOST`	No	Port number used by the `query_tool` on the host machine	`3000`	Docker
 `NB_FEDERATE_REMOTE_PUBLIC_NODES`	Yes 	If "True", include public nodes in federation. If "False", only locally specified nodes in `local_nb_nodes.json` are queried.	`true`	Docker, Python
 `NB_QUERY_APP_BASE_PATH`	No	The URL path for the query tool, determines the specific URL at which the app should be rendered for users to access it	`/`	Docker
-`NB_ENABLE_AUTH`	Yes	**(Experimental, for dev deployments only)** Whether to enable authentication for cohort queries. One of [true, false]	`false`	Docker, Python
-`NB_QUERY_CLIENT_ID`	Yes	**(Experimental, for dev deployments only)** OAuth client ID for the query tool. Required if NB_ENABLE_AUTH is set to true.	-	Docker, Python
+`NB_ENABLE_AUTH`	No	**(Experimental, for dev deployments only)** Whether to enable authentication for cohort queries. One of [true, false]	`false`	Docker, Python
+`NB_QUERY_CLIENT_ID`	No	**(Experimental, for dev deployments only)** OAuth client ID for the query tool. Required if NB_ENABLE_AUTH is set to true.	-	Docker, Python
diff --git a/scripts/setup.sh b/scripts/setup.sh
@@ -3,6 +3,17 @@
 /opt/graphdb/dist/bin/graphdb -Dgraphdb.home=/opt/graphdb/home &
 GRAPHDB_PID=$!
 
+# If secrets files are empty (meaning passwords have not been set or password file paths are incorrect), error out and exit
+if [[ ! -f /run/secrets/db_admin_password || ! -s /run/secrets/db_admin_password ]]; then
+    echo -e "Error: NB_GRAPH_ADMIN_PASSWORD secret is missing or empty. Please ensure that {NB_GRAPH_SECRETS_PATH}/NB_GRAPH_ADMIN_PASSWORD.txt exists and is not empty.\nExiting."
+    exit 1
+fi
+
+if [[ ! -f /run/secrets/db_user_password || ! -s /run/secrets/db_user_password ]]; then
+    echo -e "Error: NB_GRAPH_PASSWORD secret is missing or empty. Please ensure that {NB_GRAPH_SECRETS_PATH}/NB_GRAPH_PASSWORD.txt exists and is not empty.\nExiting."
+    exit 1
+fi
+
 # TODO revisit/test this also once we document how users can change (in addition to the data files being uploaded) the variables to set up a non-tester database after a first-time deployment
 export NB_GRAPH_ADMIN_PASSWORD=$(cat /run/secrets/db_admin_password)
 export NB_GRAPH_PASSWORD=$(cat /run/secrets/db_user_password)

diff --git a/secrets/NB_GRAPH_ADMIN_PASSWORD.txt b/secrets/NB_GRAPH_ADMIN_PASSWORD.txt
@@ -0,0 +1 @@
+ADMINPASSWORD
diff --git a/secrets/NB_GRAPH_PASSWORD.txt b/secrets/NB_GRAPH_PASSWORD.txt
@@ -0,0 +1 @@
+DBPASSWORD
diff --git a/template.env b/template.env
@@ -18,12 +18,8 @@
 COMPOSE_PROJECT_NAME=neurobagel_node
 
 # ---- CONFIGURATION FOR graph ----
-# Replace ADMINPASSWORD with the secure password you want to set for the admin user
-NB_GRAPH_ADMIN_PASSWORD=ADMINPASSWORD
 # Replace DBUSER with the username you want to set for your graph database user
 NB_GRAPH_USERNAME=DBUSER
-# Replace DBPASSWORD with the secure password you want to set for the created database user
-NB_GRAPH_PASSWORD=DBPASSWORD
 # Replace my_db with the name you want to give your graph database
 NB_GRAPH_DB=repositories/my_db
 # Replace ./data with the path to your JSONLD files
@@ -32,6 +28,9 @@ LOCAL_GRAPH_DATA=./data
 # Additional configurable parameters - uncomment to change the defaults
 # Change NB_GRAPH_PORT_HOST if port 7200 is already in use on the machine
 # NB_GRAPH_PORT_HOST=7200
+# Replace ./secrets with the directory path containing the text files with your desired 
+# secure passwords for GraphDB (NB_GRAPH_ADMIN_PASSWORD.txt and NB_GRAPH_PASSWORD.txt)
+# NB_GRAPH_SECRETS_PATH=./secrets
 # ---------------------------------
 
 # ---- CONFIGURATION FOR n-API ----