diff --git a/README.md b/README.md index 90fb8c7..653410a 100644 --- a/README.md +++ b/README.md @@ -26,7 +26,8 @@ For detailed instructions on deploying Neurobagel for your use case, see the off cp local_nb_nodes.template.json local_nb_nodes.json ``` - Ensure to edit the configuration file(s) according to your deployment. + Ensure to edit the [configuration file(s)](https://neurobagel.org/config/) according to your deployment. + **We strongly recommend changing the default passwords for your GraphDB instance, which are set using `NB_GRAPH_ADMIN_PASSWORD.txt` and `NB_GRAPH_PASSWORD.txt` in the ./secrets subdirectory by default.** :warning: **Note**: You **must** change the value of the `NB_API_QUERY_URL` variable in the `.env` file before you can launch any service stack that includes a query tool (i.e., `full_stack`, `local_federation`). See comments in the `.env` file for more information. diff --git a/docker-compose.yml b/docker-compose.yml index c24fe88..568cc71 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -79,9 +79,9 @@ services: secrets: db_admin_password: - environment: "NB_GRAPH_ADMIN_PASSWORD" + file: ${NB_GRAPH_SECRETS_PATH:-./secrets}/NB_GRAPH_ADMIN_PASSWORD.txt db_user_password: - environment: "NB_GRAPH_PASSWORD" + file: ${NB_GRAPH_SECRETS_PATH:-./secrets}/NB_GRAPH_PASSWORD.txt volumes: graphdb_home: diff --git a/docs/neurobagel_environment_variables.tsv b/docs/neurobagel_environment_variables.tsv index 9076d8f..9f9e2c0 100644 --- a/docs/neurobagel_environment_variables.tsv +++ b/docs/neurobagel_environment_variables.tsv 
@@ -1,10 +1,9 @@ -Environment variable Set manually in .env? Description Default value if not set Used in these installation modes -`NB_GRAPH_ADMIN_PASSWORD` Yes Secure password to set for the admin user. - Docker +Environment variable Customization recommended? Description Default value if not set Used in these installation modes `NB_GRAPH_USERNAME` Yes Username to set for the graph database user. - Docker, Python -`NB_GRAPH_PASSWORD` Yes Secure password to set for the graph database user. - Docker, Python +`NB_GRAPH_SECRETS_PATH` Yes Path to files containing the secure passwords to set for the admin user (NB_GRAPH_ADMIN_PASSWORD.txt) and graph database user (NB_GRAPH_PASSWORD.txt). `./secrets` Docker `NB_GRAPH_DB` Yes Name to give your graph database (e.g., for a GraphDB database, use the format `repositories/{database_name}`) `repositories/my_db` Docker, Python `LOCAL_GRAPH_DATA` Yes Path on your filesystem to the JSONLD files you want to upload to the graph database `./data` Docker -`NB_API_ALLOWED_ORIGINS` Yes, if using a frontend query tool ‡ Origins allowed to make cross-origin resource sharing requests. Multiple origins must be separated with spaces in a single string enclosed in quotes. See ‡ for more info "`""""`" Docker, Python +`NB_API_ALLOWED_ORIGINS` Yes, if using a frontend query tool Origins allowed to make cross-origin resource sharing requests. Multiple origins must be separated with spaces in a single string enclosed in quotes. "`""""`" Docker, Python `NB_API_QUERY_URL` Yes URL (and port number, if needed) of the Neurobagel API that the query tool will send its requests to. The query tool sends requests from a user's machine, so ensure the API URL is provided *as a user would access it from their own machine*. See also the [query tool README](https://github.com/neurobagel/query-tool?tab=readme-ov-file#set-the-environment-variables). 
- Docker `NB_RETURN_AGG` Yes Whether to return only aggregate, dataset-level query results (excluding subject/session-level attributes). One of [true, false] `true` Docker, Python `NB_NAPI_TAG` No Docker image tag for the Neurobagel node API `latest` Docker @@ -16,5 +15,5 @@ Environment variable Set manually in .env? Description Default value if not set `NB_QUERY_PORT_HOST` No Port number used by the `query_tool` on the host machine `3000` Docker `NB_FEDERATE_REMOTE_PUBLIC_NODES` Yes If "True", include public nodes in federation. If "False", only locally specified nodes in `local_nb_nodes.json` are queried. `true` Docker, Python `NB_QUERY_APP_BASE_PATH` No The URL path for the query tool, determines the specific URL at which the app should be rendered for users to access it `/` Docker -`NB_ENABLE_AUTH` Yes **(Experimental, for dev deployments only)** Whether to enable authentication for cohort queries. One of [true, false] `false` Docker, Python -`NB_QUERY_CLIENT_ID` Yes **(Experimental, for dev deployments only)** OAuth client ID for the query tool. Required if NB_ENABLE_AUTH is set to true. - Docker, Python \ No newline at end of file +`NB_ENABLE_AUTH` No **(Experimental, for dev deployments only)** Whether to enable authentication for cohort queries. One of [true, false] `false` Docker, Python +`NB_QUERY_CLIENT_ID` No **(Experimental, for dev deployments only)** OAuth client ID for the query tool. Required if NB_ENABLE_AUTH is set to true. - Docker, Python \ No newline at end of file diff --git a/scripts/setup.sh b/scripts/setup.sh index 18cca8f..b801294 100755 --- a/scripts/setup.sh +++ b/scripts/setup.sh 
@@ -3,6 +3,17 @@ /opt/graphdb/dist/bin/graphdb -Dgraphdb.home=/opt/graphdb/home & GRAPHDB_PID=$! +# If secrets files are empty (meaning passwords have not been set or password file paths are incorrect), error out and exit +if [[ ! -f /run/secrets/db_admin_password || ! -s /run/secrets/db_admin_password ]]; then + echo -e "Error: NB_GRAPH_ADMIN_PASSWORD secret is missing or empty. Please ensure that {NB_GRAPH_SECRETS_PATH}/NB_GRAPH_ADMIN_PASSWORD.txt exists and is not empty.\nExiting." + exit 1 +fi + +if [[ ! -f /run/secrets/db_user_password || ! -s /run/secrets/db_user_password ]]; then + echo -e "Error: NB_GRAPH_PASSWORD secret is missing or empty. Please ensure that {NB_GRAPH_SECRETS_PATH}/NB_GRAPH_PASSWORD.txt exists and is not empty.\nExiting." + exit 1 +fi + # TODO revisit/test this also once we document how users can change (in addition to the data files being uploaded) the variables to set up a non-tester database after a first-time deployment export NB_GRAPH_ADMIN_PASSWORD=$(cat /run/secrets/db_admin_password) export NB_GRAPH_PASSWORD=$(cat /run/secrets/db_user_password) diff --git a/secrets/NB_GRAPH_ADMIN_PASSWORD.txt b/secrets/NB_GRAPH_ADMIN_PASSWORD.txt new file mode 100644 index 0000000..814c180 --- /dev/null +++ b/secrets/NB_GRAPH_ADMIN_PASSWORD.txt @@ -0,0 +1 @@ +ADMINPASSWORD \ No newline at end of file diff --git a/secrets/NB_GRAPH_PASSWORD.txt b/secrets/NB_GRAPH_PASSWORD.txt new file mode 100644 index 0000000..3b56fe1 --- /dev/null +++ b/secrets/NB_GRAPH_PASSWORD.txt @@ -0,0 +1 @@ +DBPASSWORD \ No newline at end of file diff --git a/template.env b/template.env index 6aacc9b..772e1a7 100644 --- a/template.env +++ b/template.env 
@@ -18,12 +18,8 @@ COMPOSE_PROJECT_NAME=neurobagel_node # ---- CONFIGURATION FOR graph ---- -# Replace ADMINPASSWORD with the secure password you want to set for the admin user -NB_GRAPH_ADMIN_PASSWORD=ADMINPASSWORD # Replace DBUSER with the username you want to set for your graph database user NB_GRAPH_USERNAME=DBUSER -# Replace DBPASSWORD with the secure password you want to set for the created database user -NB_GRAPH_PASSWORD=DBPASSWORD # Replace my_db with the name you want to give your graph database NB_GRAPH_DB=repositories/my_db # Replace ./data with the path to your JSONLD files @@ -32,6 +28,9 @@ LOCAL_GRAPH_DATA=./data # Additional configurable parameters - uncomment to change the defaults # Change NB_GRAPH_PORT_HOST if port 7200 is already in use on the machine # NB_GRAPH_PORT_HOST=7200 +# Replace ./secrets with the directory path containing the text files with your desired +# secure passwords for GraphDB (NB_GRAPH_ADMIN_PASSWORD.txt and NB_GRAPH_PASSWORD.txt) +# NB_GRAPH_SECRETS_PATH=./secrets # --------------------------------- # ---- CONFIGURATION FOR n-API ----
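Review bot: the new bold sentence in the README hunk names `./secrets` as the password location but says nothing about `NB_GRAPH_SECRETS_PATH`, which the compose and `template.env` hunks introduce as the way to keep the files outside the checkout; suggest "... in the directory set by `NB_GRAPH_SECRETS_PATH` (`./secrets` by default)" so readers learn the override where the passwords are first mentioned. The README also gives no instruction on how to write the files, so a short line that each file holds only the password (no quoting, no `KEY=value`) and should be readable only by the deploying user would save support questions.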
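Review bot: replacing `environment: "NB_GRAPH_ADMIN_PASSWORD"` with `file: ${NB_GRAPH_SECRETS_PATH:-./secrets}/NB_GRAPH_ADMIN_PASSWORD.txt` in the `secrets:` block is the right change, since the password no longer has to be present in `.env` or in the environment of the shell that runs `docker compose`; a comment above the two `file:` entries noting that the path is resolved relative to the compose file, and that the contents are mounted verbatim under `/run/secrets/` in the container, would help users who set `NB_GRAPH_SECRETS_PATH` to an absolute path elsewhere on the host.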
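Review bot: in the first `docs/neurobagel_environment_variables.tsv` hunk the description "Path to files containing the secure passwords ..." reads as if `NB_GRAPH_SECRETS_PATH` points at the files themselves, while the default `./secrets` and the compose change make it a directory; suggest "Path to the directory containing the files with the secure passwords ...". Separately, renaming the column from "Set manually in .env?" to "Customization recommended?" loses the distinction between recommended and required: `NB_API_QUERY_URL` keeps a plain "Yes" although the README hunk says the user **must** change it, so a "Required" marker or a third column value is needed for that row.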
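Review bot: the two new guards in the `scripts/setup.sh` hunk only reject a missing or empty secret, but the same patch ships `secrets/NB_GRAPH_ADMIN_PASSWORD.txt` and `secrets/NB_GRAPH_PASSWORD.txt` with the placeholder contents `ADMINPASSWORD` and `DBPASSWORD`, so the most likely mistake (never editing them) passes the check and GraphDB comes up with well-known credentials; suggest also failing when the file content equals the shipped placeholder, e.g. `if [[ "$(cat /run/secrets/db_admin_password)" == "ADMINPASSWORD" ]]; then echo "Error: default admin password still in use"; exit 1; fi`. Two smaller points: the checks run after `/opt/graphdb/dist/bin/graphdb ... &` has already been launched, so move them above that line to fail before the server starts; and the message text `{NB_GRAPH_SECRETS_PATH}/NB_GRAPH_ADMIN_PASSWORD.txt` prints the braces literally (the variable is not set inside the container), so either drop the braces or phrase it as "the directory configured via NB_GRAPH_SECRETS_PATH".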
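Review bot: the two new files under `secrets/` are committed with placeholder passwords, so once a user replaces `ADMINPASSWORD` and `DBPASSWORD` the real passwords appear as modifications to tracked files and are one `git add -A` away from a commit. The README already uses a template convention (`cp local_nb_nodes.template.json local_nb_nodes.json`); suggest the same here: commit template copies of the two password files, list the real ones in `.gitignore`, and add the copy step to the README's setup instructions.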
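Review bot: the second `template.env` hunk adds `# NB_GRAPH_SECRETS_PATH=./secrets` as an optional override, but nothing tells an existing deployer that the `NB_GRAPH_ADMIN_PASSWORD=` and `NB_GRAPH_PASSWORD=` lines removed in the first hunk are now ignored if they remain in an existing `.env`: the compose hunk no longer reads them, so an upgraded deployment silently falls through to whatever the secret files contain. Suggest a comment in the template and a line in the README or release notes telling users upgrading from the env-based setup to move their passwords into the files and delete the old variables from `.env`.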