21678: Passes credentials through conf file instead of env vars.

To avoid leaking the token to the remote host process list, and also
minimize the exposure on the local host, instead of passing the credentials
through environment variables, we build a conf file that get piped to ssh
via stdout/stdin.

Arvados-DCO-1.1-Signed-off-by: Lucas Di Pentima <lucas.dipentima@curii.com>

diff --git a/tools/salt-install/installer.sh b/tools/salt-install/installer.sh
index a62a780032ca2b9531e139e39acc4d37e3d0ca20..9930fd7708a8a8f315b4a97f79a6125ea7062bc9 100755 (executable)
--- a/tools/salt-install/installer.sh
+++ b/tools/salt-install/installer.sh
@@ -458,13 +458,27 @@ diagnostics-internal)
     exit 1
   fi
 
+  export ARVADOS_API_HOST="${DOMAIN}:${CONTROLLER_EXT_SSL_PORT}"
+  export ARVADOS_API_TOKEN="$SYSTEM_ROOT_TOKEN"
+
   # Pick the first shell node for test running
   declare TESTNODE=$(echo ${ROLE2NODES['shell']} | cut -d\, -f1)
+  declare SSH=$(ssh_cmd "$TESTNODE")
+
+  # Set up credentials
+  declare CONFFILE=$(mktemp)
+  trap 'rm "$CONFFILE"' EXIT INT TERM QUIT
+  {
+    echo "ARVADOS_API_HOST=$ARVADOS_API_HOST"
+    echo "ARVADOS_API_TOKEN=$ARVADOS_API_TOKEN"
+  } > $CONFFILE
+  $SSH $DEPLOY_USER@$TESTNODE "sudo bash -c 'mkdir -m 0700 -p ~/.config/arvados'"
+  cat $CONFFILE | $SSH $DEPLOY_USER@$TESTNODE "sudo bash -c 'cat > ~/.config/arvados/settings.conf'"
 
   # Run diagnostics
-  declare SSH=$(ssh_cmd "$TESTNODE")
-  echo "Running diagnostics on $TESTNODE ..."
-  $SSH $DEPLOY_USER@$TESTNODE "sudo ARVADOS_API_HOST=${DOMAIN}:${CONTROLLER_EXT_SSL_PORT} ARVADOS_API_TOKEN=$SYSTEM_ROOT_TOKEN arvados-client diagnostics -internal-client"
+  echo "Running diagnostics in $TESTNODE..."
+  $SSH $DEPLOY_USER@$TESTNODE "sudo arvados-client diagnostics -internal-client"
+
   ;;
 
 *)