From ef4f350438ec7465b5fd71aeda834c2a707b80b3 Mon Sep 17 00:00:00 2001
From: Lucas Di Pentima
Date: Mon, 13 May 2024 15:00:46 -0300
Subject: [PATCH] 21678: Passes credentials through conf file instead of env vars.

To avoid leaking the token to the remote host process list, and also minimize the exposure on the local host, instead of passing the credentials through environment variables, we build a conf file that get piped to ssh via stdout/stdin.

Arvados-DCO-1.1-Signed-off-by: Lucas Di Pentima
---
 tools/salt-install/installer.sh | 20 +++++++++++++++++---
 1 file changed, 17 insertions(+), 3 deletions(-)

diff --git a/tools/salt-install/installer.sh b/tools/salt-install/installer.sh
index a62a780032..9930fd7708 100755
--- a/tools/salt-install/installer.sh
+++ b/tools/salt-install/installer.sh
@@ -458,13 +458,27 @@ diagnostics-internal)
 exit 1
 fi
+ export ARVADOS_API_HOST="${DOMAIN}:${CONTROLLER_EXT_SSL_PORT}"
+ export ARVADOS_API_TOKEN="$SYSTEM_ROOT_TOKEN"
+
 # Pick the first shell node for test running
 declare TESTNODE=$(echo ${ROLE2NODES['shell']} | cut -d\, -f1)
+ declare SSH=$(ssh_cmd "$TESTNODE")
+
+ # Set up credentials
+ declare CONFFILE=$(mktemp)
+ trap 'rm "$CONFFILE"' EXIT INT TERM QUIT
+ {
+ echo "ARVADOS_API_HOST=$ARVADOS_API_HOST"
+ echo "ARVADOS_API_TOKEN=$ARVADOS_API_TOKEN"
+ } > $CONFFILE
+ $SSH $DEPLOY_USER@$TESTNODE "sudo bash -c 'mkdir -m 0700 -p ~/.config/arvados'"
+ cat $CONFFILE | $SSH $DEPLOY_USER@$TESTNODE "sudo bash -c 'cat > ~/.config/arvados/settings.conf'"
 # Run diagnostics
- declare SSH=$(ssh_cmd "$TESTNODE")
- echo "Running diagnostics on $TESTNODE ..."
- $SSH $DEPLOY_USER@$TESTNODE "sudo ARVADOS_API_HOST=${DOMAIN}:${CONTROLLER_EXT_SSL_PORT} ARVADOS_API_TOKEN=$SYSTEM_ROOT_TOKEN arvados-client diagnostics -internal-client"
+ echo "Running diagnostics in $TESTNODE..."
+ $SSH $DEPLOY_USER@$TESTNODE "sudo arvados-client diagnostics -internal-client"
+
 ;;
 *)
--
2.30.2
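Review bot: The remote `cat > ~/.config/arvados/settings.conf` creates the file holding SYSTEM_ROOT_TOKEN under whatever umask the sudo'd bash has, and nothing removes it once diagnostics finish, so the root token stays on the shell node after the run (the trap only cleans up the local temp file). `mkdir -m 0700 -p` sets the mode only on a directory it creates, so an existing `~/.config/arvados` with looser permissions is left as it is. I would write the file with `sudo bash -c 'umask 077; cat > ~/.config/arvados/settings.conf'` and follow the diagnostics call with `$SSH $DEPLOY_USER@$TESTNODE "sudo bash -c 'rm -f ~/.config/arvados/settings.conf'"`; this step also replaces any settings.conf already present for that account, which may need a backup or a dedicated path. The two `export` lines put the token into the environment of every later child process on the local host, which looks unnecessary since the `echo` lines could read `$SYSTEM_ROOT_TOKEN` directly. The `diagnostics-internal)` arm begins above this hunk.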