This is an automated email from the ASF dual-hosted git repository.

dimas pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/polaris.git


The following commit(s) were added to refs/heads/main by this push:
     new 929726c3e security(getting-started): enforce stronger postgres 
password and restrict database access (#3570)
929726c3e is described below

commit 929726c3e37bc8af7863e35bf670c2c43258369e
Author: Pierre Laporte <[email protected]>
AuthorDate: Tue Feb 3 01:21:51 2026 +0100

    security(getting-started): enforce stronger postgres password and restrict 
database access (#3570)
    
    * security(getting-started): enforce strong postgres passwords and restrict 
database access
    
    - Add POSTGRES_PASSWORD environment variable to specify the Postgres
      database password.
    - Add validation to reject weak default "postgres" password.
    - Generate random 16-character password if POSTGRES_PASSWORD is not
      provided.
    - Replace all hardcoded "postgres" password references with
      $POSTGRES_PASSWORD variable.
    - Restrict Azure PostgreSQL access to VM's public IP using
      `--public-access` flag. This aligns security posture across AWS
      (VPC-only), Azure (IP-restricted), and GCP (authorized-networks)
    - Update documentation site to describe the POSTGRES_PASSWORD
      environment variable.
---
 getting-started/assets/cloud_providers/deploy-aws.sh   | 15 +++++++++++++--
 getting-started/assets/cloud_providers/deploy-azure.sh | 18 ++++++++++++++++--
 getting-started/assets/cloud_providers/deploy-gcp.sh   | 15 +++++++++++++--
 .../deploying-polaris/cloud-deploy/deploy-aws.md       | 12 ++++++++++++
 .../deploying-polaris/cloud-deploy/deploy-azure.md     | 12 ++++++++++++
 .../deploying-polaris/cloud-deploy/deploy-gcp.md       | 12 ++++++++++++
 6 files changed, 78 insertions(+), 6 deletions(-)

diff --git a/getting-started/assets/cloud_providers/deploy-aws.sh 
b/getting-started/assets/cloud_providers/deploy-aws.sh
index 70ef64ada..a6fea1de1 100755
--- a/getting-started/assets/cloud_providers/deploy-aws.sh
+++ b/getting-started/assets/cloud_providers/deploy-aws.sh
@@ -17,6 +17,17 @@
 # under the License.
 #
 
+# Handle POSTGRES_PASSWORD validation and generation
+if [ "$POSTGRES_PASSWORD" = "postgres" ]; then
+  echo "ERROR: Using 'postgres' as the database password is not allowed. 
Please set the environment variable POSTGRES_PASSWORD to a strong password."
+  exit 1
+elif [ -z "$POSTGRES_PASSWORD" ]; then
+  POSTGRES_PASSWORD=$(head /dev/urandom | tr -dc 'a-zA-Z0-9' | head -c 16)
+  echo "WARNING: POSTGRES_PASSWORD not provided. Generated random password: 
$POSTGRES_PASSWORD"
+else
+  echo "INFO: Using provided POSTGRES_PASSWORD"
+fi
+
 EC2_INSTANCE_ID=$(cat /var/lib/cloud/data/instance-id)
 
 DESCRIBE_INSTANCE=$(aws ec2 describe-instances \
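Review bot: The generated password is echoed to stdout in the `elif [ -z "$POSTGRES_PASSWORD" ]` branch, so it ends up wherever the script's output is captured (terminal scrollback, provisioning or CI logs); the identical block is added to deploy-azure.sh and deploy-gcp.sh. Writing the value to an owner-only file and printing only its path on stderr keeps the secret out of log capture, and the docs bullet saying the password is displayed in the script output would have to change with it. Separately, the first test rejects only the literal `postgres`, so any other short or guessable value is accepted even though the error message asks for a strong password. A minimum-length check, as sketched below with an illustrative threshold of 12, would close that gap.

```shell
# … unchanged: rejection of the literal "postgres" …
elif [ -z "$POSTGRES_PASSWORD" ]; then
  POSTGRES_PASSWORD=$(head /dev/urandom | tr -dc 'a-zA-Z0-9' | head -c 16)
  # mktemp creates the file readable and writable by its owner only
  PASSWORD_FILE=$(mktemp) || exit 1
  printf '%s\n' "$POSTGRES_PASSWORD" > "$PASSWORD_FILE"
  echo "WARNING: POSTGRES_PASSWORD not provided. Generated password saved to $PASSWORD_FILE" >&2
elif [ "${#POSTGRES_PASSWORD}" -lt 12 ]; then
  echo "ERROR: POSTGRES_PASSWORD must be at least 12 characters." >&2
  exit 1
# … unchanged: else branch reporting that the provided password is used …
```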
@@ -50,7 +61,7 @@ DB_INSTANCE_INFO=$(aws rds create-db-instance \
   --db-instance-class db.t3.micro \
   --engine postgres \
   --master-username postgres \
-  --master-user-password postgres \
+  --master-user-password "$POSTGRES_PASSWORD" \
   --db-name POLARIS \
   --db-subnet-group-name $SUBNET_GROUP_NAME \
   --allocated-storage 10)
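Review bot: `--master-user-password "$POSTGRES_PASSWORD"` puts the secret on the aws command line, where other local users can see it in the process list and where any `set -x` trace records it. The same applies to `-p "$POSTGRES_PASSWORD"` in deploy-azure.sh and `--root-password="$POSTGRES_PASSWORD"` in deploy-gcp.sh. For RDS, `--manage-master-user-password` lets the service generate and hold the master password in Secrets Manager instead, at the cost of the script then having to fetch it for `QUARKUS_DATASOURCE_PASSWORD`. A user-supplied value is also forwarded unchecked; as far as I know RDS rejects master passwords shorter than 8 characters or containing `/`, `@` or `"`, so a bad value fails only at this call, after earlier resources were created. The `aws rds create-db-instance` command starts above this hunk.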
@@ -69,7 +80,7 @@ done
 POSTGRES_ADDR=$(echo $DESCRIBE_DB | jq -r '.["DBInstances"][0]["Endpoint"]' | 
jq -r '"\(.Address):\(.Port)"')
 export QUARKUS_DATASOURCE_JDBC_URL=$(printf '%s' 
"jdbc:postgresql://$POSTGRES_ADDR/POLARIS")
 export QUARKUS_DATASOURCE_USERNAME=postgres
-export QUARKUS_DATASOURCE_PASSWORD=postgres
+export QUARKUS_DATASOURCE_PASSWORD="$POSTGRES_PASSWORD"
 echo $QUARKUS_DATASOURCE_JDBC_URL
 
 S3_BUCKET_NAME="polaris-quickstart-s3-$RANDOM_SUFFIX"
diff --git a/getting-started/assets/cloud_providers/deploy-azure.sh 
b/getting-started/assets/cloud_providers/deploy-azure.sh
index 6dfe9a569..99f60015e 100755
--- a/getting-started/assets/cloud_providers/deploy-azure.sh
+++ b/getting-started/assets/cloud_providers/deploy-azure.sh
@@ -17,6 +17,17 @@
 # under the License.
 #
 
+# Handle POSTGRES_PASSWORD validation and generation
+if [ "$POSTGRES_PASSWORD" = "postgres" ]; then
+  echo "ERROR: Using 'postgres' as the database password is not allowed. 
Please set the environment variable POSTGRES_PASSWORD to a strong password."
+  exit 1
+elif [ -z "$POSTGRES_PASSWORD" ]; then
+  POSTGRES_PASSWORD=$(head /dev/urandom | tr -dc 'a-zA-Z0-9' | head -c 16)
+  echo "WARNING: POSTGRES_PASSWORD not provided. Generated random password: 
$POSTGRES_PASSWORD"
+else
+  echo "INFO: Using provided POSTGRES_PASSWORD"
+fi
+
 DESCRIBE_INSTANCE=$(curl -H Metadata:true 
"http://169.254.169.254/metadata/instance?api-version=2021-02-01";)
 CURRENT_RESOURCE_GROUP=$(echo $DESCRIBE_INSTANCE | jq -r 
'.compute.resourceGroupName')
 CURRENT_REGION=$(echo $DESCRIBE_INSTANCE | jq -r '.compute.location')
@@ -24,14 +35,17 @@ CURRENT_VM_NAME=$(echo $DESCRIBE_INSTANCE | jq -r 
'.compute.name')
 RANDOM_SUFFIX=$(head /dev/urandom | tr -dc 'a-z0-9' | head -c 8)
 INSTANCE_NAME="polaris-backend-test-$RANDOM_SUFFIX"
 
-CREATE_DB_RESPONSE=$(az postgres flexible-server create -l $CURRENT_REGION -g 
$CURRENT_RESOURCE_GROUP -n $INSTANCE_NAME -u postgres -p postgres -y)
+# Get the VM's public IP to restrict database access
+INSTANCE_IP=$(az vm list-ip-addresses --name $CURRENT_VM_NAME --resource-group 
$CURRENT_RESOURCE_GROUP --query 
"[0].virtualMachine.network.publicIpAddresses[0].ipAddress" -o tsv)
+
+CREATE_DB_RESPONSE=$(az postgres flexible-server create -l $CURRENT_REGION -g 
$CURRENT_RESOURCE_GROUP -n $INSTANCE_NAME -u postgres -p "$POSTGRES_PASSWORD" 
--public-access $INSTANCE_IP -y)
 
 az postgres flexible-server db create -g $CURRENT_RESOURCE_GROUP -s 
$INSTANCE_NAME -d POLARIS
 
 POSTGRES_ADDR=$(echo $CREATE_DB_RESPONSE | jq -r '.host')
 export QUARKUS_DATASOURCE_JDBC_URL=$(printf '%s' 
"jdbc:postgresql://$POSTGRES_ADDR/POLARIS")
 export QUARKUS_DATASOURCE_USERNAME=postgres
-export QUARKUS_DATASOURCE_PASSWORD=postgres
+export QUARKUS_DATASOURCE_PASSWORD="$POSTGRES_PASSWORD"
 echo $QUARKUS_DATASOURCE_JDBC_URL
 
 STORAGE_ACCOUNT_NAME="polaristest$RANDOM_SUFFIX"
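Review bot: `INSTANCE_IP` is used without checking that the lookup returned anything, and it is expanded unquoted in `--public-access $INSTANCE_IP -y`. If the VM has no public IP or `az vm list-ip-addresses` fails, the variable is empty and the flag loses its argument, so the resulting access setting depends on how the CLI parses `--public-access -y` rather than on this script. Failing closed before the create call would make the restriction dependable: `[ -n "$INSTANCE_IP" ] || { echo "ERROR: could not determine the VM public IP" >&2; exit 1; }`, then pass `--public-access "$INSTANCE_IP"`.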
diff --git a/getting-started/assets/cloud_providers/deploy-gcp.sh 
b/getting-started/assets/cloud_providers/deploy-gcp.sh
index 51a62e392..f4fb45762 100755
--- a/getting-started/assets/cloud_providers/deploy-gcp.sh
+++ b/getting-started/assets/cloud_providers/deploy-gcp.sh
@@ -17,6 +17,17 @@
 # under the License.
 #
 
+# Handle POSTGRES_PASSWORD validation and generation
+if [ "$POSTGRES_PASSWORD" = "postgres" ]; then
+  echo "ERROR: Using 'postgres' as the database password is not allowed. 
Please set the environment variable POSTGRES_PASSWORD to a strong password."
+  exit 1
+elif [ -z "$POSTGRES_PASSWORD" ]; then
+  POSTGRES_PASSWORD=$(head /dev/urandom | tr -dc 'a-zA-Z0-9' | head -c 16)
+  echo "WARNING: POSTGRES_PASSWORD not provided. Generated random password: 
$POSTGRES_PASSWORD"
+else
+  echo "INFO: Using provided POSTGRES_PASSWORD"
+fi
+
 CURRENT_ZONE=$(curl -H "Metadata-Flavor: Google" 
"http://169.254.169.254/computeMetadata/v1/instance/zone"; | awk -F/ '{print 
$NF}')
 CURRENT_REGION=$(echo $CURRENT_ZONE | sed 's/-[a-z]$//')
 VM_INSTANCE_NAME=$(curl -H "Metadata-Flavor: Google" 
"http://169.254.169.254/computeMetadata/v1/instance/name";)
@@ -31,14 +42,14 @@ gcloud sql instances create $DB_INSTANCE_NAME \
   --region=$CURRENT_REGION \
   --tier=db-perf-optimized-N-4 \
   --edition=ENTERPRISE_PLUS \
-  --root-password=postgres \
+  --root-password="$POSTGRES_PASSWORD" \
   --authorized-networks="$INSTANCE_IP/32"
 
 gcloud sql databases create POLARIS --instance=$DB_INSTANCE_NAME
 
 export QUARKUS_DATASOURCE_JDBC_URL=$(printf '%s' 
"jdbc:postgresql://$POSTGRES_ADDR/POLARIS")
 export QUARKUS_DATASOURCE_USERNAME=postgres
-export QUARKUS_DATASOURCE_PASSWORD=postgres
+export QUARKUS_DATASOURCE_PASSWORD="$POSTGRES_PASSWORD"
 echo $QUARKUS_DATASOURCE_JDBC_URL
 
 GCS_BUCKET_NAME="polaris-test-gcs-$RANDOM_SUFFIX"
diff --git 
a/site/content/in-dev/unreleased/getting-started/deploying-polaris/cloud-deploy/deploy-aws.md
 
b/site/content/in-dev/unreleased/getting-started/deploying-polaris/cloud-deploy/deploy-aws.md
index 452deb2f5..694c061bc 100644
--- 
a/site/content/in-dev/unreleased/getting-started/deploying-polaris/cloud-deploy/deploy-aws.md
+++ 
b/site/content/in-dev/unreleased/getting-started/deploying-polaris/cloud-deploy/deploy-aws.md
@@ -40,9 +40,21 @@ The requirements to run the script below are:
 export ASSETS_PATH=$(pwd)/getting-started/assets/
 export CLIENT_ID=root
 export CLIENT_SECRET=s3cr3t
+export POSTGRES_PASSWORD=your_secure_password  # Optional: If not set, a 
random password will be generated
 ./getting-started/assets/cloud_providers/deploy-aws.sh
 ```
 
+### Environment Variables
+
+The deployment script accepts the following environment variables:
+
+* **`ASSETS_PATH`** (required): Path to the getting-started assets directory
+* **`CLIENT_ID`** (required): Client ID for Polaris authentication
+* **`CLIENT_SECRET`** (required): Client secret for Polaris authentication
+* **`POSTGRES_PASSWORD`** (optional): Password for the PostgreSQL database
+  * If not provided, a random 16-character password will be automatically 
generated and will be displayed in the script output
+  * Cannot be set to `postgres` for security reasons
+
 ## Next Steps
 Congrats, you now have a running instance of Polaris! For further information 
regarding how to use Polaris,
 check out the [Creating a Catalog]({{% ref "../../creating-a-catalog" %}}) and
diff --git 
a/site/content/in-dev/unreleased/getting-started/deploying-polaris/cloud-deploy/deploy-azure.md
 
b/site/content/in-dev/unreleased/getting-started/deploying-polaris/cloud-deploy/deploy-azure.md
index ddb401168..10087e3f3 100644
--- 
a/site/content/in-dev/unreleased/getting-started/deploying-polaris/cloud-deploy/deploy-azure.md
+++ 
b/site/content/in-dev/unreleased/getting-started/deploying-polaris/cloud-deploy/deploy-azure.md
@@ -35,9 +35,21 @@ The requirements to run the script below are:
 export ASSETS_PATH=$(pwd)/getting-started/assets/
 export CLIENT_ID=root
 export CLIENT_SECRET=s3cr3t
+export POSTGRES_PASSWORD=your_secure_password  # Optional: If not set, a 
random password will be generated
 ./getting-started/assets/cloud_providers/deploy-azure.sh
 ```
 
+### Environment Variables
+
+The deployment script accepts the following environment variables:
+
+* **`ASSETS_PATH`** (required): Path to the getting-started assets directory
+* **`CLIENT_ID`** (required): Client ID for Polaris authentication
+* **`CLIENT_SECRET`** (required): Client secret for Polaris authentication
+* **`POSTGRES_PASSWORD`** (optional): Password for the PostgreSQL database
+  * If not provided, a random 16-character password will be automatically 
generated and will be displayed in the script output
+  * Cannot be set to `postgres` for security reasons
+
 ## Next Steps
 Congrats, you now have a running instance of Polaris! For further information 
regarding how to use Polaris,
 check out the [Creating a Catalog]({{% ref "../../creating-a-catalog" %}}) and
diff --git 
a/site/content/in-dev/unreleased/getting-started/deploying-polaris/cloud-deploy/deploy-gcp.md
 
b/site/content/in-dev/unreleased/getting-started/deploying-polaris/cloud-deploy/deploy-gcp.md
index ca40a1544..742d715c6 100644
--- 
a/site/content/in-dev/unreleased/getting-started/deploying-polaris/cloud-deploy/deploy-gcp.md
+++ 
b/site/content/in-dev/unreleased/getting-started/deploying-polaris/cloud-deploy/deploy-gcp.md
@@ -35,9 +35,21 @@ The requirements to run the script below are:
 export ASSETS_PATH=$(pwd)/getting-started/assets/
 export CLIENT_ID=root
 export CLIENT_SECRET=s3cr3t
+export POSTGRES_PASSWORD=your_secure_password  # Optional: If not set, a 
random password will be generated
 ./getting-started/assets/cloud_providers/deploy-gcp.sh
 ```
 
+### Environment Variables
+
+The deployment script accepts the following environment variables:
+
+* **`ASSETS_PATH`** (required): Path to the getting-started assets directory
+* **`CLIENT_ID`** (required): Client ID for Polaris authentication
+* **`CLIENT_SECRET`** (required): Client secret for Polaris authentication
+* **`POSTGRES_PASSWORD`** (optional): Password for the PostgreSQL database
+  * If not provided, a random 16-character password will be automatically 
generated and will be displayed in the script output
+  * Cannot be set to `postgres` for security reasons
+
 ## Next Steps
 Congrats, you now have a running instance of Polaris! For further information 
regarding how to use Polaris,
 check out the [Creating a Catalog]({{% ref "../../creating-a-catalog" %}}) and
