pingtimeout opened a new pull request, #3570:
URL: https://github.com/apache/polaris/pull/3570

   This is not really a security issue in the codebase.  More of an improvement 
on the getting started.
   
   The getting started guide for Azure exposes a database to the entire 
internet, which is a problem considering that the default username and password 
for Postgres are used.  This PR includes the following changes:
   
   - Add POSTGRES_PASSWORD environment variable to specify the Postgres 
database password.
   - Add validation to reject weak default "postgres" password.
   - Generate random 16-character password if POSTGRES_PASSWORD is not provided.
   - Replace all hardcoded "postgres" password references with 
$POSTGRES_PASSWORD variable.
   - Restrict Azure PostgreSQL access to VM's public IP using `--public-access` 
flag. This aligns security posture across AWS (VPC-only), Azure 
(IP-restricted), and GCP (authorized-networks)
   - Update documentation site to describe the POSTGRES_PASSWORD environment 
variable.
   
   ## Checklist
   - [x] 🛡️ Don't disclose security issues! (contact [email protected])
   - [x] 🔗 Clearly explained why the changes are needed, or linked related 
issues: Fixes #
   - [x] 🧪 Added/updated tests with good coverage, or manually tested (and 
explained how)
   - [ ] 💡 Added comments for complex logic
   - [ ] 🧾 Updated `CHANGELOG.md` (if needed)
   - [x] 📚 Updated documentation in `site/content/in-dev/unreleased` (if needed)
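Added example (not the PR's own change set or the Polaris getting-started script): a POSIX shell fragment that applies the three password rules the PR body describes (reject the default `postgres` password, generate a random 16-character one when `POSTGRES_PASSWORD` is unset, otherwise use the supplied value) and builds the Azure create command with `--public-access` limited to a single IP. The resource group and server names, the `203.0.113.7` address, and the exact `az postgres flexible-server create` argument set are assumptions; the real script obtains the VM's public IP and its own names.

```shell
#!/bin/sh
# Added example; not the Polaris getting-started script.

# Returns 0 if the password is acceptable, 1 if it is the weak default.
validate_postgres_password() {
  case "$1" in
    postgres) return 1 ;;   # the documented default is rejected
    *)        return 0 ;;
  esac
}

# Prints a random 16-character alphanumeric password (no trailing newline).
generate_postgres_password() {
  LC_ALL=C tr -dc 'A-Za-z0-9' </dev/urandom | head -c 16
}

# Resolves the password from POSTGRES_PASSWORD:
#   unset/empty  -> generate one and say so on stderr
#   "postgres"   -> fail with an error
#   anything else -> use as given
resolve_postgres_password() {
  pw="${POSTGRES_PASSWORD:-}"
  if [ -z "$pw" ]; then
    pw=$(generate_postgres_password)
    echo "POSTGRES_PASSWORD not set; generated a random 16-character password" >&2
  elif ! validate_postgres_password "$pw"; then
    echo "error: POSTGRES_PASSWORD must not be the default 'postgres'" >&2
    return 1
  fi
  printf '%s' "$pw"
}

# Prints (does not run) the az command that creates the server with public
# access restricted to one address. Arguments: resource-group, server-name,
# password, allowed-ip. The argument set is an assumption for illustration.
azure_postgres_create_cmd() {
  printf 'az postgres flexible-server create --resource-group %s --name %s --admin-user postgres --admin-password %s --public-access %s\n' \
    "$1" "$2" "$3" "$4"
}

# Stand-alone run: resolve the password and show the command that would be issued.
# (The IP below is a constructed placeholder standing in for the VM's public IP.)
if [ "${0##*/}" != "sh" ] && [ -z "${POLARIS_EXAMPLE_NO_MAIN:-}" ]; then
  pw=$(resolve_postgres_password) || exit 1
  azure_postgres_create_cmd my-resource-group my-polaris-db "$pw" 203.0.113.7
fi
```

Running it with `POSTGRES_PASSWORD=postgres` exits with the error; running it with the variable unset prints the generated password notice and a command whose `--public-access` value is the single placeholder address rather than the whole internet.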
   