zrhoffman opened a new issue, #7202: URL: https://github.com/apache/trafficcontrol/issues/7202
<!-- ************ STOP!! ************ If this issue identifies a security vulnerability, DO NOT submit it! Instead, contact the Apache Traffic Control Security Team at [email protected] and follow the guidelines at https://apache.org/security regarding vulnerability disclosure. - For *SUPPORT QUESTIONS*, use the #traffic-control channel on the ASF slack (https://s.apache.org/tc-slack-request) or the Traffic Control Users mailing list (send an email to [email protected] to subscribe). - Before submitting, please **SEARCH GITHUB** for a similar issue or PR * https://github.com/apache/trafficcontrol/issues * https://github.com/apache/trafficcontrol/pulls --> <!-- Do not submit security vulnerabilities or support requests here - see above --> ## This Improvement request (usability, performance, tech debt, etc.) affects these Traffic Control components: <!-- delete all those that don't apply --> - Traffic Ops ## Current behavior: <!-- Describe how the current features are insufficient. --> The Traffic Ops `db/admin` tool relies on the `postgres` user requiring no password when connecting as root. https://github.com/apache/trafficcontrol/blob/02b9f0444cdee24dd14c0be852b276415d5468c0/traffic_ops/app/db/admin.go#L307 #7142, which made Traffic Ops run as a non-root user, set `PGPASSWORD` for the entire binary, which worked for Dev CDN in a Box because the password in `dbconf.yml`, which this strategy set `PGPASSWORD` to, https://github.com/apache/trafficcontrol/blob/02b9f0444cdee24dd14c0be852b276415d5468c0/dev/traffic_ops/dbconf.yml#L21 happened to be `"twelve12"`, the same password set for the `postgres` user of the Postgres server. https://github.com/apache/trafficcontrol/blob/02b9f0444cdee24dd14c0be852b276415d5468c0/docker-compose.yml#L46 However, once #7142 was merge, the Cache Config integration tests started failing, because its `postgres` user password https://github.com/apache/trafficcontrol/blob/02b9f0444cdee24dd14c0be852b276415d5468c0/cache-config/testing/docker/variables.env#L31 is different than its `traffic_ops` password (which ends up in `dbconf.yml`). https://github.com/apache/trafficcontrol/blob/02b9f0444cdee24dd14c0be852b276415d5468c0/cache-config/testing/docker/variables.env#L35-L36 https://github.com/apache/trafficcontrol/blob/02b9f0444cdee24dd14c0be852b276415d5468c0/cache-config/testing/docker/traffic_ops/run.sh#L98 We reverted the change to `db/admin` from #7142 in #7198 to make the Cache Config integration tests pass again without knowing, at the time, why that change made them fail. As a side note, find the reason the Cache Config integration tests were failing was not straightforward because the errors go only to a file that is not printed to the `to_server` container's output anywhere. https://github.com/apache/trafficcontrol/blob/02b9f0444cdee24dd14c0be852b276415d5468c0/cache-config/testing/docker/traffic_ops/run.sh#L144-L145 ## New behavior: <!-- Describe how this change would improve Traffic Control --> - `db/admin` should not depend on the `postgres` user requiring no password when the connecting client is the `root` user locally. - In CDN in a Box for Developers, the `postgres` password should not be the same as the `traffic_ops` password, because that potentially hides issues like this one. -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected]
