On Thu, Oct 3, 2019 at 9:48 AM Ganesh Murthy <gmur...@redhat.com> wrote:

> Hello All,
>       The router has an attribute called password in the sslProfile entity.
> In version 1.2, this attribute was deprecated in favor of the passwordFile
> attribute where you specify the absolute path of the file containing the
> password. It is good practice to not put the plain text password directly
> in the router config file.
>
> In the password field or in the file containing the password, you could add
> prefixes like env: and literal: and follow it with an environment variable
> containing the password or a literal password respectively.
>
> To simplify all this, I am proposing that we deprecate the passwordFile
> field and consolidate all password scenarios to use the password field. We
> will use the password options that openssl
> <https://www.openssl.org/docs/man1.1.1/man1/openssl.html> uses (see Pass
> Phrase Options sections).


Just to clarify my understanding:

The openssl implementation also supports the prefixes "fd:" and the value
"stdin".  I'm assuming the router would not support these, correct?
I'm not asking for "fd:" or "stdin" to be supported btw.  Just want to be
sure.



> Going forward, here are three ways to specify a
> password in an sslProfile
>
> sslProfile {
>       caCertFile: .....
>       certFile: .....
>       # Get the password from the environment variable TLS_SERVER_PASSWORD.
>       # Note the env: prefix
>       password: env:TLS_SERVER_PASSWORD
>          OR
>       # Get the password from the absolute file path. Note the file: prefix
>       password: file:/home/tls/password-file.txt
>          OR
>       # Specify the actual password. Note the pass: prefix
>       password: pass:actual_password
> }
>
> While you can still specify the actual password in the password field using
> the pass: prefix, which casual users might want to do, you are also able to
> specify the file path or environment variable for more robust security.
>
> This change will be backward compatible which means, you will still be able
> to specify the actual password in the password field without the pass:
> prefix. The passwordFile field will be deprecated and eventually removed
> when we go to a major version.
>
>
Will "literal:" be deprecated in favor of "pass:" then?



> Please let me know your thoughts.
>
> Thanks.
>


-- 
-K
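An added example, not code from the thread or from the router itself: a Python resolver for the proposed password field that handles the env:, file: and pass: prefixes, keeps the unprefixed legacy value working, and explicitly rejects openssl's fd:/stdin forms so that a bare "stdin" is never misread as a literal password. The literal: alias, the absolute-path requirement on file: and the owner-only permission check are assumptions added here.

```python
import os
import stat
from pathlib import Path

ENV_PREFIX, FILE_PREFIX, PASS_PREFIX = "env:", "file:", "pass:"
LEGACY_LITERAL = "literal:"  # current prefix; assumed here to remain an alias of pass:


def write_password_file(path: str, secret: str) -> None:
    """Create a password file with owner-only permissions (0600)."""
    Path(path).unlink(missing_ok=True)
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w") as f:
        f.write(secret + "\n")  # the trailing newline is stripped on read


def resolve_password(value: str, environ=None) -> str:
    """Turn an sslProfile 'password' value into the actual pass phrase."""
    env = os.environ if environ is None else environ
    # openssl also accepts fd:N and stdin; reject them up front so they can
    # never fall through to the backward-compatibility rule below.
    if value == "stdin" or value.startswith("fd:"):
        raise ValueError(f"unsupported password source: {value!r}")
    if value.startswith(ENV_PREFIX):
        name = value[len(ENV_PREFIX):]
        if name not in env:
            raise ValueError(f"environment variable {name} is not set")
        return env[name]
    if value.startswith(FILE_PREFIX):
        path = Path(value[len(FILE_PREFIX):])
        if not path.is_absolute():  # assumption: same rule as passwordFile
            raise ValueError(f"file: path must be absolute: {path}")
        # Assumed hardening: refuse a secret file readable by group or others.
        if path.stat().st_mode & (stat.S_IRWXG | stat.S_IRWXO):
            raise ValueError(f"{path} is accessible by group or others")
        # Only the first line is the password; editors usually add a newline.
        return path.read_text().split("\n", 1)[0].rstrip("\r")
    if value.startswith(PASS_PREFIX):
        return value[len(PASS_PREFIX):]
    if value.startswith(LEGACY_LITERAL):
        return value[len(LEGACY_LITERAL):]
    # Backward compatibility: an unprefixed value is the literal password.
    return value
```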
