diff --git a/.gitignore b/.gitignore
index 60a3634a0f..a851cd02bd 100644
--- a/.gitignore
+++ b/.gitignore
@@ -19,7 +19,7 @@
 cmd/core-command/core-command
 cmd/core-data/core-data
 cmd/core-metadata/core-metadata
 cmd/security-proxy-setup/security-proxy-setup
-cmd/security-file-token-provider/*
+cmd/security-file-token-provider/security-file-token-provider
 cmd/security-secrets-setup/config/*
 cmd/security-secrets-setup/security-secrets-setup
 cmd/security-secretstore-setup/security-secretstore-setup
diff --git a/cmd/security-file-token-provider/res/token-config.json b/cmd/security-file-token-provider/res/token-config.json
index 7828d992c2..6146b6346b 100644
--- a/cmd/security-file-token-provider/res/token-config.json
+++ b/cmd/security-file-token-provider/res/token-config.json
@@ -3,12 +3,6 @@
 "edgex_use_defaults": true,
 "custom_policy": {
 "path": {
- "secret/edgex/metadata/mongodb": {
- "capabilities": [
- "list",
- "read"
- ]
- },
 "secret/edgex/metadata/redisdb": {
 "capabilities": [
 "list",
@@ -22,12 +16,6 @@
 "edgex_use_defaults": true,
 "custom_policy": {
 "path": {
- "secret/edgex/coredata/mongodb": {
- "capabilities": [
- "list",
- "read"
- ]
- },
 "secret/edgex/coredata/redisdb": {
 "capabilities": [
 "list",
@@ -41,12 +29,6 @@
 "edgex_use_defaults": true,
 "custom_policy": {
 "path": {
- "secret/edgex/metadata/mongodb": {
- "capabilities": [
- "list",
- "read"
- ]
- },
 "secret/edgex/metadata/redisdb": {
 "capabilities": [
 "list",
@@ -56,19 +38,6 @@
 }
 }
 },
- "edgex-mongo": {
- "edgex_use_defaults": true,
- "custom_policy": {
- "path": {
- "secret/edgex/mongo/*": {
- "capabilities": [
- "list",
- "read"
- ]
- }
- }
- }
- },
 "edgex-security-bootstrap-redis": {
 "edgex_use_defaults": true,
 "custom_policy": {
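Review bot: Narrowing the ignore entry from `cmd/security-file-token-provider/*` to just the built binary stops ignoring everything else that appears under that directory, so any file the token provider generates or writes there at build or run time would now show up in `git status` and could be committed by accident; the page does not show where the provider writes its output, so this needs checking. The sibling entry `cmd/security-secrets-setup/config/*` shows the pattern the repo already uses for a generated directory, so if this provider has an equivalent output directory it should get its own entry, e.g. `cmd/security-file-token-provider/<output-dir>/*` with the real directory name filled in. If the binary really is the only build product, the new line is consistent with the other `cmd/*` entries and nothing further is needed.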
@@ -82,29 +51,10 @@
 }
 }
 },
- "edgex-support-logging": {
- "edgex_use_defaults": true,
- "custom_policy": {
- "path": {
- "secret/edgex/logging/mongodb": {
- "capabilities": [
- "list",
- "read"
- ]
- }
- }
- }
- },
 "edgex-support-notifications": {
 "edgex_use_defaults": true,
 "custom_policy": {
 "path": {
- "secret/edgex/notifications/mongodb": {
- "capabilities": [
- "list",
- "read"
- ]
- },
 "secret/edgex/notifications/redisdb": {
 "capabilities": [
 "list",
@@ -114,35 +64,10 @@
 }
 }
 },
- "edgex-support-rulesengine": {
- "edgex_use_defaults": true,
- "custom_policy": {
- "path": {
- "secret/edgex/rulesengine/mongodb": {
- "capabilities": [
- "list",
- "read"
- ]
- },
- "secret/edgex/rulesengine/redisdb": {
- "capabilities": [
- "list",
- "read"
- ]
- }
- }
- }
- },
 "edgex-application-service": {
 "edgex_use_defaults": true,
 "custom_policy": {
 "path": {
- "secret/edgex/appservice/mongodb": {
- "capabilities": [
- "list",
- "read"
- ]
- },
 "secret/edgex/appservice/redisdb": {
 "capabilities": [
 "list",
@@ -159,12 +84,6 @@
 "edgex_use_defaults": true,
 "custom_policy": {
 "path": {
- "secret/edgex/scheduler/mongodb": {
- "capabilities": [
- "list",
- "read"
- ]
- },
 "secret/edgex/scheduler/redisdb": {
 "capabilities": [
 "list",
@@ -187,15 +106,6 @@
 "delete"
 ]
 },
- "secret/edgex/mongo/*": {
- "capabilities": [
- "list",
- "read",
- "create",
- "update",
- "delete"
- ]
- },
 "secret/edgex/redis/*": {
 "capabilities": [
 "list",
@@ -214,4 +124,4 @@
 "edgex-security-file-token-provider": {
 "edgex_use_defaults": true
 }
-}
\ No newline at end of file
+}
diff --git a/internal/security/secretstore/init.go b/internal/security/secretstore/init.go
index e92d38dd90..a55e9c2a91 100644
--- a/internal/security/secretstore/init.go
+++ b/internal/security/secretstore/init.go
@@ -295,18 +295,17 @@ func (b *Bootstrap) BootstrapHandler(ctx context.Context, _ *sync.WaitGroup, _ s
 // continue credential creation
- // A little note on why there are two secrets paths. For each microservice, the username/password
- // is uploaded to the vault on both /v1/secret/edgex/%s/mongodb and /v1/secret/edgex/mongo/%s).
- // The go-mod-secrets client requires a Path property to prefix all secrets. docker-edgex-mongo
- // uses that
- // (https://github.com/edgexfoundry/docker-edgex-mongo/blob/master/cmd/res/configuration.toml) in
- // order to enumerate the users and passwords when setting up the initial database authentication.
- // So edgex/%s/mongodb is for the microservices (microservices are restricted to their specific
- // edgex/%s), and edgex/mongo/* is enumerated by docker-edgex-mongo to initialize the database.
+ // A little note on why there are two secrets paths. For each microservice, the
+ // username/password is uploaded to the vault on both /v1/secret/edgex/%s/redisdb and
+ // /v1/secret/edgex/redisdb/%s). The go-mod-secrets client requires a Path property to prefix all
+ // secrets.
+ // So edgex/%s/redisdb is for the microservices (microservices are restricted to their specific
+ // edgex/%s), and edgex/redisdb/* is enumerated to initialize the database.
 //
 // The Redis implementation parallels the existing Mongo code but until the update for Redis 6,
 // there is only a single Redis password.
 //
+ // Redis 5.x only supports a single shared password. When Redis 6 is released, this can be updated
 // to a per service password.
@@ -320,39 +319,17 @@ func (b *Bootstrap) BootstrapHandler(ctx context.Context, _ *sync.WaitGroup, _ s Password: redis5Password, } - for dbname, info := range configuration.Databases { + for _, info := range configuration.Databases { service := info.Service - // generate credentials - password, err := cred.GeneratePassword(ctx) - if err != nil { - lc.Error(fmt.Sprintf("failed to generate credential pair for service %s", service)) - os.Exit(1) - } - pair := UserPasswordPair{ - User: info.Username, - Password: password, - } // add credentials to service path if specified and they're not already there if len(service) != 0 { - err = addServiceCredential(lc, "mongodb", cred, service, pair) - if err != nil { - lc.Error(err.Error()) - os.Exit(1) - } - err = addServiceCredential(lc, "redisdb", cred, service, redis5Pair) if err != nil { lc.Error(err.Error()) os.Exit(1) } } - - err = addDBCredential(lc, "mongo", cred, dbname, pair) - if err != nil { - lc.Error(err.Error()) - os.Exit(1) - } } // security-bootstrap-redis uses the path /v1/secret/edgex/bootstrap-redis/ and go-mod-bootstrap
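Review bot: The rewritten comment block in this file's earlier hunk (`@@ -295`) still describes two secret paths, `/v1/secret/edgex/%s/redisdb` and `/v1/secret/edgex/redisdb/%s`, and says `edgex/redisdb/*` is enumerated to initialize the database, but the only write left in this loop is `addServiceCredential(lc, "redisdb", cred, service, redis5Pair)`; the `addDBCredential` call that wrote the second path is removed here and no replacement write is visible, so the comment now documents a path the code no longer populates unless it is written somewhere after the hunk. That block also still says the Redis implementation "parallels the existing Mongo code", which stops being true once this loop drops the Mongo credentials. I would shorten that note to what the code does: a single per-service path (`edgex/%s/redisdb`), every service receiving the same `redis5Pair`, plus the existing Redis 6 caveat, and state explicitly that until per-service passwords exist the per-service paths do not isolate services from one another at the database level. A smaller point: `err = addServiceCredential(...)` now assigns to an `err` declared before the hunk, which is fine only if nothing shadows it between that declaration and this loop. BootstrapHandler starts and ends outside this hunk.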