grouper-users - Re: [grouper-users] Containerized Grouper and Secrets
Subject: Grouper Users - Open Discussion List
List archive
- From: John Gasper <>
- To: John Schrader <>, Jack Stewart <>
- Cc: "Hyzer, Chris" <>, Christopher Hubing <>, "" <>, csp study grouper <>
- Subject: Re: [grouper-users] Containerized Grouper and Secrets
- Date: Mon, 07 May 2018 09:21:55 -0700
- Ironport-phdr: 9a23:abHohRIRpK5dzyHUYtmcpTZWNBhigK39O0sv0rFitYgXKvX6rarrMEGX3/hxlliBBdydt6ofzbKO+4nbGkU4qa6bt34DdJEeHzQksu4x2zIaPcieFEfgJ+TrZSFpVO5LVVti4m3peRMNQJW2aFLduGC94iAPERvjKwV1Ov71GonPhMiryuy+4ZLebxlGiTanfb9+MAi9oBnMuMURnYZsMLs6xAHTontPdeRWxGdoKkyWkh3h+Mq+/4Nt/jpJtf45+MFOTav1f6IjTbxFFzsmKHw65NfqtRbYUwSC4GYXX3gMnRpJBwjF6wz6Xov0vyDnuOdxxDWWMMvrRr0vRz+s87lkRwPpiCcfNj427mfXitBrjKlGpB6tvgFzz5LIbI2QMvd1Y6HTcs4ARWdZUMlfWTFPDIOiYYUMAeoOP+lXoJXmqlQUsRe+ABOhCP/1xzJKgHL9wK000/4mEQHDxAEuG9UOsHTSrN7oNakdS/u1zLHWwjXZcvhb3jX96IfSfRA6ufGDQ6hwfNHMyUkpFgPKklKQqYr/MzOTyOsNr3GW4ux9XuyhjG4nrht+ojmpxso0l4nJnIYVxkrf9SV82Io1PsC4SEhlbt6nDpRQsyWaOJVsQs84Xm5ouz42xacDuZGhfSkKz5InywTDZPyAdoiE+hPjVOCNIThmnnJlfqywhwqs/US61OLzS9S03E5SriVfidnMrX4M1xvJ6seaUPd95UKh1S6U1w/N9u5EO147lbbAK54k2LEwkIAcsUvdES/sgkn2lrGZeV859eSw5OTnY6nmpp+BN4BvkA3xLqMumsmnDeQlKQgBQXKb+eKm273m40L1Wq5Kjvgwn6LEs57aPdwWq662DgNP0Isv9gyzAyqm3dkZh3ULMkxJdROfg4XoOVzCOu30Aeqjj1i2jjtn2vLLMqf8DpjDMHTOlqrqc6xn5E5G0gUzyMhS55JKBbEFJ/L+Qk7wtN3dDhAiKQy72fzrCMh71oMfRW2PBamZPLnUsVCW+uIjO+iMZIkLtzbhM/Uo5/HjgWU7lFMAZ6WlwJsaZXGiEvh4PUmUYGLggtIbHmcLugo+QvbqiFqHUTNLZXayULgz5iojCI24F4fOXZ2tgLqA3CinGZ1WYHpKClaSHnf0b4mEQesDaDqOIs99lTwJTaSuS4881R61tQ/6zbVnI/HV+i0eqZLsysJ15+vNmhEu6zB4FdqS3HyQT2tshGMHWyc23LxjoUx60lqD3rJ4g/tFFdxL+fxJSB42NYPHz+NkEdDyQRnMftOISFa9XtWmGi89Qsgww98If0ZyBc+ijhbd0Cq2HbMZjaKEC4Ep8vGU43+kBcF9zT7936k7hlUrWIMbF2qmgOhE/AjJDoLEiW2fm+CneblKmGbv/WyAhVGSsV5RShI4BaDHRmwSeWPLqNXy5gXPQ6L4Wpo9NQ4U68mCLONlY8bxgE8OEPXsMc/GbniZhmGxDhGOgLWBcNy5KC0mwCzBBR1cwEgo9nGcOF17X3/5rg==
I’m back… There’s one more option that I just learned about. It requires a more recent version of Docker Engine and be using Swarm mode, but Docker Secrets and Configs supports templating. You can basically set the file to something like this: hibernate.connection.password = {{ secret “grouper_db_password” }} You save the config file as a Docker config, but do it like so: docker config create --template-driver golang grouper.hibernate.properties ./grouper.hibernate.properties This tells Docker that before it publishes the config file into the running container, grouper.hibernate.properties, needs to run through the golang merge/template process. Now save the password string as a Docker Secret named grouper_db_password. Then when you create your service you just map your secrets like normal and the password will be provided in the config. Unfortunately the functionality is so new that there isn’t a lot of documentation on it, but this blog entry does talk about it some more: https://blog.sunekeller.dk/docker-18-03-config-and-secret-templating/
From: <> on behalf of John Gasper <> Hey all, Sorry, I’m late to this party. I’ve got a few tidbits to share that might be beneficial to you or others in the future. (And John that’s great info about the AWS SecretsManager) One of the TIER requirements was to be able to read in password from an env parameter or from a file specified by env parameter. This doesn’t necessarily make sense for Grouper since we have to customize the property files anyways, but I’ve got some examples in the image source’s test directory: Two examples of the EL code: And applying it using both methods: https://github.internet2.edu/docker/grouper/blob/master/test-compose/docker-compose.yml#L46-L47 If you were going with this method, I’d pick the one that is appropriate and just use that chunk, but it’s your env do as you want. 😊 Also, I’m working on some videos showing how to use the TIER Grouper image in Docker Swarm. I’m waiting for approval of the videos and then I’ll post about them on the list, but all of the step-by-step source material is here and shows how to use Docker Secrets: https://github.com/Unicon/tier-grouper-deployment. Using this method, the sensitive files and env specific config files are managed by Swarm. This has the upside of being able to run “docker service rollback XXX” and it switches configs/secrets to the previous config. (It’s actually pretty cool to call rollback several times and watch it switch your service back to the image/config several versions ago.) Of course you can always use morphStrings to store your passwords, and mount them however you want to, and reference those locations in the properties file. I’d probably still manage the files with “docker config” since you’ll likely use databases and data sources that are different between test and prod. If the files are the same, then I’d just manage them as project source that gets backed into the image. OK, my two cents.
From: <> on behalf of John Schrader <> This is a great conversation.. For those of us running in AWS cloud, AWS has released "SecretsManager" [1] SecretsManager opens up some interesting possibilities for both EC2 instances and containers(tasks) running in ECS. As a POC, I've created an elConfig class (thanks to Chris for the capability) that retrieves values for hibernate properties: hibernate.connection.url.sm.elConfig = ${edu.internet2.middleware.grouperClient.config.SecretsManagerElClass.getSecret('/grouper/dev','url')} hibernate.connection.url = $$hibernate.connection.url.sm$$ hibernate.connection.username.sm.elConfig = ${edu.internet2.middleware.grouperClient.config.SecretsManagerElClass.getSecret('/grouper/dev','username')} hibernate.connection.username = $$hibernate.connection.username.sm$$ hibernate.connection.password.sm.elConfig = ${edu.internet2.middleware.grouperClient.config.SecretsManagerElClass.getSecret('/grouper/dev','password')} hibernate.connection.password = $$hibernate.connection.password.sm$$ from SecretsManager. Read/Decrypt access to the `/grouper/dev` secret is controlled by the role associated with an EC2 instance or ECS task. Using a role helps with the initial credential bootstrapping and allows for immutability. -John On Thu, Apr 26, 2018 at 1:27 PM, Jack Stewart <> wrote:
-- John Schrader Identity and Access Management Office of Information Technologies University of Notre Dame EVERYTHING SHOULD BE MADE AS SIMPLE AS POSSIBLE, BUT NOT ANY SIMPLER —ALBERT EINSTEIN |
- Re: [grouper-users] Containerized Grouper and Secrets, John Gasper, 05/01/2018
- Re: [grouper-users] Containerized Grouper and Secrets, John Gasper, 05/07/2018
- Re: [grouper-users] Containerized Grouper and Secrets, Jack Stewart, 05/08/2018
- Re: [grouper-users] Containerized Grouper and Secrets, John Gasper, 05/10/2018
- Re: [grouper-users] Containerized Grouper and Secrets, Jack Stewart, 05/10/2018
- Re: [grouper-users] Containerized Grouper and Secrets, John Gasper, 05/10/2018
- Re: [grouper-users] Containerized Grouper and Secrets, Jack Stewart, 05/08/2018
- Re: [grouper-users] Containerized Grouper and Secrets, John Gasper, 05/07/2018
Archive powered by MHonArc 2.6.19.