New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Config: Read secrets from file #2302
base: develop
Are you sure you want to change the base?
Conversation
This would be very helpful for NixOS. The package does already exist, but no module has been created yet. |
… feature/secrets-from-file
…to feature/secrets-from-file
…to feature/secrets-from-file
Note that PhotoPrism already supports reading pretty much all config values from files, which is now also well documented in our official Getting Started guide: |
From my understanding this isn't needed as you can use an |
I assume that this PR should provide the ability to map secrets from the docker host as files in a container and in this case it should be 1 plain text file per secret, which is not the case with configs. |
@kkovaletp Thanks for your remarks! If this is something that a few of our users need, and @petertrr still wants us to merge it, I'm happy to reopen it. However, I'm still not sure what the impact of this is e.g. what additional security this actually provides, as a complex web application like ours offers many more potential attack vectors, some of which might be much easier to exploit... Having an overly long list of config options and too many different ways to set a password can be a security issue in itself? 🤔 |
@lastzero As I mentioned in the discussion of #1987, I think that security and privacy should be the default, but also I assume that most users do not open the service for Internet access (maybe I'm wrong) and for that users, it makes sense to provide simple and easy setup with secrets in env. vars. If choosing between different secure setups, I'd vote for the secrets manager, as it provides the best possible level of secrets protection, but it is up to you to decide. Yes, adding a new method of providing secrets will increase complexity. But from my perspective, it is not a reason to not have any relatively secure one. What could be done here, is making a review of all available methods to make sure you don't have any obsolete and not actively used (or not adding any value to the product, so that could be safely replaced by other existing ones). Then, it is a key point to provide clear documentation for all supported use cases:
But again, this is my opinion and it is up to you to decide. |
Since this is part of the core functionality, our biggest concern is that we have to test this several times a month before each release when only a handful of users actually use it. How about we merge and add it as a hidden flag (so as not to confuse users who follow our simple examples) when this PR gets 20 thumbs up? It currently has 4 👍 |
I have just 1 question, as I'm not an expert in Go: |
It is a best practice to automatically close files when the function that reads them returns: func () {
f.Open()
defer f.Close()
doSomething()
return
} Of course, there are exceptions, such as when you keep log files open for writing. However, a common attack vector is reading sensitive information from memory. Direct access may seem difficult, but most servers have a swap file configured, so you could read passwords from there as well. Thus, if you focus on just one aspect, the overall security might not be increased significantly.
Should we proceed with merging, there will be a security review that takes additional time. That's why I want to make sure we really need this.
I agree, this is a common problem and should not be underestimated. |
Perhaps as an additional explanation: When running the app in a Kubernetes or Docker Swarm cluster, secrets are the only/best way to maintain and manage such configurations securely in a centralized location. |
I think another benefit of this is that you can store the configuration in git without exposing any passwords. |
This PR adds support to read admin password and database password from a file. After all configuration options are loaded from environment, CLI and yaml configs, if
admin-password-file
and/ordatabase-password-file
are set, these settings are read from the files.Closes #1987
Acceptance Criteria:
User interface changes are fully responsive and have been tested on all major browsers and various devicesNo UI changesDatabase-related changes are compatible with SQLite and MariaDBNo changes in DBTranslations have been / will be updated (specify if needed)No changes in texts