The plan is here - https://openlmis.atlassian.net/wiki/display/OP/Make+Auth+dynamically+retrieve+list+of+registered+OpenLMIS+services
implement the plan
The auth bootstrap data here: https://github.com/OpenLMIS/openlmis-auth/blob/master/src/main/resources/db/migration/20170214123932959__initial_bootstrap_data.sql has sensitive "root access" credentials that will need to be generated for each implementation and should not be in public source control.
We need to make a plan on how this stuff will be refactored out of this file and done more securely and dynamically.
A plan document on how the above will be done (have Team ILL review/approve the Plan)
Either file a ticket for implementing this plan, or go ahead and implement it
Because this ticket says "make a plan", we need to evaluate. What is the security risk or importance if we don't do this for 3.0?
The security risk is small, as we would tell implementers to change the credentials for deployment, and since we are the implementer for Malawi, we will make sure to do that. We will need to do this, but we don't need to do it for 3.0; perhaps soon after 3.0.
I've set the service to fetch new data every minute (it also calls once immediately after start). Do you think this is fine, or shall we change this, or maybe make configurable?
Please verify that this feature works, meaning:
When we register another service in Consul, tagged as 'openlmis-service' (or whatever the .env setting says), auth automatically adds that to its OAuth2 clients resources (can check in database, or just try to connect with auth from that newly added service).
Same thing, when you remove a service, it should be reflected in clients' resources.
Services not tagged as 'openlmis-service' should be ignored.
NOTE: auth updates this each 60 seconds, so you might want to wait a minute before checking, since the changes may not be updated instantly.
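The polling-and-reconcile behaviour that the comments above describe (fetch the Consul catalog once at start and then every 60 seconds, keep only services carrying the configured tag, add new ones to the OAuth2 client resource IDs and drop removed ones), shown as an added example written for this page; it is not code from openlmis-auth. The Consul catalog shape (`GET /v1/catalog/services` returns a JSON object mapping service name to its tag list) is real; the tag name, the `CONSUL_POLL_INTERVAL` variable, the `ResourceIdStore` class standing in for the auth database, the `PROTECTED_RESOURCES` set and the two catalog snapshots are assumptions constructed for illustration.

```python
import json
import os
import time
import urllib.request
from typing import Callable, Dict, List, Set, Tuple

# Assumed configuration; in a real deployment these come from the .env file.
SERVICE_TAG = os.environ.get("SERVICE_TAG", "openlmis-service")
POLL_INTERVAL_SECONDS = int(os.environ.get("CONSUL_POLL_INTERVAL", "60"))
CONSUL_URL = os.environ.get("CONSUL_URL", "http://localhost:8500")

# Assumption: resource IDs auth needs regardless of what Consul reports, so a
# transient catalog outage can never strip them from every client.
PROTECTED_RESOURCES = frozenset({"auth"})

# Constructed snapshots of a Consul /v1/catalog/services response. The first
# is the state at start-up; the second is the state one poll later, after
# "notification" was deregistered and "stockmanagement" was registered.
CATALOG_BEFORE: Dict[str, List[str]] = {
    "consul": [],
    "postgres": ["database"],            # not an OpenLMIS service: must be ignored
    "referencedata": ["openlmis-service"],
    "notification": ["openlmis-service"],
}
CATALOG_AFTER: Dict[str, List[str]] = {
    "consul": [],
    "postgres": ["database"],
    "referencedata": ["openlmis-service"],
    "stockmanagement": ["openlmis-service"],
}


def tagged_services(catalog: Dict[str, List[str]], tag: str) -> Set[str]:
    """Names of catalog entries carrying the configured tag; everything else is ignored."""
    return {name for name, tags in catalog.items() if tag in tags}


class ResourceIdStore:
    """In-memory stand-in for the OAuth2 client resource-ID rows in the auth database."""

    def __init__(self, initial: Set[str]) -> None:
        self.resource_ids: Set[str] = set(initial) | set(PROTECTED_RESOURCES)

    def add(self, names: Set[str]) -> None:
        self.resource_ids |= names

    def remove(self, names: Set[str]) -> None:
        # Never delete the resources auth itself depends on.
        self.resource_ids -= (names - PROTECTED_RESOURCES)


def sync_once(catalog: Dict[str, List[str]], store: ResourceIdStore,
              tag: str = SERVICE_TAG) -> Tuple[Set[str], Set[str]]:
    """One reconciliation pass: returns (added, removed) and updates the store."""
    desired = tagged_services(catalog, tag) | set(PROTECTED_RESOURCES)
    added = desired - store.resource_ids
    removed = store.resource_ids - desired
    store.add(added)
    store.remove(removed)
    return added, removed


def fetch_catalog(base_url: str = CONSUL_URL) -> Dict[str, List[str]]:
    """Real network call; only used when the script is run directly."""
    with urllib.request.urlopen(f"{base_url}/v1/catalog/services", timeout=5) as resp:
        return json.load(resp)


def run(fetch: Callable[[], Dict[str, List[str]]], store: ResourceIdStore,
        interval: float = POLL_INTERVAL_SECONDS, iterations: int = 0) -> List[Tuple[Set[str], Set[str]]]:
    """Poll immediately, then every `interval` seconds. iterations=0 means forever;
    the list of (added, removed) per pass is returned so a caller can inspect it."""
    history: List[Tuple[Set[str], Set[str]]] = []
    count = 0
    while True:
        history.append(sync_once(fetch(), store))
        count += 1
        if iterations and count >= iterations:
            return history
        time.sleep(interval)


if __name__ == "__main__":
    # Runs against a live Consul agent; prints what changed on every pass.
    live_store = ResourceIdStore(set())
    while True:
        added, removed = sync_once(fetch_catalog(), live_store)
        print(f"added={sorted(added)} removed={sorted(removed)} now={sorted(live_store.resource_ids)}")
        time.sleep(POLL_INTERVAL_SECONDS)
```

Because the pass is a pure set difference against the tagged entries, a service that is registered and then deregistered between two polls is never seen at all, which is the "wait a minute before checking" caveat in the note above. The protected set is the one extra guard a practitioner wants: without it, an empty or failed catalog read would delete every resource ID, including auth's own.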
I tested all issues described by and it worked correctly.