Refactor credentials from auth bootstrap data

Description

New Description:
The plan is here - https://openlmis.atlassian.net/wiki/display/OP/Make+Auth+dynamically+retrieve+list+of+registered+OpenLMIS+services

Acceptance Criteria

  • implement the plan

Old Description

The auth bootstrap data here: https://github.com/OpenLMIS/openlmis-auth/blob/master/src/main/resources/db/migration/20170214123932959__initial_bootstrap_data.sql has sensitive "root access" credentials that will need to be generated for each implementation and should not be in public source control.

We need to make a plan on how this stuff will be refactored out of this file and done more securely and dynamically.

Acceptance criteria

  • A plan document on how the above will be done (have Team ILL review/approve the Plan)

  • Either file a ticket for implementing this plan, or go ahead and implement it

Activity

Brandon Bowersox-Johnson
February 8, 2017, 7:34 PM

Because this ticket says "make a plan", we need to evaluate. What is the security risk or importance if we don't do this for 3.0?

Chongsun Ahn
February 8, 2017, 9:54 PM

The security risk is small, as we would tell implementers to change the credentials for deployment, and since we are the implementer for Malawi, we will make sure to do that. We will need to do this, but we don't need to do it for 3.0; perhaps soon after 3.0.

Paweł Nawrocki
June 26, 2017, 3:45 PM
Edited

I've set the service to fetch new data every minute (it also calls once immediately after start). Do you think this is fine, or shall we change this, or maybe make it configurable?

Paweł Nawrocki
June 27, 2017, 9:05 AM
Edited

Please verify that this feature works, meaning:

  • When we register another service in Consul, tagged as 'openlmis-service' (or whatever the .env setting says), auth automatically adds that to its OAuth2 clients resources (can check in database, or just try to connect with auth from that newly added service).

  • Same thing, when you remove a service, it should be reflected in clients' resources.

  • Services not tagged as 'openlmis-service' should be ignored.

NOTE: auth updates this every 60 seconds, so you might want to wait a minute before checking, since the changes may not be updated instantly.
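
An added example, not taken from this ticket or from the openlmis-auth code base: the three checks in the comment above, replayed in Python as successive polls over constructed catalog snapshots shaped like Consul's `GET /v1/catalog/services` reply. The function names, the sample service names and the rule that the client's resource list mirrors the tagged set exactly are assumptions.

```python
# Added example (not OpenLMIS code): the tag-driven resource sync, one poll at a time.
SERVICE_TAG = "openlmis-service"  # assumed to match the .env setting

# Constructed snapshots shaped like Consul's GET /v1/catalog/services reply,
# which maps each service name to its list of tags.
SNAPSHOTS = [
    {"consul": [], "referencedata": ["openlmis-service"], "nginx": ["edge"]},
    # a tagged service registers; a look-alike tag and a null tag list also appear
    {"consul": [], "referencedata": ["openlmis-service"], "nginx": ["edge"],
     "requisition": ["openlmis-service", "v3"],
     "legacy": ["openlmis-service-old"], "batch": None},
    # referencedata deregisters
    {"consul": [], "nginx": ["edge"], "requisition": ["openlmis-service", "v3"]},
]


def tagged_services(catalog, tag=SERVICE_TAG):
    """Names whose tag list contains the tag exactly (no substring or case folding)."""
    return {name for name, tags in catalog.items()
            if isinstance(tags, list) and tag in tags}


def reconcile(current, catalog, tag=SERVICE_TAG):
    """One poll: return (new_resources, added, removed).

    Assumption: the client's resource list mirrors the tagged set exactly.
    """
    wanted = tagged_services(catalog, tag)
    current = set(current)
    return wanted, wanted - current, current - wanted


def replay(snapshots, initial=()):
    """Apply reconcile to each snapshot in turn; return the (added, removed) history."""
    resources, history = set(initial), []
    for catalog in snapshots:
        resources, added, removed = reconcile(resources, catalog)
        history.append((sorted(added), sorted(removed)))
    return resources, history


if __name__ == "__main__":
    final, history = replay(SNAPSHOTS)
    for cycle, (added, removed) in enumerate(history, 1):
        print(f"poll {cycle}: added={added} removed={removed}")
    print("resources:", sorted(final))
```

The second snapshot includes a service tagged `openlmis-service-old` and one with no tag list; both stay out of the resource set because the match is on the exact tag string.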

Lucyna Laska
June 27, 2017, 12:24 PM

I tested all issues described by and it worked correctly.

Done

Assignee

Paweł Nawrocki

Reporter

Chongsun Ahn

Labels

None

Story Points

3

Time tracking

0m

Time remaining

7h 30m

Components

Sprint

None

Fix versions

Priority

Major