Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Storing and accessing credentials (e.g. database logins) as actinia user #398

Open
ninsbl opened this issue Dec 14, 2022 · 3 comments
Open

Comments

@ninsbl
Copy link
Collaborator

ninsbl commented Dec 14, 2022

Is there already a way to securely store and access e.g. database credentials as an actinia user?

When data is to be fetched from or exported to external databases, one needs some form of storing login credentials for actinia users.
Maybe also credential for data portals, if they are supposed to be accessed userspecific...

It does not seem right to include credentials in API calls in plain text.

One option I could imagine is that a user may upload an encrypted keepass file that in itself is secured (and later accessed) with the actinia password. In actinia credentials could be fetched with e.g. https://pypi.org/project/pykeepass/

But I am no security expert and maybe that is also a terrible idea with regards to security?

@ninsbl
Copy link
Collaborator Author

ninsbl commented Dec 16, 2022

Now I wrote a function to transfer entries in a KeePass database file into environment variables, that again could be used to authenticate users at data sources services / databases.

import os
def keepass_to_env(
    keepass_file, keepass_pwd, title, username_var, password_var, first=True
):
    from pykeepass import PyKeePass

    kp = PyKeePass(keepass_file, password=keepass_pwd)
    entry = kp.find_entries(title=title, first=first)
    os.environ[username_var] = entry.username
    os.environ[password_var] = entry.password
    return None

For use in actinia modules, two questions remain:

  1. how to securely transfer and store the KeePass file to actinia / user data area and
  2. how to unlock the KeePass file with the actinia password (assuming that it is used to protect the KeePass file)...

Another approach could be bitwarden (that could be connected to KeyCloak if I understood correctly)...

@ninsbl
Copy link
Collaborator Author

ninsbl commented Jan 24, 2023

Apache Airflow (also a Python based web app) supports different external backends, like e.g. the Hashicorp Vault for secrets management.
See: https://github.com/apache/airflow/tree/main/airflow/providers/hashicorp/secrets for inspiration on how secrets backends are implemented in Airflow.
Hashicorp Vault is an Open Source project and could even be bundled with actinia (at least in theory). It also powers secrets handling in GitHub actions. Would be cool if secrets could be stored in Vault and then accessed like in GitHub actions with a specific kind of string (${{ secrets.SENTINELHUB_AUTH_TOKEN }}).

Without external secrets backends, Airflow stores credentials as encrypted strings in a PostgreSQL database. Such a solution could possibly be a first approach for actinia too...

Just collecting some ideas....

@mmacata
Copy link
Member

mmacata commented Jun 15, 2023

We discussed internally and came to the conclusion that a tresor/vault file should be used, e.g. with KeyPass (see Python examples). The key of the file would then be an environment variable or docker secret. The Password itself should be better stored in actinia. The vault file is created by the user and follows a naming convention with his actinia user name in the filename. The file can then be uploaded.

Further hints for implementation:

  • In- and outputs of GRASS GIS modules in logs must not be passwords!
  • actinia importer might need to be adjusted - manage password access and e.g. i.sentinel.import cannot be used as is.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

2 participants