Details
Bug
Resolution: Done
Critical
7.1.0.Final, 7.1.1.Final
None
Description
CommonAttributes.CLUSTER_PASSWORD needs to support expressions, so its value can be vault encoded and the encoded value can be resolved against the vault at runtime.
Recommend changing:
SimpleAttributeDefinition CLUSTER_PASSWORD = new SimpleAttributeDefinition("cluster-password",
        new ModelNode().set(ConfigurationImpl.DEFAULT_CLUSTER_PASSWORD), ModelType.STRING, true,
        AttributeAccess.Flag.RESTART_ALL_SERVICES);
to
SimpleAttributeDefinition CLUSTER_PASSWORD = new SimpleAttributeDefinitionBuilder("cluster-password", ModelType.STRING, true)
        .setAllowExpression(true)
        .setDefaultValue(new ModelNode(ConfigurationImpl.DEFAULT_CLUSTER_PASSWORD))
        .setRestartAllServices()
        .build();
A similar change should be made to CLUSTER_USER, not so much so the value can be read from the vault, but rather so a system property can be used, e.g. <cluster-user>${some.user.property}</cluster-user>.
I recommend looking at all the other config attributes and adding expression support where it makes sense. It's a must, though, for any password or other security-sensitive value that users won't want stored in plain text.
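A configuration check for the point above, as an added example that is not part of the original report or the project's code: it scans a config file for password-like elements and attributes and reports whether each holds a plain literal, an expression, or an expression whose default is still a literal. The sample XML, the `urn:example:messaging` namespace and the `${VAULT::` prefix test are assumptions made for the example.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample config for this example; not taken from the issue.
SAMPLE_XML = """\
<config xmlns="urn:example:messaging">
  <cluster-user>${some.user.property}</cluster-user>
  <cluster-password>s3cret-literal</cluster-password>
  <node name="b"><cluster-password>${cluster.pw:changeit}</cluster-password></node>
  <node name="c"><cluster-password>${VAULT::messaging::cluster-password::1}</cluster-password></node>
  <bridge user="u" password="${bridge.pw}"/>
</config>
"""

SENSITIVE = re.compile(r"password|secret", re.I)
EXPR = re.compile(r"^\$\{([^:}]+)(?::(.*))?\}$", re.S)   # ${name} or ${name:default}

def local(name):
    """Strip the '{namespace}' prefix ElementTree puts on qualified names."""
    return name.rsplit("}", 1)[-1]

def classify(value):
    """Return 'plaintext', 'vault', 'expression' or 'expression-with-default'."""
    value = value.strip()
    # Assumption: vault references are written as ${VAULT::...}; test them first,
    # otherwise the '::' would be read as a property name plus a default.
    if value.startswith("${VAULT::") and value.endswith("}"):
        return "vault"
    m = EXPR.match(value)
    if not m:
        return "plaintext"
    # A non-empty default after ':' is still a secret stored in the file.
    return "expression-with-default" if m.group(2) else "expression"

def audit(xml_text):
    """Return (location, kind) for every password-like element or attribute."""
    findings = []
    for elem in ET.fromstring(xml_text).iter():
        tag = local(elem.tag)
        if SENSITIVE.search(tag) and (elem.text or "").strip():
            findings.append((tag, classify(elem.text)))
        for name, val in elem.attrib.items():
            if SENSITIVE.search(local(name)) and val.strip():
                findings.append((f"{tag}@{local(name)}", classify(val)))
    return findings

def needs_attention(findings):
    """Keep only the findings where a secret is readable in the file itself."""
    return [f for f in findings if f[1] in ("plaintext", "expression-with-default")]

if __name__ == "__main__":
    for location, kind in audit(SAMPLE_XML):
        print(f"{location}: {kind}")
```
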