Use authentication when creating database

Loïc Guitaut
2015-09-15 19:35:20 +02:00
parent 2059c8356f
commit 31cefc9387
7 changed files with 24 additions and 12 deletions


@@ -12,7 +12,6 @@ Official mongo plugin for dokku. Currently defaults to installing [mongo 3.0.6](
```
cd /var/lib/dokku/plugins
git clone https://github.com/dokku/dokku-mongo.git mongo
dokku plugins-install-dependencies
dokku plugins-install
```
@@ -65,7 +64,7 @@ dokku mongo:link lolipop playground
# the above will expose the following environment variables
#
# MONGO_URL=mongo://172.17.0.1:27017/lolipop
# MONGO_URL=mongo://l:PASSWORD@172.17.0.1:27017/lolipop
# MONGO_NAME=/lolipop/DATABASE
# MONGO_PORT=tcp://172.17.0.1:27017
# MONGO_PORT_27017_TCP=tcp://172.17.0.1:27017


@@ -27,16 +27,22 @@ case "$1" in
mkdir -p "$SERVICE_ROOT" || dokku_log_fail "Unable to create service directory"
mkdir -p "$SERVICE_ROOT/data" || dokku_log_fail "Unable to create service data directory"
rootpassword=$(openssl rand -hex 16)
password=$(openssl rand -hex 16)
echo "$rootpassword" > "$SERVICE_ROOT/ROOTPASSWORD"
echo "$password" > "$SERVICE_ROOT/PASSWORD"
touch "$LINKS_FILE"
dokku_log_info1 "Starting container"
SERVICE_NAME=$(get_service_name "$SERVICE")
ID=$(docker run --name "$SERVICE_NAME" -v "$SERVICE_ROOT/data:/data" -d --restart always --label dokku=service --label dokku.service=mongo "$PLUGIN_IMAGE:$PLUGIN_IMAGE_VERSION" mongod --storageEngine wiredTiger)
ID=$(docker run --name "$SERVICE_NAME" -v "$SERVICE_ROOT/data:/data" -d --restart always --label dokku=service --label dokku.service=mongo "$PLUGIN_IMAGE:$PLUGIN_IMAGE_VERSION" mongod --storageEngine wiredTiger --auth)
echo "$ID" > "$SERVICE_ROOT/ID"
dokku_log_verbose_quiet "Waiting for container to be ready"
docker run --rm --link "$SERVICE_NAME:$PLUGIN_COMMAND_PREFIX" aanand/wait > /dev/null
echo "db.createUser({user:'admin',pwd:'$rootpassword',roles:[{role:'userAdminAnyDatabase',db:'admin'}]})" | docker exec -i "$SERVICE_NAME" mongo admin > /dev/null
echo "db.createUser({user:'$SERVICE',pwd:'$password',roles:[{role:'readWrite',db:'$SERVICE'}]})" | docker exec -i "$SERVICE_NAME" mongo -u admin -p "$rootpassword" --authenticationDatabase admin "$SERVICE" > /dev/null
dokku_log_info2 "$PLUGIN_SERVICE container created: $SERVICE"
dokku "$PLUGIN_COMMAND_PREFIX:info" "$SERVICE"
;;
@@ -103,8 +109,9 @@ case "$1" in
verify_service_name "$2"
SERVICE="$2"; SERVICE_ROOT="$PLUGIN_DATA_ROOT/$SERVICE"
SERVICE_NAME="$(get_service_name "$SERVICE")"
PASSWORD="$(cat "$SERVICE_ROOT/PASSWORD")"
docker exec "$SERVICE_NAME" bash -c "DIR=\$(mktemp -d) && mongodump -d $SERVICE -o=\"\$DIR\" && tar cf - -C \"\$DIR\" . && rm -rf \"\$DIR\""
docker exec "$SERVICE_NAME" bash -c "DIR=\$(mktemp -d) && mongodump -d $SERVICE -o=\"\$DIR\" -u \"$SERVICE\" -p \"$PASSWORD\" --authenticationDatabase \"$SERVICE\" && tar cf - -C \"\$DIR\" . && rm -rf \"\$DIR\""
;;
$PLUGIN_COMMAND_PREFIX:import)
@@ -112,11 +119,12 @@ case "$1" in
verify_service_name "$2"
SERVICE="$2"; SERVICE_ROOT="$PLUGIN_DATA_ROOT/$SERVICE"
SERVICE_NAME="$(get_service_name "$SERVICE")"
PASSWORD="$(cat "$SERVICE_ROOT/PASSWORD")"
if [[ -t 0 ]]; then
dokku_log_fail "No data provided on stdin."
fi
docker exec -i "$SERVICE_NAME" bash -c "DIR=\$(mktemp -d) && tar xf - -C \"\$DIR\" && mongorestore -d $SERVICE \$(find \"\$DIR\" -mindepth 1 -maxdepth 1 -type d | head -n1) && rm -rf \"\$DIR\""
docker exec -i "$SERVICE_NAME" bash -c "DIR=\$(mktemp -d) && tar xf - -C \"\$DIR\" && mongorestore -d $SERVICE -u \"$SERVICE\" -p \"$PASSWORD\" --authenticationDatabase \"$SERVICE\" \$(find \"\$DIR\" -mindepth 1 -maxdepth 1 -type d | head -n1) && rm -rf \"\$DIR\""
;;
$PLUGIN_COMMAND_PREFIX:logs)
@@ -150,8 +158,9 @@ case "$1" in
verify_service_name "$2"
SERVICE="$2"; SERVICE_ROOT="$PLUGIN_DATA_ROOT/$SERVICE"
SERVICE_NAME="$(get_service_name "$SERVICE")"
PASSWORD="$(cat "$SERVICE_ROOT/PASSWORD")"
docker exec -it "$SERVICE_NAME" mongo "$SERVICE"
docker exec -it "$SERVICE_NAME" mongo -u "$SERVICE" -p "$PASSWORD" --authenticationDatabase "$SERVICE" "$SERVICE"
;;
$PLUGIN_COMMAND_PREFIX:info)
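Review bot: The new credentials are passed on the command line (`-p "$rootpassword"` in the create hunk, `-p "$PASSWORD"` in export, import and connect), so they are readable from the process list on the host and inside the container while each command runs. In the create hunk the script is already piped on stdin, so the second call could authenticate there instead, by prefixing the piped script with `db.getSiblingDB('admin').auth('admin','$rootpassword');` and dropping `-u`/`-p`/`--authenticationDatabase`. The two `echo ... > "$SERVICE_ROOT/..."` writes also create ROOTPASSWORD and PASSWORD with whatever mode the current umask gives, and nothing visible here restricts them, so a `chmod 600 "$SERVICE_ROOT/ROOTPASSWORD" "$SERVICE_ROOT/PASSWORD"` right after the writes would be worth adding. The enclosing `case` arms start and end outside these hunks.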


@@ -247,10 +247,10 @@ service_unlink() {
service_url() {
local SERVICE="$1"
local SERVICE_ROOT="$PLUGIN_DATA_ROOT/$SERVICE"
local ID="$(cat "$SERVICE_ROOT/ID")"
local IP="$(get_container_ip "$ID")"
echo "$PLUGIN_SCHEME://$IP:${PLUGIN_DATASTORE_PORTS[0]}/$SERVICE"
local PASSWORD="$(cat "$SERVICE_ROOT/PASSWORD")"
echo "$PLUGIN_SCHEME://$SERVICE:$PASSWORD@$IP:${PLUGIN_DATASTORE_PORTS[0]}/$SERVICE"
}
is_container_status () {
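Review bot: `local PASSWORD="$(cat "$SERVICE_ROOT/PASSWORD")"` in service_url hides a failed `cat`, because `local` returns 0 regardless. A service directory with no PASSWORD file (for example one created before this change, if no migration exists outside the shown hunks) would then produce a URL with an empty password. Declaring and assigning separately lets the failure surface: `local PASSWORD` followed by `PASSWORD="$(cat "$SERVICE_ROOT/PASSWORD")" || dokku_log_fail "Unable to read service password"`. The password goes into the URL unencoded, which is fine for the hex value generated at creation but would need percent-encoding if the file ever held other characters.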


@@ -24,6 +24,7 @@ teardown() {
@test "($PLUGIN_COMMAND_PREFIX:connect) success" {
export ECHO_DOCKER_COMMAND="true"
run dokku "$PLUGIN_COMMAND_PREFIX:connect" l
assert_output 'docker exec -it dokku.mongo.l mongo l'
password="$(cat "$PLUGIN_DATA_ROOT/l/PASSWORD")"
assert_output "docker exec -it dokku.mongo.l mongo -u l -p $password --authenticationDatabase l l"
}


@@ -24,6 +24,7 @@ teardown() {
@test "($PLUGIN_COMMAND_PREFIX:export) success" {
export ECHO_DOCKER_COMMAND="true"
run dokku "$PLUGIN_COMMAND_PREFIX:export" l
assert_output "docker exec dokku.mongo.l bash -c DIR=\$(mktemp -d) && mongodump -d l -o=\"\$DIR\" && tar cf - -C \"\$DIR\" . && rm -rf \"\$DIR\""
password="$(cat "$PLUGIN_DATA_ROOT/l/PASSWORD")"
assert_output "docker exec dokku.mongo.l bash -c DIR=\$(mktemp -d) && mongodump -d l -o=\"\$DIR\" -u \"l\" -p \"$password\" --authenticationDatabase \"l\" && tar cf - -C \"\$DIR\" . && rm -rf \"\$DIR\""
}


@@ -31,6 +31,7 @@ teardown() {
@test "($PLUGIN_COMMAND_PREFIX:import) success" {
export ECHO_DOCKER_COMMAND="true"
run dokku "$PLUGIN_COMMAND_PREFIX:import" l < "$PLUGIN_DATA_ROOT/fake.dump.tar"
assert_output "docker exec -i dokku.mongo.l bash -c DIR=\$(mktemp -d) && tar xf - -C \"\$DIR\" && mongorestore -d l \$(find \"\$DIR\" -mindepth 1 -maxdepth 1 -type d | head -n1) && rm -rf \"\$DIR\""
password="$(cat "$PLUGIN_DATA_ROOT/l/PASSWORD")"
assert_output "docker exec -i dokku.mongo.l bash -c DIR=\$(mktemp -d) && tar xf - -C \"\$DIR\" && mongorestore -d l -u \"l\" -p \"$password\" --authenticationDatabase \"l\" \$(find \"\$DIR\" -mindepth 1 -maxdepth 1 -type d | head -n1) && rm -rf \"\$DIR\""
}


@@ -21,5 +21,6 @@ teardown() {
@test "($PLUGIN_COMMAND_PREFIX:info) success" {
run dokku "$PLUGIN_COMMAND_PREFIX:info" l
assert_contains "${lines[*]}" "DSN: mongodb://172.17.0.34:27017/l"
password="$(cat "$PLUGIN_DATA_ROOT/l/PASSWORD")"
assert_contains "${lines[*]}" "DSN: mongodb://l:$password@172.17.0.34:27017/l"
}
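Review bot: The expected `DSN: mongodb://l:$password@172.17.0.34:27017/l` line pins that `info` prints the service password in clear text. Output of `info` tends to end up in terminal scrollback, CI logs and pasted bug reports, so it may be worth masking the password there and leaving the full URL to the link environment variables. That change would be in the info command, outside this hunk. If the plaintext DSN is intended, a comment above the assertion such as `# info intentionally prints the full DSN, password included` would record the decision.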