A property file sounds fine to me; my concern was with passing a raw password as a command line arg. That being said, if we can obviate the need for a password... even better.

On Tue, Sep 16, 2014 at 10:54 AM, Maxim Khutornenko <ma...@apache.org> wrote:

> +1 on the command-line approach. There was a bit of a debate around it
> when it was proposed for the framework auth but its simplicity
> outweighed potential security concerns.
>
> On Tue, Sep 16, 2014 at 10:34 AM, Kevin Sweeney <kevi...@apache.org> wrote:
>
> > There's precedent to take secrets as a properties file on the command-line
> > (-framework_authentication_file), my vote is that we follow that.
> >
> > On Tue, Sep 16, 2014 at 10:17 AM, Joshua Cohen <jco...@twitter.com.invalid> wrote:
> >
> >> Providing the password directly via the command line seems like it would be
> >> a security issue (anyone who can `ps` on the box could see the password?).
> >> Is there something I'm missing? Would it be possible (and if so, would it
> >> be desirable?) to start up the web console as a user who only has read
> >> access to the database? If we're only worried about someone tinkering with
> >> the data, but not worried about locking down read access that might be a
> >> cleaner solution.
> >>
> >> On Tue, Sep 16, 2014 at 9:58 AM, Bill Farner <wfar...@apache.org> wrote:
> >>
> >> > Since beginning migration of the internal database to H2, I've wanted to
> >> > include the H2 web console [1] as a means for debugging the internal
> >> > scheduler state. If we do that, we need to password-protect the database
> >> > to prevent unauthorized tinkering.
> >> >
> >> > Does anybody have a preference for where the scheduler gets that password?
> >> > The obvious choices are directly on the command line, or from a file
> >> > referenced on the command line. However, I'm open to ideas I haven't
> >> > thought of.
> >> >
> >> > [1] http://www.h2database.com/html/quickstart.html#h2_console
> >> > (ignore the windows/launching instructions - we will embed it as a servlet)
> >> >
> >> > -=Bill
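
The file-referenced-on-the-command-line option discussed in this thread, as an added example that is not from the thread or from the Aurora code base: only the file path appears in the process arguments, and the loader refuses a file that anyone other than its owner can access. The class name `DbCredentialsFile`, the `password` property key and the owner-only policy are assumptions made for the illustration.

```java
import java.io.IOException;
import java.io.Reader;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.attribute.PosixFilePermission;
import java.nio.file.attribute.PosixFilePermissions;
import java.util.Collections;
import java.util.Properties;
import java.util.Set;

/** Hypothetical helper: reads a DB password from a properties file named on the command line. */
public final class DbCredentialsFile {
  // Owner-only bits; any other bit lets another account read or alter the secret.
  private static final Set<PosixFilePermission> OWNER_ONLY = PosixFilePermissions.fromString("rwx------");

  static char[] loadPassword(Path file) throws IOException {
    // Assumes a POSIX file system (throws UnsupportedOperationException elsewhere).
    Set<PosixFilePermission> perms = Files.getPosixFilePermissions(file);
    if (!OWNER_ONLY.containsAll(perms)) {
      throw new IOException(file + " is accessible beyond its owner: "
          + PosixFilePermissions.toString(perms));
    }
    Properties props = new Properties();
    try (Reader in = Files.newBufferedReader(file)) {
      props.load(in);
    }
    String password = props.getProperty("password"); // hypothetical key name
    if (password == null || password.isEmpty()) {
      throw new IOException(file + " has no 'password' entry");
    }
    return password.toCharArray();
  }

  public static void main(String[] args) throws IOException {
    // Constructed sample file; a real run takes the path from argv, so `ps` shows only the path.
    Path file = Files.createTempFile("db-auth", ".properties",
        PosixFilePermissions.asFileAttribute(PosixFilePermissions.fromString("rw-------")));
    try {
      Files.write(file, Collections.singletonList("password=constructed-example-secret"));
      System.out.println("owner-only file accepted, length " + loadPassword(file).length);
      Files.setPosixFilePermissions(file, PosixFilePermissions.fromString("rw-r--r--"));
      loadPassword(file); // now group/world-readable, so this call throws
    } catch (IOException e) {
      System.out.println("rejected: " + e.getMessage());
    } finally {
      Files.delete(file);
    }
  }
}
```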