Is there a way to avoid storing passwords, such as the database password, in readable form in the env.sh file? For example:
This is a common server administration problem, and administrators solve it in whatever way fits their environment. By default, the Deployment Manager process reads /etc/okera/env.sh when it starts, but you are not limited to that file. You can set the environment variables any other way, as long as they are available to the Deployment Manager when it starts.
There are several ways to set the variables differently, for example, using an interactive prompt:
$ IFS= read -rs PW < /dev/tty
$ export OKERA_DB_PASSWORD="$PW"
The first command reads the password interactively from the terminal, without echoing it (the -s option), and stores it in a variable called "PW". The second command exports the value so that a Deployment Manager started from the same shell can pick it up.
Another option is to set the permissions of the /etc/okera/env.sh file so that only the file's owner, which must be the user running the Deployment Manager process, is allowed to read it:
$ chmod 500 /etc/okera/env.sh
You can also move just the sensitive variables into such a locked-down file, and source it before you start the Deployment Manager:
$ touch ~/okera.sh
$ chmod 600 ~/okera.sh   # owner read/write only; with mode 500 the appends below fail for a non-root user
$ echo "export OKERA_DB_USERNAME=\"user123\"" >> ~/okera.sh
$ echo "export OKERA_DB_PASSWORD=\"password123\"" >> ~/okera.sh
$ . ~/okera.sh
Any of these approaches ensures that the variables are set and available to the Deployment Manager when it is started.
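The locked-down file approach above, as an added example that is not Okera's own code: it creates the file owner-only from the start, quotes values so characters such as `$` or backticks in a password are not expanded when the file is sourced, and refuses to source a file that another user could read. The function names are hypothetical; the OKERA_DB_* variable names are the ones used on this page.

```shell
#!/bin/sh
# Added example, not Okera code. Function names are hypothetical; the
# OKERA_DB_* variable names are the ones used on this page.

# Wrap a value in single quotes, rewriting each embedded ' as '\'' so that
# $, backticks, double quotes and spaces stay literal when the file is sourced.
sq_quote() {
    printf "'%s'" "$(printf '%s' "$1" | sed "s/'/'\\\\''/g")"
}

# usage: write_secrets FILE USERNAME PASSWORD
# The umask is set in a subshell, so the file is owner-only (0600) from the
# moment it is created and the caller's umask is left unchanged.
write_secrets() {
    (
        umask 077
        rm -f -- "$1"   # a pre-existing file would keep its old, looser mode
        {
            printf 'export OKERA_DB_USERNAME=%s\n' "$(sq_quote "$2")"
            printf 'export OKERA_DB_PASSWORD=%s\n' "$(sq_quote "$3")"
        } > "$1"
    )
}

# usage: check_secrets FILE
# Succeeds only for a regular file (not a symlink) that we own and that
# grants no permission bits to group or other.
check_secrets() {
    [ -f "$1" ] && [ ! -L "$1" ] && [ -O "$1" ] || return 1
    case "$(ls -ld -- "$1" | cut -c1-10)" in
        -???------) return 0 ;;
        *)          return 1 ;;
    esac
}

# usage: load_secrets /path/to/FILE   (give a path containing a slash)
# Sources the file into the current shell only if it passes check_secrets.
load_secrets() {
    check_secrets "$1" || {
        echo "refusing to source $1: wrong owner or mode (expected 600)" >&2
        return 1
    }
    . "$1"
}
```

Collect the password with the `read -rs` prompt shown earlier and pass `"$PW"` to `write_secrets`, so the literal value is not typed on a command line.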