|
|
@ -165,3 +165,37 @@ these values: |
|
|
|
They do not use any CPU or memory resources |
|
|
|
|
|
|
|
|
|
|
|
** login and password policy |
|
|
|
|
|
|
|
A charm have to manage different set of password. The best would be |
|
|
|
that the charm: |
|
|
|
|
|
|
|
- don't require user to choose password (less configuration) |
|
|
|
- will promote reasonable security practice. |
|
|
|
|
|
|
|
There are 2 types of password: |
|
|
|
- inter-service passwords (ie: database access password), these are |
|
|
|
never used by human operator, and will be required to be known by |
|
|
|
the charms to set things up. These should be generated randomly |
|
|
|
(although they could be set also via configuration if mentionned). |
|
|
|
- they can only be changed by specific backend technical manipulation. |
|
|
|
|
|
|
|
- user service's admin password (ie: admin user of odoo, nextcloud) |
|
|
|
- they can be changed through the service interface. |
|
|
|
- this service interface is available to the public and the general users. |
|
|
|
- charm doesn't need the password to set things up around the service. |
|
|
|
|
|
|
|
*** Inter-service passwords |
|
|
|
|
|
|
|
- Login should be defaulted to name of the service when possible |
|
|
|
- Should be defaulted to random values if not provided in configuration. |
|
|
|
- Should not be advertised even in the command line interface. |
|
|
|
- Should be reset-able anytime. |
|
|
|
|
|
|
|
*** Interactive admin user service's password |
|
|
|
|
|
|
|
- Login should be defaulted to 'admin' |
|
|
|
- Should be defaulted to random values, and not be configurable in configuration. |
|
|
|
- Should be advertised at the end of ~compose up~ along with URL of services as long |
|
|
|
as the default value chosen by compose is still working. |
|
|
|
- Should not be advertised once it was changed by user. |
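Review bot: Under "Interactive admin user service's password", advertising the password at the end of ~compose up~ "as long as the default value chosen by compose is still working" means compose has to keep the generated admin password retrievable and test it against the service on each run. The text does not spell this out, and it sits awkwardly with "charm doesn't need the password to set things up around the service". Please state where that value is stored, who can read it, and how "still working" is checked. The same hunk says the interface "is available to the public" and the login defaults to 'admin', so printing the password on every run leaves it in terminal scrollback and any captured output until the user changes it; consider showing it once, or only on an explicit command. Two gaps in the policy itself: "generated randomly" gives no minimum length and no requirement for a cryptographically secure source, and "Should be reset-able anytime" appears only under inter-service passwords, leaving no stated recovery path for a lost admin password. Minor wording: "A charm have to manage", "mentionned".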