Expand Up @@ -143,6 +143,11 @@ def _set_up_env_for_database(self) -> EnvVarsDict:
"CLP_DB_USER": self._clp_config.database.username,
}

if self._clp_config.database.has_root_password():
env_vars |= {
"CLP_DB_ROOT_PASS": self._clp_config.database.root_password,
}

# Paths
env_vars |= {
"CLP_DB_CONF_LOGGING_FILE_HOST": str(conf_logging_file),
6 changes: 5 additions & 1 deletion components/clp-package-utils/clp_package_utils/general.py
Expand Up @@ -451,7 +451,11 @@ def load_config_file(

def generate_credentials_file(credentials_file_path: pathlib.Path):
credentials = {
DB_COMPONENT_NAME: {"username": "clp-user", "password": secrets.token_urlsafe(8)},
DB_COMPONENT_NAME: {
"username": "clp-user",
"password": secrets.token_urlsafe(8),
"root_password": secrets.token_urlsafe(8),
},
QUEUE_COMPONENT_NAME: {"username": "clp-user", "password": secrets.token_urlsafe(8)},
REDIS_COMPONENT_NAME: {"password": secrets.token_urlsafe(16)},
}
Comment on lines 452 to 462
🧹 Nitpick | 🔵 Trivial

Generating a distinct root_password looks good

Emitting a separate root_password with secrets.token_urlsafe(8) aligns with the new root-credential model and keeps it independent from the user password. If you ever revisit password policy, you might choose a larger token size for the root password, but this is acceptable and consistent with the existing DB password generation.

🤖 Prompt for AI Agents
In components/clp-package-utils/clp_package_utils/general.py around lines 452 to
461, the code already emits a distinct "root_password" using
secrets.token_urlsafe(8); leave this separate root credential generation as-is
to match the new root-credential model, no code changes required now, but if you
revisit password policy later consider increasing the token length for
root_password (e.g., token_urlsafe(12-16)).

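Review bot: `generate_credentials_file` has no docstring, and this hunk makes the DB entry carry a third secret whose consumers elsewhere on this page treat it as optional (`load_credentials_from_file` swallows the KeyError for `root_password`), so a reader of this function cannot tell whether the new key is required or merely recommended. Add a docstring under the signature, e.g. `"""Writes a credentials file with freshly generated DB, queue and Redis secrets. The DB entry carries a distinct root_password (exported as CLP_DB_ROOT_PASS for the MySQL root account) in addition to the regular user password."""`. The remainder of the function, including where the file is written, lies outside the hunk.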
21 changes: 21 additions & 0 deletions components/clp-py-utils/clp_py_utils/clp_config.py
Expand Up @@ -71,6 +71,7 @@
# Environment variable names
CLP_DB_USER_ENV_VAR_NAME = "CLP_DB_USER"
CLP_DB_PASS_ENV_VAR_NAME = "CLP_DB_PASS"
CLP_DB_ROOT_PASS_ENV_VAR_NAME = "CLP_DB_ROOT_PASS"
CLP_QUEUE_USER_ENV_VAR_NAME = "CLP_QUEUE_USER"
CLP_QUEUE_PASS_ENV_VAR_NAME = "CLP_QUEUE_PASS"
CLP_REDIS_PASS_ENV_VAR_NAME = "CLP_REDIS_PASS"
Expand Down Expand Up @@ -175,6 +176,8 @@ class Database(BaseModel):
username: NonEmptyStr | None = None
password: NonEmptyStr | None = None

root_password: NonEmptyStr | None = None

def ensure_credentials_loaded(self):
if self.username is None or self.password is None:
raise ValueError("Credentials not loaded.")
Expand Down Expand Up @@ -227,6 +230,14 @@ def dump_to_primitive_dict(self):
d = self.model_dump(exclude={"username", "password"})
return d

def has_root_password(self) -> bool:
"""
Checks if root password is configured.

:return: True if root password is set.
"""
return self.root_password is not None

def load_credentials_from_file(self, credentials_file_path: pathlib.Path):
config = read_yaml_config_file(credentials_file_path)
if config is None:
Expand All @@ -239,13 +250,23 @@ def load_credentials_from_file(self, credentials_file_path: pathlib.Path):
f"Credentials file '{credentials_file_path}' does not contain key '{ex}'."
)

try:
self.root_password = get_config_value(config, f"{DB_COMPONENT_NAME}.root_password")
except KeyError:
pass

def load_credentials_from_env(self):
"""
:raise ValueError: if any expected environment variable is not set.
"""
self.username = _get_env_var(CLP_DB_USER_ENV_VAR_NAME)
self.password = _get_env_var(CLP_DB_PASS_ENV_VAR_NAME)

try:
self.root_password = _get_env_var(CLP_DB_ROOT_PASS_ENV_VAR_NAME)
except ValueError:
pass

def transform_for_container(self):
self.host = DB_COMPONENT_NAME
self.port = self.DEFAULT_PORT
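Review bot: `dump_to_primitive_dict` (context line `d = self.model_dump(exclude={"username", "password"})` in the third hunk) still excludes only `username` and `password`, so the new `root_password` field on `Database` is serialized into the primitive dict next to the non-secret settings, while the other two credentials are deliberately kept out. Extend the exclusion: `d = self.model_dump(exclude={"username", "password", "root_password"})`. Separately, the docstring of `load_credentials_from_env` still says a ValueError is raised if any expected variable is unset, but the added `except ValueError: pass` makes `CLP_DB_ROOT_PASS` optional; add a line such as `CLP_DB_ROOT_PASS is optional; when unset, root_password is left unchanged.` and, since the except swallows every ValueError from `_get_env_var` (whose body is outside the hunk), confirm that it raises only for the unset case.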
Expand Up @@ -2,6 +2,7 @@
#database:
# username: "clp-user"
# password: "pass"
# root_password: "root-pass"
#
## Queue credentials
#queue:
3 changes: 2 additions & 1 deletion tools/deployment/package/docker-compose-all.yaml
Expand Up @@ -49,7 +49,7 @@ services:
environment:
MYSQL_DATABASE: "${CLP_DB_NAME:-clp-db}"
MYSQL_PASSWORD: "${CLP_DB_PASS:?Please set a value.}"
MYSQL_ROOT_PASSWORD: "${CLP_DB_PASS:?Please set a value.}"
MYSQL_ROOT_PASSWORD: "${CLP_DB_ROOT_PASS:?Please set a value.}"
MYSQL_USER: "${CLP_DB_USER:?Please set a value.}"
ports:
- host_ip: "${CLP_DB_HOST:-127.0.0.1}"
Expand Down Expand Up @@ -82,6 +82,7 @@ services:
hostname: "db_table_creator"
environment:
CLP_DB_PASS: "${CLP_DB_PASS:?Please set a value.}"
CLP_DB_ROOT_PASS: "${CLP_DB_ROOT_PASS:?Please set a value.}"
CLP_DB_USER: "${CLP_DB_USER:?Please set a value.}"
PYTHONPATH: "/opt/clp/lib/python3/site-packages"
volumes:
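Review bot: `MYSQL_ROOT_PASSWORD: "${CLP_DB_ROOT_PASS:?Please set a value.}"` makes the root password mandatory for the db service, but the Python side on this page only exports `CLP_DB_ROOT_PASS` when `has_root_password()` is true and both loaders silently tolerate a missing `root_password`, so a deployment whose credentials file predates this change would presumably fail at compose time with the generic "Please set a value." rather than a message naming the missing credential. Either make `root_password` required in `Database.ensure_credentials_loaded` so the failure is reported with the other credentials, or keep it optional and give the compose fallback a targeted message, e.g. `MYSQL_ROOT_PASSWORD: "${CLP_DB_ROOT_PASS:?Set database.root_password in the credentials file.}"`. The same applies to the `CLP_DB_ROOT_PASS` line added in the db_table_creator hunk.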