Uploaded image for project: 'Okapi'
  1. Okapi
  2. OKAPI-1061

Okapi creating tenant level module users



    • New Feature
    • Status: Draft (View Workflow)
    • TBD
    • Resolution: Unresolved
    • None
    • None
    • None
    • Core: Platform



      Some modules (e.g. mod-pubsub, mod-search, mod-remote-storage) creates users on tenant init, which is considered insecure. Also such virtual (module) users could be deleted by mistake by librarians using Folio UI.

      In order to resolve both problems Okapi should automatically create, change and delete such users when a module is enabled, upgraded or disabled for a tenant. This is triggered by the module descriptor that lists what tenant users and module users are needed.

      In a single server installation Okapi executes all necessary steps.

      Note: This is an alternative solution to FOLIO-3372 where these tasks are executed by sysops.


      For each module with tenant level module users Okapi creates a random password that is shared across all tenants when the module is deployed. This is secure because it is used in a single module only. There is no more security if the single module has a separate password for each tenant but has access to all of them.

      When deploying the module Okapi passes the password in the MODULE_USER_PASSWORD environment variable.

      When enabling the module for a tenant Okapi creates the user with that password and with the username and permissions specified in the module descriptor.

      When disabling the module for a tenant Okapi deletes the user.

      When upgrading a module for a tenant Okapi makes any changes if the module descriptor about module users changes, for example altering the permissions.

      The module descriptor max contain multiple module users with different permissions and different user name.

      Multi-server implementation

      If Okapi doesn't deploy the module, for example in multi-server installations with rancher, the sysop needs to know the MODULE_USER_PASSWORD to put it into the secret store or use some other way to pass it to the module.

      Therefore we need these Okapi APIs:

      • Get MODULE_USER_PASSWORD for a module.
      • Set/change MODULE_USER_PASSWORD for a module. Okapi will change the password for all module users of each tenant that has this module enabled. If Okapi has deployed the module (for example single server) it restarts the module after the password change.

      TestRail: Results


          Issue Links



                Unassigned Unassigned
                julianladisch Julian Ladisch
                0 Vote for this issue
                5 Start watching this issue



                  TestRail: Runs

                    TestRail: Cases