Skip to content

Commit

Permalink
use --insecure and secure later #10238
Browse files Browse the repository at this point in the history
Using --insecure at first and then doing securing APIs, etc later
(like non --insecure does) seems like the best option for now.

It allows us to simplify the tutorial and set up an unblock key
for later use.
  • Loading branch information
pdurbin committed Feb 1, 2024
1 parent 9b0a3cf commit 89739bc
Show file tree
Hide file tree
Showing 2 changed files with 94 additions and 32 deletions.
96 changes: 66 additions & 30 deletions doc/sphinx-guides/source/container/running/demo.rst
Original file line number Diff line number Diff line change
Expand Up @@ -36,27 +36,18 @@ Again, data related to your Dataverse installation such as the database is store

You may reach a point during your demo or evaluation that you'd like to start over with a fresh database. Simply make sure the containers are not running and then remove the ``data`` directory. Now, as before, you can run ``docker compose up`` to spin up the containers.

Configuring Dataverse
Setting Up for a Demo
---------------------

Now that you are familiar with the basics of running Dataverse in containers, let's move on to configuration.
Now that you are familiar with the basics of running Dataverse in containers, let's move on to a better setup for a demo or evaluation.

Start Fresh
+++++++++++

For this configuration exercise, please start fresh by stopping all containers and removing the ``data`` directory.

Change the Site URL
+++++++++++++++++++

Edit ``compose.yml`` and change ``_CT_DATAVERSE_SITEURL`` to the URL you plan to use for your installation.

(You can read more about this setting at :ref:`dataverse.siteUrl`.)
Starting Fresh
++++++++++++++

This is an example of setting an environment variable to configure Dataverse.
For this exercise, please start fresh by stopping all containers and removing the ``data`` directory.

Create and Run a Demo Persona
+++++++++++++++++++++++++++++
Creating and Running a Demo Persona
+++++++++++++++++++++++++++++++++++

Previously we used the "dev" persona to bootstrap Dataverse, but for security reasons, we should create a persona more suited to demos and evaluations.

Expand All @@ -83,36 +74,81 @@ Uncomment the "volumes" section.

Create a directory called "demo" and copy :download:`init.sh <../../../../../modules/container-configbaker/scripts/bootstrap/demo/init.sh>` into it. You are welcome to edit this demo init script, customizing the final message, for example.

Note that the init script contains a key for using the admin API once it is blocked. You should change it in the script from "unblockme" to something only you know.

Now run ``docker compose up``. The "bootstrap" container should exit with the message from the init script and Dataverse should be running on http://localhost:8080 as before during the quickstart exercise.

One of the main differences between the "dev" persona and our new "demo" persona is that we are now running the setup-all script without the ``--insecure`` flag. This makes our installation more secure, though it does block "admin" APIs that are useful for configuration.

Set DOI Provider to FAKE
++++++++++++++++++++++++
Smoke Testing
-------------

At this point, please try the following basic operations within your installation:

- logging in as dataverseAdmin (password "admin1")
- publishing the "root" collection (dataverse)
- creating a collection
- creating a dataset
- uploading a data file
- publishing the dataset

If anything isn't working, please see the sections below on troubleshooting, giving feedback, and getting help.

Further Configuration
---------------------

Now that we've verified through a smoke test that basic operations are working, let's configure our installation of Dataverse.

Please refer to the :doc:`/installation/config` section of the Installation Guide for various configuration options.

For the purposes of a demo, we'll use the "FAKE" DOI provider. (For more on this and related settings, see :ref:`pids-configuration` in the Installation Guide.) Without this step, you won't be able to create or publish datasets.
Below we'll explain some specifics for configuration in containers.

Run the following command. (In this context, "dataverse" is the name of the running container.)
JVM Options/MicroProfile Config
+++++++++++++++++++++++++++++++

``docker exec -it dataverse curl http://localhost:8080/api/admin/settings/:DoiProvider -X PUT -d FAKE``
:ref:`jvm-options` can be configured under ``JVM_ARGS`` in the ``compose.yml`` file. Here's an example:

.. code-block:: bash
This is an example of configuring a database setting, which you can read more about at :ref:`database-settings` in the Installation Guide.
environment:
JVM_ARGS: -Ddataverse.files.storage-driver-id=file1
Smoke Test
Some JVM options can be configured as environment variables. For example, you can configure the database host like this:

.. code-block:: bash
environment:
DATAVERSE_DB_HOST: postgres
We are in the process of making more JVM options configurable as environment variables. Look for the term "MicroProfile Config" in under :doc:`/installation/config` in the Installation Guide to know if you can use them this way.

Please note that for a few environment variables (the ones that start with ``%ct`` in :download:`microprofile-config.properties <../../../../../src/main/resources/META-INF/microprofile-config.properties>`), you have to prepend ``_CT_`` to make, for example, ``_CT_DATAVERSE_SITEURL``. We are working on a fix for this in https://github.com/IQSS/dataverse/issues/10285.

There is a final way to configure JVM options that we plan to deprecate once all JVM options have been converted to MicroProfile Config. Look for "magic trick" under "tunables" at :doc:`../app-image` for more information.

Database Settings
+++++++++++++++++

Generally, you should be able to look at the list of :ref:`database-settings` and configure them but the "demo" persona above secured your installation to the point that you'll need an "unblock key" to access the "admin" API and change database settings.

In the example below of configuring :ref:`:FooterCopyright` we use the default unblock key of "unblockme" but you should use the key you set above.

``curl -X PUT -d ", My Org" "http://localhost:8080/api/admin/settings/:FooterCopyright?unblock-key=unblockme"``

One you make this change it should be visible in the copyright in the bottom left of every page.

Next Steps
----------

At this point, please try some basic operations within your installation, such as:
From here, you are encouraged to continue poking around, configuring, and testing. You probably spend a lot of time reading the :doc:`/installation/config` section of the Installation Guide.

- logging in as dataverseAdmin
- publishing the "root" collection (dataverse)
- creating a collection
- creating a dataset
- uploading a data file
- publishing the dataset
Please consider giving feedback using the methods described below. Good luck with your demo!

About the Containers
--------------------

Now that you've gone through the tutorial, you might be interested in the various containers you've spun up and what they do.

Container List
++++++++++++++

Expand Down
30 changes: 28 additions & 2 deletions modules/container-configbaker/scripts/bootstrap/demo/init.sh
Original file line number Diff line number Diff line change
Expand Up @@ -2,12 +2,38 @@

set -euo pipefail

# Set some defaults as documented
# Set some defaults
DATAVERSE_URL=${DATAVERSE_URL:-"http://dataverse:8080"}
export DATAVERSE_URL

BLOCKED_API_KEY=${BLOCKED_API_KEY:-"unblockme"}
export BLOCKED_API_KEY

# --insecure is used so we can configure a few things but
# later in this script we'll apply the changes as if we had
# run the script without --insecure.
echo "Running base setup-all.sh..."
"${BOOTSTRAP_DIR}"/base/setup-all.sh -p=admin1 | tee /tmp/setup-all.sh.out
"${BOOTSTRAP_DIR}"/base/setup-all.sh --insecure -p=admin1 | tee /tmp/setup-all.sh.out

echo ""
echo "Setting DOI provider to \"FAKE\"..."
curl -sS -X PUT -d FAKE "${DATAVERSE_URL}/api/admin/settings/:DoiProvider"

echo ""
echo "Revoke the key that allows for creation of builtin users..."
curl -sS -X DELETE "${DATAVERSE_URL}/api/admin/settings/BuiltinUsers.KEY"

echo ""
echo "Set key for accessing blocked API endpoints..."
curl -sS -X PUT -d "$BLOCKED_API_KEY" "${DATAVERSE_URL}/api/admin/settings/:BlockedApiKey"

echo ""
echo "Set policy to only allow access to admin APIs with with a key..."
curl -sS -X PUT -d unblock-key "${DATAVERSE_URL}/api/admin/settings/:BlockedApiPolicy"

echo ""
echo "Block admin and other sensitive API endpoints..."
curl -sS -X PUT -d 'admin,builtin-users' "${DATAVERSE_URL}/api/admin/settings/:BlockedApiEndpoints"

echo ""
echo "Done, your instance has been configured for demo or eval. Have a nice day!"

0 comments on commit 89739bc

Please sign in to comment.