From: srinivasyanamadala
Date: Tue, 25 Feb 2025 17:18:10 +0000 (+0100)
Subject: Remove Root Permission for execution of opa-pdp
X-Git-Tag: 1.0.3~13
X-Git-Url: https://gerrit.onap.org/r/gitweb?a=commitdiff_plain;h=ca5f0cddbbf72eb52410161f3ad91cda64eb6c58;p=policy%2Fopa-pdp.git
Remove Root Permission for execution of opa-pdp
Issue-ID: POLICY-5293
Change-Id: I84dbf7f19355aa857a95f0ec8f563c229897ad19
Signed-off-by: srinivasyanamadala
---
diff --git a/Dockerfile b/Dockerfile
index 5312d06..e00ce84 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -29,48 +29,34 @@ COPY go.mod go.sum /app/
 COPY . .
-RUN mkdir /app/cfg
-ADD cfg /app/cfg
+RUN mkdir -p /app/cfg /app/consts /app/api /app/cmd /app/pkg /app/bundles
+COPY cfg /app/cfg
+COPY consts /app/consts
+COPY api /app/api
+COPY cmd /app/cmd
+COPY pkg /app/pkg
-RUN mkdir /app/consts
-ADD consts /app/consts
-
-RUN mkdir /app/api
-ADD api /app/api
-
-RUN mkdir /app/cmd
-ADD cmd /app/cmd
-
-RUN mkdir /app/pkg
-ADD pkg /app/pkg
-
-RUN mkdir /app/bundles
 WORKDIR /app
 # Build the binary
 RUN GOOS=linux GOARCH=amd64 go build -ldflags="-w -s" -o /app/opa-pdp /app/cmd/opa-pdp/opa-pdp.go
-#COPY config.json /app/config.json
-#RUN chmod 644 /app/config.json
 FROM ubuntu
-RUN apt-get update && apt-get install -y netcat-openbsd && rm -rf /var/lib/apt/lists/*
-
-RUN apt-get update && apt-get install -y curl
+RUN apt-get update && apt-get install -y netcat-openbsd curl && rm -rf /var/lib/apt/lists/*\
+ && mkdir -p /app /opt/policies /opt/data /var/logs \
+ && chown -R ubuntu:ubuntu /app /opt/policies /opt/data /var/logs
-# Copy our static executable from compile stage
-RUN mkdir /app
 COPY --from=compile /app /app
-RUN chmod +x /app/opa-pdp
+# Copy our opa executable from build stage
+COPY --from=build /tmp/opa /app/opa
-RUN mkdir /opt/policies
-RUN mkdir /opt/data
+RUN chmod +x /app/opa-pdp && chmod 755 /app/opa
-# Copy our opa executable from build stage
-COPY --from=build /tmp/opa /app/opa
-RUN chmod 755 /app/opa
+# Switch to the non-root user and 1000 is for ubuntu
+USER 1000:1000
 WORKDIR /app
 EXPOSE 8282
diff --git a/cfg/config.go b/cfg/config.go
index ef046de..e828b18 100644
--- a/cfg/config.go
+++ b/cfg/config.go
@@ -1,6 +1,6 @@
 // -
 // ========================LICENSE_START=================================
-// Copyright (C) 2024: Deutsche Telekom
+// Copyright (C) 2024-2025: Deutsche Telekom
 //
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
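Review bot: In the Dockerfile hunk, `chown -R ubuntu:ubuntu /app ...` runs before `COPY --from=compile /app /app` and `COPY --from=build /tmp/opa /app/opa`, so everything copied under /app, including `/app/bundles` from the compile stage, most likely stays root-owned once `USER 1000:1000` takes effect (no `--chown` is given, and neither build stage is shown switching user). Root-owned, non-writable binaries are a sound default, but if opa-pdp writes under /app at runtime (not visible here), hand only those paths to the runtime user, e.g. `COPY --from=compile --chown=1000:1000 /app/bundles /app/bundles`. Both the `chown ubuntu:ubuntu` and the `USER 1000:1000` comment assume that the untagged `FROM ubuntu` base ships an `ubuntu` account with uid 1000; pinning the base to a tag or digest (`FROM ubuntu:<pinned-tag>`) keeps a rebuild from silently changing that assumption.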
@@ -28,6 +28,7 @@ import (
 "os"
 "regexp"
 "strconv"
+ "github.com/google/uuid"
 )
 // LogLevel - The log level for the application.
@@ -65,7 +66,7 @@ func init() {
 LogLevel = getEnv("LOG_LEVEL", "info")
 BootstrapServer = getEnv("KAFKA_URL", "kafka:9092")
 Topic = getEnv("PAP_TOPIC", "policy-pdp-pap")
- GroupId = getEnv("GROUPID", "opa-pdp")
+ GroupId = getEnv("GROUPID", "opa-pdp-" + uuid.New().String())
 Username = getEnv("API_USER", "policyadmin")
 Password = getEnv("API_PASSWORD", "zb!XztG34")
 UseSASLForKAFKA = getEnv("UseSASLForKAFKA", "false")
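Review bot: The new `GROUPID` default in `init()` makes every process start join Kafka under a fresh consumer group (`"opa-pdp-" + uuid.New().String()`), so committed offsets are never resumed and each restart leaves another idle group on the broker; if that per-instance fan-out is intended, say so next to the line, e.g. `// GROUPID unset: unique group per start so each PDP instance sees every PAP message; offsets do not survive restarts`. Where the broker enforces consumer-group ACLs (likely the `UseSASLForKAFKA` deployments), the service principal now needs a prefix rule for `opa-pdp-` instead of one literal group name. `uuid.New()` is also evaluated even when `GROUPID` is set, because the default is built before `getEnv` is called, and it panics if the random source fails. Separately, the context line for `API_PASSWORD` still falls back to a built-in credential when the variable is unset; refusing to start without it would fit this hardening change. `init()` begins and ends outside the hunk.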