security(getting-started): enforce stronger postgres password and restrict database access#3570
Merged
dimas-b merged 2 commits intoapache:mainfrom Feb 3, 2026
Conversation
…rict database access - Add POSTGRES_PASSWORD environment variable to specify the Postgres database password. - Add validation to reject weak default "postgres" password. - Generate random 16-character password if POSTGRES_PASSWORD is not provided. - Replace all hardcoded "postgres" password references with $POSTGRES_PASSWORD variable. - Restrict Azure PostgreSQL access to VM's public IP using `--public-access` flag. This aligns security posture across AWS (VPC-only), Azure (IP-restricted), and GCP (authorized-networks) - Update documentation site to describe the POSTGRES_PASSWORD environment variable.
adutra
previously approved these changes
Jan 27, 2026
site/content/in-dev/unreleased/getting-started/deploying-polaris/cloud-deploy/deploy-aws.md
Outdated
Show resolved
Hide resolved
github-project-automation
bot
moved this from PRs In Progress
to Ready to merge
in Basic Kanban Board
dimas-b
previously approved these changes
Jan 27, 2026
Contributor
dimas-b
left a comment
dimas-b
left a comment
There was a problem hiding this comment.
LGTM with docs changes noted by @adutra 👍 Valuable improvement! Thanks, @pingtimeout !
dimas-b
approved these changes
Jan 27, 2026
singhpk234
approved these changes
Jan 27, 2026
Contributor
singhpk234
left a comment
singhpk234
left a comment
There was a problem hiding this comment.
LGTM, thanks @pingtimeout !
just double confirming did you run the getting started post changes ?
Contributor
Author
|
@singhpk234 no unfortunately, see the PR description.
|
Contributor
|
@adnanhemani : You seem to be the original author of these scripts. Do you have capacity to re-validate them with changes in this PR? Thx! |
flyrain
approved these changes
Jan 30, 2026
github-project-automation
bot
moved this from Ready to merge
to Done
in Basic Kanban Board
sungwy
pushed a commit
to sungwy/polaris
that referenced
this pull request
Feb 7, 2026
…trict database access (apache#3570) * security(getting-started): enforce strong postgres passwords and restrict database access - Add POSTGRES_PASSWORD environment variable to specify the Postgres database password. - Add validation to reject weak default "postgres" password. - Generate random 16-character password if POSTGRES_PASSWORD is not provided. - Replace all hardcoded "postgres" password references with $POSTGRES_PASSWORD variable. - Restrict Azure PostgreSQL access to VM's public IP using `--public-access` flag. This aligns security posture across AWS (VPC-only), Azure (IP-restricted), and GCP (authorized-networks) - Update documentation site to describe the POSTGRES_PASSWORD environment variable.
snazy
added a commit
to snazy/polaris
that referenced
this pull request
Feb 11, 2026
* fix(site): Bump the binary distribution version. (apache#3624) Co-authored-by: ChristopherQu <35272962+ChristopherQu@users.noreply.github.com> * chore(deps): update actions/stale digest to dcd2b94 (apache#3643) * security(getting-started): enforce stronger postgres password and restrict database access (apache#3570) * security(getting-started): enforce strong postgres passwords and restrict database access - Add POSTGRES_PASSWORD environment variable to specify the Postgres database password. - Add validation to reject weak default "postgres" password. - Generate random 16-character password if POSTGRES_PASSWORD is not provided. - Replace all hardcoded "postgres" password references with $POSTGRES_PASSWORD variable. - Restrict Azure PostgreSQL access to VM's public IP using `--public-access` flag. This aligns security posture across AWS (VPC-only), Azure (IP-restricted), and GCP (authorized-networks) - Update documentation site to describe the POSTGRES_PASSWORD environment variable. * OpenAPI specs: update README with detailed API specifications (apache#3629) * CI: simplify `ci-incr-build-cache-save` action usage (apache#3626) * CI: simplify upload-artifacts call + only on failure (apache#3627) * CI: simplify java-setup action usage (apache#3628) * STS roleArn: enable 3rd party STS services (apache#3619) Certain non-AWS STS service implementations use role ARNs that look quite different from AWS ones. This change shall enable those STS implementations. Example role ARNs that currently fail: * `urn:ecs:sts::s3:assumed-role/s3assumeRole/user1-105-temp` * `urn:sgws:identity::12345:group/foo-bar-abcdef` Related issue apache#2743 * Last merged commit 29ccdd1 --------- Co-authored-by: HJ Q. <35272962+chrisqu777@users.noreply.github.com> Co-authored-by: ChristopherQu <35272962+ChristopherQu@users.noreply.github.com> Co-authored-by: Mend Renovate <bot@renovateapp.com> Co-authored-by: Pierre Laporte <pierre@pingtimeout.fr> Co-authored-by: Alexandre Dutra <adutra@apache.org>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
5 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
This is not really a security issue in the codebase. More of an improvement on the getting started.
The getting started guide for Azure exposes a database to the entire internet, which is a problem considering that the default username and password for Postgres are used. This PR includes the following changes:
--public-accessflag. This aligns security posture across AWS (VPC-only), Azure (IP-restricted), and GCP (authorized-networks)Full disclaimer: I cannot test the
--public-access $INSTANCE_IPaddition to theazcommand. This is because of a company policy that prevents me from instantiating any Azure instance with a public IP address. Any help to test thedeploy-azure.shscript is welcome.Checklist
CHANGELOG.md(if needed)site/content/in-dev/unreleased(if needed)