[#1675] kea-admin: KEA_ADMIN_DB_PASSWORD env var

diff --git a/ChangeLog b/ChangeLog
index 86f99d26a928904691e4fae4e36484a3561fa494..b131d9953286c1edf87f54d987f423b00876ec88 100644 (file)
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,15 +1,11 @@
 1885.  [func]          andrei
        kea-admin is now able to interactively ask for a password if no
        parameter follows the -p or the --password parameters. This
-       requires the user to give it as the last parameter. If another
-       option starting with dash follows, that would be taken as the
-       actual password, would not be processed as it should have been
-       and all your parameters will be offset by one. Checking if the
-       word that follows starts with dash is also not possible because
-       that would not allow for passwords starting with dash. Feedback
-       of the password to the terminal is cut off to prevent
-       over-the-shoulder snooping and other social engineering
-       techniques.
+       requires the user to give it as the last parameter. The entered
+       password is not echoed back to the terminal in order to prevent
+       over-the-shoulder snooping or other social engineering
+       techniques. Alternatively, you can set the password via the
+       KEA_ADMIN_DB_PASSWORD environment variable.
        (Gitlab #1675)
 
 1884.  [doc]           fdupont

diff --git a/doc/sphinx/man/kea-admin.8.rst b/doc/sphinx/man/kea-admin.8.rst
index 2e615c1b6abae050b7acfcda219f591f9a07765e..153702c92b9e26e0809863bec6542caace365947 100644 (file)
--- a/doc/sphinx/man/kea-admin.8.rst
+++ b/doc/sphinx/man/kea-admin.8.rst
@@ -72,7 +72,9 @@ Arguments
 ``-p|--password password``
    Specifies the password when connecting to a database.
    If only ``-p`` or ``--password`` is given, the user is prompted for a password.
-   If not specified at all, the default value of **keatest** is used.
+   If not specified at all, the **KEA_ADMIN_DB_PASSWORD** environment variable
+   is checked for a value and used if it exists.
+   Otherwise the default value of **keatest** is used.
 
 ``-n|--name database-name``
    Specifies the name of the database to connect to. If not specified, the

diff --git a/src/bin/admin/kea-admin.in b/src/bin/admin/kea-admin.in
index d7bb5639dc51aaaa4d6e797fdac2b3c4491c066c..2d1939130f186e4aee5196c420a971bdf3450395 100644 (file)
--- a/src/bin/admin/kea-admin.in
+++ b/src/bin/admin/kea-admin.in
@@ -749,6 +749,7 @@ do
             ;;
         # Specify database password
         -p|--password)
+            password_parameter_passed=true
             # If there is at least one more parameter following...
             if test "${#}" -gt 1; then
                 # Then take it as password.
@@ -819,6 +820,14 @@ do
     shift
 done
 
+# After all the parameters have been parsed, check environment variables.
+if test -z "${password_parameter_passed+x}"; then
+    if test -n "${KEA_ADMIN_DB_PASSWORD+x}"; then
+        printf 'Using the value of KEA_ADMIN_DB_PASSWORD for authentication...\n'
+        db_password="${KEA_ADMIN_DB_PASSWORD}"
+    fi
+fi
+
 case ${command} in
     # Initialize the database
     db-init)