Copilot commented on code in PR #2952:
URL: https://github.com/apache/hugegraph/pull/2952#discussion_r2904637215
##########
docker/docker-compose-3pd-3store-3server.yml:
##########
@@ -1,4 +1,4 @@
-#
+#
Review Comment:
The first line contains a UTF-8 BOM character before `#` (rendered as `#`).
Some YAML parsers / tooling treat this as an invalid character and may fail to
parse the compose file. Remove the BOM so the file starts with a plain `#`.
##########
hugegraph-server/hugegraph-dist/docker/docker-entrypoint.sh:
##########
@@ -15,32 +15,78 @@
# See the License for the specific language governing permissions and
# limitations under the License.
#
+set -euo pipefail
-# create a folder to save the docker-related file
-DOCKER_FOLDER='./docker'
-mkdir -p $DOCKER_FOLDER
-
+DOCKER_FOLDER="./docker"
INIT_FLAG_FILE="init_complete"
+GRAPH_CONF="./conf/graphs/hugegraph.properties"
+
+mkdir -p "${DOCKER_FOLDER}"
+
+log() { echo "[hugegraph-server-entrypoint] $*"; }
+
+set_prop() {
+ local key="$1" val="$2" file="$3"
+ local esc_key esc_val
+
+ esc_key=$(printf '%s' "$key" | sed -e 's/[][(){}.^$*+?|\\/]/\\&/g')
+ esc_val=$(printf '%s' "$val" | sed -e 's/[&|\\]/\\&/g')
-if [ ! -f "${DOCKER_FOLDER}/${INIT_FLAG_FILE}" ]; then
- # wait for storage backend
- ./bin/wait-storage.sh
- if [ -z "$PASSWORD" ]; then
- echo "init hugegraph with non-auth mode"
+ if grep -qE "^[[:space:]]*${esc_key}[[:space:]]*=" "${file}"; then
+ sed -ri "s|^([[:space:]]*${esc_key}[[:space:]]*=).*|\\1${esc_val}|"
"${file}"
+ else
+ printf '%s=%s\n' "$key" "$val" >> "${file}"
+ fi
+}
+
+migrate_env() {
+ local old_name="$1" new_name="$2"
+
+ if [[ -n "${!old_name:-}" && -z "${!new_name:-}" ]]; then
+ log "WARN: deprecated env '${old_name}' detected; mapping to
'${new_name}'"
+ export "${new_name}=${!old_name}"
+ fi
+}
+
+migrate_env "BACKEND" "HG_SERVER_BACKEND"
+migrate_env "PD_PEERS" "HG_SERVER_PD_PEERS"
+
+# ── Map env → properties file ─────────────────────────────────────────
+[[ -n "${HG_SERVER_BACKEND:-}" ]] && set_prop "backend"
"${HG_SERVER_BACKEND}" "${GRAPH_CONF}"
+[[ -n "${HG_SERVER_PD_PEERS:-}" ]] && set_prop "pd.peers"
"${HG_SERVER_PD_PEERS}" "${GRAPH_CONF}"
+
+# ── Build wait-storage env ─────────────────────────────────────────────
+WAIT_ENV=()
+[[ -n "${HG_SERVER_BACKEND:-}" ]] &&
WAIT_ENV+=("hugegraph.backend=${HG_SERVER_BACKEND}")
+[[ -n "${HG_SERVER_PD_PEERS:-}" ]] &&
WAIT_ENV+=("hugegraph.pd.peers=${HG_SERVER_PD_PEERS}")
+
+# ── Init store (once) ─────────────────────────────────────────────────
+if [[ ! -f "${DOCKER_FOLDER}/${INIT_FLAG_FILE}" ]]; then
+ if (( ${#WAIT_ENV[@]} > 0 )); then
+ env "${WAIT_ENV[@]}" ./bin/wait-storage.sh
+ else
+ ./bin/wait-storage.sh
+ fi
+
+ if [[ -z "${PASSWORD:-}" ]]; then
+ log "init hugegraph with non-auth mode"
./bin/init-store.sh
else
- echo "init hugegraph with auth mode"
+ log "init hugegraph with auth mode"
./bin/enable-auth.sh
- echo "$PASSWORD" | ./bin/init-store.sh
+ echo "${PASSWORD}" | ./bin/init-store.sh
fi
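Review bot: In `set_prop`, the `if grep -qE ... "${file}"` condition treats a grep error (exit status 2, file missing or unreadable) the same as "key not found" (exit status 1), and `set -e` does not catch it because the grep runs as an `if` condition. If `${GRAPH_CONF}` is absent while its directory exists, the `else` branch's `printf '%s=%s\n' "$key" "$val" >> "${file}"` creates a new properties file containing only that key, and startup continues. Add an explicit check at the top of `set_prop`, for example `[[ -f "${file}" ]] || { log "ERROR: ${file} not found"; exit 1; }`, so a wrong working directory or a bad mount stops the container instead of producing a near-empty config. Minor, in the auth branch: `printf '%s\n' "${PASSWORD}" | ./bin/init-store.sh` is more robust than `echo "${PASSWORD}"`, since `echo` consumes a value such as `-n` as an option.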
Review Comment:
If the `PASSWORD` environment variable is unset, the server is initialized
in non‑auth mode, and Docker compose examples do not set `PASSWORD`, meaning
the REST API on `8080` runs with no authentication by default. Anyone who can
reach the exposed port can fully administer graphs without credentials, which
is a serious risk in misconfigured or internet‑reachable deployments. Require
an explicit admin password (fail fast if `PASSWORD` is missing) or clearly gate
the unauthenticated mode behind a separate, opt‑in flag intended only for local
development.
--
This is an automated message from the Apache Git Service.
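
One way to implement the fail-fast gate the second review comment asks for, as an added example that is not part of the PR or of the original message. The function name `resolve_auth_mode` and the opt-in flag `HG_ALLOW_NO_AUTH` are hypothetical, not HugeGraph settings.

```bash
#!/usr/bin/env bash
# Added example: auth-mode gate for a container entrypoint.
# HG_ALLOW_NO_AUTH is a hypothetical opt-in flag, not a HugeGraph setting.

# Prints "auth" or "no-auth" on stdout and returns 0.
# Returns 64 (EX_USAGE) and prints nothing on stdout when there is neither
# a usable password nor an explicit opt-in to unauthenticated mode.
resolve_auth_mode() {
    local password="${1-}" allow_no_auth="${2-}"

    # A password must contain at least one non-whitespace character;
    # an empty or whitespace-only value is treated as missing.
    case "${password}" in
        *[![:space:]]*)
            echo "auth"
            return 0
            ;;
    esac

    # Unauthenticated mode requires the exact opt-in value "true".
    if [ "${allow_no_auth}" = "true" ]; then
        echo "WARN: starting WITHOUT authentication (HG_ALLOW_NO_AUTH=true)" >&2
        echo "no-auth"
        return 0
    fi

    echo "ERROR: PASSWORD is not set; refusing to start unauthenticated." >&2
    echo "       Set PASSWORD, or HG_ALLOW_NO_AUTH=true for local development." >&2
    return 64
}

# Intended use in an entrypoint (shown as a comment, not executed here):
#   mode=$(resolve_auth_mode "${PASSWORD:-}" "${HG_ALLOW_NO_AUTH:-}") || exit $?
#   case "${mode}" in
#       auth)    ./bin/enable-auth.sh; printf '%s\n' "${PASSWORD}" | ./bin/init-store.sh ;;
#       no-auth) ./bin/init-store.sh ;;
#   esac
```

With this gate, a compose file that sets neither variable stops at startup with exit status 64 rather than exposing an unauthenticated API.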