Registered Database Connection Update Password Function

07-19-2022 02:33 PM
Status: Open
BillMitchell
Regular Contributor

I have a lot of registered database connections---let's call it 100---and my enterprise has a password rotation policy.  We have recently begun a cloud migration, and I want to use some of the new automation tooling to keep database passwords rotated.

There is some documentation on how to do this in ArcGIS Enterprise, but it requires the arcpy library (for arcpy.management.CreateDatabaseConnection, not documented there between steps 3 and 4) and is not very direct.

Using the `arcgis` library, I can see the various registered database items in our Enterprise system.  There is an update method for the connections, so that their properties can be changed.  The properties, which are fed into the update method, look like this:

{
  "path": "/enterpriseDatabases/testDsfunc",   // a unique path on the server
  "type": "egdb",                               // as this is a database
  "id": "09f91102-4bf0-4161-8c8d-0a8ecc159be7",
  "totalRefCount": 0,
  "info": {
    "dataStoreConnectionType": "shared",
    "isManaged": "false",
    "connectionString": "ENCRYPTED_PASSWORD=<big long hexadecimal>;SERVER=User;INSTANCE=sde:sqlserver:User;DBCLIENT=sqlserver;DB_CONNECTION_PROPERTIES=User;DATABASE=dsfunc;USER=sde;VERSION=sde.DEFAULT;AUTHENTICATION_MODE=DBMS"
  }
}

Having just updated my database password at the database, I now want to update the ENCRYPTED_PASSWORD part of the connectionString (or really, the whole connectionString, but only changing the ENCRYPTED_PASSWORD part).

I would love to see a method update_password(new_password) on the arcgis.gis.server.admin._data.Datastore object that would take the plaintext password and update the connectionString to use the corresponding ENCRYPTED_PASSWORD.

The generalized steps shown in the documentation referenced above would become as follows:

from arcgis.gis import GIS

# Sign in to the portal as an administrator
gis = GIS("https://my.portal.machine.com:7443/arcgis/home", "admin_user", "admin_password")
gis_servers = gis.servers.list()

my_server = gis_servers[0]  # Or code to choose the correct server
datastores = my_server.datastores.list()

ds = datastores[7]  # Or code to choose the correct datastore connection item
ds.update_password('my_new_passw0rd')  # Proposed method; not part of the library today

Having that functionality I can then make use of the following scheme for rotating passwords:

A password stored in cloud key store nears expiration, triggering a Python function that generates a new password and updates it in the database and the key store (including new expiration date).

The updated key in the key store triggers a second Python function (arcgis library only, no arcpy) which can log in to the ArcGIS Enterprise, locate the correct datastore connection (based on metadata or a database that matches connections to the database keys), and run the update_password function with the new password.
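The second step of that scheme, as an added example rather than code from the post or from the arcgis library: locate the datastore whose connection string matches the rotated key-store entry and build the updated properties with only the ENCRYPTED_PASSWORD field replaced. The sample properties are the ones quoted above (the hex value is a placeholder), and `encrypt` is an assumed callback standing in for whatever server-side encryption step produces the ENCRYPTED_PASSWORD value.

```python
from collections import OrderedDict
from typing import Callable, List, Optional

# Constructed sample, copied from the properties quoted in the post;
# the password value is a placeholder, not a real secret.
SAMPLE_DATASTORE = {
    "path": "/enterpriseDatabases/testDsfunc",
    "type": "egdb",
    "id": "09f91102-4bf0-4161-8c8d-0a8ecc159be7",
    "totalRefCount": 0,
    "info": {
        "dataStoreConnectionType": "shared",
        "isManaged": "false",
        "connectionString": (
            "ENCRYPTED_PASSWORD=<big long hexadecimal>;SERVER=User;"
            "INSTANCE=sde:sqlserver:User;DBCLIENT=sqlserver;"
            "DB_CONNECTION_PROPERTIES=User;DATABASE=dsfunc;USER=sde;"
            "VERSION=sde.DEFAULT;AUTHENTICATION_MODE=DBMS"
        ),
    },
}

def parse_connection_string(conn: str) -> "OrderedDict[str, str]":
    """Split 'KEY=value;KEY=value' into an ordered mapping; order is kept so
    the rebuilt string differs from the original only in the rotated field."""
    pairs = OrderedDict()
    for part in conn.split(";"):
        if part:  # skip empty segments left by a trailing ';'
            key, _, value = part.partition("=")  # values may contain '='
            pairs[key] = value
    return pairs

def find_datastore(datastores: List[dict], server: str, database: str, user: str) -> Optional[dict]:
    """Pick the connection whose SERVER/DATABASE/USER match the key-store entry."""
    for ds in datastores:
        f = parse_connection_string(ds["info"]["connectionString"])
        if (f.get("SERVER"), f.get("DATABASE"), f.get("USER")) == (server, database, user):
            return ds
    return None

def rotated_properties(ds: dict, new_password: str, encrypt: Callable[[str], str]) -> dict:
    """Return a copy of the properties with ENCRYPTED_PASSWORD replaced.
    `encrypt` is an assumed callback; the plaintext never enters the string."""
    fields = parse_connection_string(ds["info"]["connectionString"])
    if "ENCRYPTED_PASSWORD" not in fields:
        raise ValueError("connection string has no ENCRYPTED_PASSWORD field")
    fields["ENCRYPTED_PASSWORD"] = encrypt(new_password)
    updated = {**ds, "info": {**ds["info"]}}  # leave the original dict untouched
    updated["info"]["connectionString"] = ";".join(f"{k}={v}" for k, v in fields.items())
    return updated
```

The returned dict is what would be handed to the datastore's existing update method once a real encryption step is available.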

5 Comments
BillMitchell

Looking through some logs, I found hits against a /arcgis/admin/publickey endpoint.  This may well be part of what is needed to encrypt the password, as it would provide asymmetric encryption specific to the server being contacted and security in line with common practices around encrypting passwords.  The documentation on this endpoint (https://developers.arcgis.com/rest/enterprise-administration/server/publickey.htm) suggests RSA encryption.  That said, there is also mention that tokens are encrypted via AES (symmetric encryption), and that the key can be set/retrieved somewhere: https://enterprise.arcgis.com/en/server/latest/administer/linux/about-arcgis-tokens.htm, and it is possible that the publickey is needed to securely exchange a symmetric key that is then used to encrypt the password.


BillMitchell

I continue to have a need for good password rotation tools.  This really shouldn't be too hard to implement as part of the arcgis python library.

Despite the lofty aims mentioned in the security page of the trust center, it is quite difficult and cumbersome to rotate passwords that ArcGIS Server uses to access its data.  The administrative task of changing a password used to connect to a database shouldn't require a licensed Esri server/desktop installation running the arcpy library.

AndreLoerch

@BillMitchell  Were you able to find a solution to this? We are interested in the exact same sort of solution for the exact same reasons. 

BillMitchell

We are still waiting for this feature.  Hopefully it would be coming out with 11.3 this summer, but I haven't heard that is the case.  It feels like it should be an easy lift, though, with access to the code behind how the SDE file is generated.  Or even to have it handled server-side.  Lots of ways to do it, many of which make sense and shouldn't be too hard.

BillMitchell

Actually, I was only mostly correct in that response.  We submitted an enhancement request, ENH-000164106.  It is still listed as "open"; you might contact support to let them know you are also interested in that enhancement.