From 577e25a7f25f9e9cbeed161a80f6c5535ebeefd9 Mon Sep 17 00:00:00 2001
From: Christine Banek <cbanek@lsst.org>
Date: Thu, 9 Jan 2020 12:46:03 -0700
Subject: [PATCH 1/2] [DM-22959] Remove group for logControl

With this group here, and no authorizer, this means no one can
alter the log settings.  This needs to be moved over to a better
way of controlling this via secrets, but this is the first step.
---
 src/main/webapp/WEB-INF/web.xml | 8 --------
 1 file changed, 8 deletions(-)

diff --git a/src/main/webapp/WEB-INF/web.xml b/src/main/webapp/WEB-INF/web.xml
index 7c727d9..3cb9363 100644
--- a/src/main/webapp/WEB-INF/web.xml
+++ b/src/main/webapp/WEB-INF/web.xml
@@ -24,14 +24,6 @@
                 ca.nrc.cadc.uws
             </param-value>
         </init-param>
-        <init-param>
-            <param-name>logAccessGroup</param-name>
-            <param-value>CADC</param-value>
-        </init-param>
-        <!--<init-param>-->
-        <!--<param-name>groupAuthorizer</param-name>-->
-        <!--<param-value>ca.nrc.cadc.auth.CADCGroupAuthorizer</param-value>-->
-        <!--</init-param>-->
         <load-on-startup>1</load-on-startup>
     </servlet>
 

From ee696cbcaa22291a020618082d0cc3fea38bc225 Mon Sep 17 00:00:00 2001
From: Christine Banek <cbanek@lsst.org>
Date: Thu, 9 Jan 2020 13:12:27 -0700
Subject: [PATCH 2/2] [DM-22959] Configure properties file for authorized users
 and groups

If it doesn't exist, it should just print out a warning but be fine.
This should come from a secret, and /etc/creds is a path that is
generated from the vault-secret.
---
 docker/docker-compose.yml       | 2 +-
 src/main/webapp/WEB-INF/web.xml | 4 ++++
 2 files changed, 5 insertions(+), 1 deletion(-)

diff --git a/docker/docker-compose.yml b/docker/docker-compose.yml
index 8f67f51..b15ff11 100644
--- a/docker/docker-compose.yml
+++ b/docker/docker-compose.yml
@@ -22,7 +22,7 @@ services:
     networks:
       - tap-network
     environment:
-      CATALINA_OPTS: "-Dqservuser.jdbc.username=qsmaster -Dqservuser.jdbc.password= -Dqservuser.jdbc.driverClassName=com.mysql.cj.jdbc.Driver -Dqservuser.jdbc.url=jdbc:mysql://mock-qserv:3306/ -Dtapuser.jdbc.username=TAP_SCHEMA -Dtapuser.jdbc.password=TAP_SCHEMA -Dtapuser.jdbc.driverClassName=com.mysql.cj.jdbc.Driver -Dtapuser.jdbc.url=jdbc:mysql://tap-schema-db:3306/ -Dca.nrc.cadc.reg.client.RegistryClient.local=true -Duws.jdbc.username=postgres -Duws.jdbc.driverClassName=org.postgresql.Driver -Duws.jdbc.url=jdbc:postgresql://uws-db/ -Dca.nrc.cadc.auth.Authenticator=org.opencadc.tap.impl.AuthenticatorImpl"
+      CATALINA_OPTS: "-Dqservuser.jdbc.username=qsmaster -Dqservuser.jdbc.password= -Dqservuser.jdbc.driverClassName=com.mysql.cj.jdbc.Driver -Dqservuser.jdbc.url=jdbc:mysql://mock-qserv:3306/ -Dtapuser.jdbc.username=TAP_SCHEMA -Dtapuser.jdbc.password=TAP_SCHEMA -Dtapuser.jdbc.driverClassName=com.mysql.cj.jdbc.Driver -Dtapuser.jdbc.url=jdbc:mysql://tap-schema-db:3306/ -Dca.nrc.cadc.reg.client.RegistryClient.local=true -Duws.jdbc.username=postgres -Duws.jdbc.driverClassName=org.postgresql.Driver -Duws.jdbc.url=jdbc:postgresql://uws-db/ -Dca.nrc.cadc.auth.Authenticator=org.opencadc.tap.impl.AuthenticatorImpl -Dca.nrc.cadc.util.PropertiesReader.dir=/etc/creds/"
       GOOGLE_APPLICATION_CREDENTIALS: "/etc/google_creds.json"
     volumes:
       - './google_creds.json:/etc/google_creds.json'
diff --git a/src/main/webapp/WEB-INF/web.xml b/src/main/webapp/WEB-INF/web.xml
index 3cb9363..1e5847c 100644
--- a/src/main/webapp/WEB-INF/web.xml
+++ b/src/main/webapp/WEB-INF/web.xml
@@ -24,6 +24,10 @@
                 ca.nrc.cadc.uws
             </param-value>
         </init-param>
+        <init-param>
+            <param-name>logControlProperties</param-name>
+            <param-value>logcontrol.properties</param-value>
+        </init-param>
         <load-on-startup>1</load-on-startup>
     </servlet>