apache: Create individual user accounts instead of sharing scrape #142

docs/develop/update/apache.rst

@@ -93,8 +93,7 @@ Add basic authentication
         sites:
           SITE:
             htpasswd:
-              name: NAME
-              password: PASSWORD
+              NAME: PASSWORD
 
    This will add the user to the ``/etc/apache2/.htpasswd-SITE`` file.
 
@@ -127,7 +126,7 @@ Add basic authentication
 
 .. note::
 
-   Only one htpasswd user is permitted per site, but this can be changed.
+   To delete an htpasswd entry, :ref:`follow these instructions<delete-htpasswd-entry>`.
 
 .. _ssl-certificates:
 

docs/develop/update/delete.rst

@@ -143,6 +143,26 @@ Delete an Apache module
 
 #. Remove the temporary state
 
+.. _delete-htpasswd-entry:
+
+Delete an htpasswd entry
+------------------------
+
+#. Add a temporary state, for example:
+
+   .. code-block:: yaml
+
+      scrape:
+        webutil.user_absent
+
+#. Run the temporary state, for example:
+
+   .. code-block:: bash
+
+      ./run.py 'kingfisher-process' state.sls_id scrape core
+
+#. Remove the temporary state
+
 .. _delete-virtual-host:
 
 Delete a virtual host
@@ -157,3 +177,23 @@ Run, for example:
    ./run.py 'cove-ocds' file.remove /etc/apache2/sites-available/cove.conf.include
 
 A temporary ``apache_site.disabled`` state can be used instead of removing the file in the ``sites-enabled`` directory.
+
+.. _delete-postgresql-user:
+
+Delete a PostgreSQL user
+------------------------
+
+#. Add a temporary state, for example:
+
+   .. code-block:: yaml
+
+      delete-USER:
+        postgres_user.absent
+
+#. Run the temporary state, for example:
+
+   .. code-block:: bash
+
+      ./run.py 'kingfisher-process' state.sls_id delete-USER postgres
+
+#. Remove the temporary state

docs/develop/update/postgres.rst

@@ -78,6 +78,10 @@ To configure the database for an application:
 
 #. Add the private Pillar file to the top file entry for the application.
 
+.. note::
+
+   To delete a PostgreSQL user, :ref:`follow these instructions<delete-postgresql-user>`.
+
 .. _pg-add-configuration:
 
 Configure PostgreSQL

docs/use/kingfisher-collect.rst

@@ -23,7 +23,7 @@ Access Scrapyd's web interface
 
 .. admonition:: One-time setup
 
-   Save the username (``scrape``) and the password (ask a colleague) in your password manager. (If you have access, the password is the value of the ``kingfisher_collect.web.password`` key in the ``pillar/private/kingfisher.sls`` file.)
+   Request a username and password from James or Yohanna. (They will add a key-value pair under the ``apache.sites.ocdskingfisherscrape.htpasswd`` key in the ``pillar/private/kingfisher_process.sls`` file.)
 
 Open https://collect.kingfisher.open-contracting.org to view the statuses and logs of crawls.
 

requirements.in

@@ -11,4 +11,5 @@ pytest
 # On macOS, install the version of cryptography in requirements.txt with, for example:
 # https://github.com/saltstack/salt/issues/63191
 #
-# env LDFLAGS=-L$(brew --prefix openssl@3)/lib CFLAGS="-I$(brew --prefix openssl@3)/include -Wno-error=implicit-function-declaration" pip install --no-binary :all: cryptography==3.3.2
+# env LDFLAGS=-L$(brew --prefix openssl@3)/lib CFLAGS="-I$(brew --prefix openssl@3)/include \
+#   -Wno-error=implicit-function-declaration" pip install --no-binary :all: cryptography==3.3.2

salt/lib.sls

@@ -120,14 +120,14 @@ enable site {{ name }}.conf:
     - watch_in:
       - module: apache2-reload
 
-{% if 'htpasswd' in entry %}
-add .htpasswd-{{ name }}:
+{% for username, password in entry.get('htpasswd', {}).items() %}
+add .htpasswd-{{ name }}-{{ username }}:
   webutil.user_exists:
-    - name: {{ entry.htpasswd.name }}
-    - password: {{ entry.htpasswd.password }}
+    - name: {{ username }}
+    - password: {{ password }}
     - htpasswd_file: /etc/apache2/.htpasswd-{{ name }}
     - update: True
     - require:
       - pkg: apache2
-{% endif %}
+{% endfor %}
 {% endmacro %}