taler-docs

Documentation for GNU Taler components, APIs and protocols

commit d27be298fbbc186fc2c96d5ad74a74c557603051
parent ce6f02324134436a5ddb5875ca1259a66168e135
Author: Florian Dold <florian@dold.me>
Date:   Sun, 24 Jan 2021 16:04:41 +0100

mention caveats

Diffstat:
M libeufin/nexus-tutorial.rst | 20 ++++++++++++++++----
1 file changed, 16 insertions(+), 4 deletions(-)

diff --git a/libeufin/nexus-tutorial.rst b/libeufin/nexus-tutorial.rst @@ -190,10 +190,21 @@ Use the following command to run the nexus service: $ libeufin-nexus serve --port 5001 By default, the SQLite3 database ``/tmp/libeufin-nexus.sqlite3`` will be used. +The database can be specified as a JDBC connection URI with the +``--db-conn-string=$DBCONN`` option. Only *SQLite* and *PostgreSQL (only via +TCP)* are supported right now. + +.. warning:: + + For production-grade deployments of LibEuFin, we do not recommend specifying the + secret database credentials via command line arguments, as can will expose + those credentials to other users. + + Instead, the DB connection string should be specified in an environment variable + (which can be set in the systemd unit via an ``EnvironmentFile`` option) + once LibEuFin supports this (see the corresponding + `bug tracker entry <https://bugs.gnunet.org/view.php?id=6720>`__). -We recommend using the ``--db-conn-string=$DBCONN`` option. It instructs Nexus -to reach the database addressed by the JDBC connection URI. Only *SQLite* and -*PostgreSQL (only via TCP)* are supported right now. For example: @@ -212,7 +223,8 @@ to create less privileged users is offered. .. note:: - Privilege separation is not fully implemented yet. + User and permissions management in LibEuFin is still under development. + In particular, permissions for non-superusers are very limited at the moment. The command line interface needs the following three values to be defined in the environment: ``LIBEUFIN_NEXUS_URL``, ``LIBEUFIN_NEXUS_USERNAME``,
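Review bot: In the first hunk (@@ -190,10 +190,21 @@), the added warning contains a typo, "as can will expose those credentials to other users", which should read "as this will expose those credentials to other users". The warning would also be more useful if it said how the exposure happens: command line arguments of a running process are visible to other local users through the process list (for example ``ps`` or ``/proc/<pid>/cmdline``). Since the recommended alternative (an environment variable set via ``EnvironmentFile``) is described as not yet supported, the text leaves production operators without a usable option today; consider saying explicitly what to do in the meantime, or stating that production deployments with a password-bearing connection string should wait for the linked bug to be resolved.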
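Review bot: In the second hunk (@@ -212,7 +223,8 @@), the new sentence "permissions for non-superusers are very limited at the moment" is ambiguous: it can be read as "non-superusers can do very little" or as "the permission system itself enforces very little". The removed line, "Privilege separation is not fully implemented yet", made the security-relevant point more directly. Consider rewording so the note states plainly whether non-superuser accounts can currently be relied on as an isolation boundary, so readers do not assume that creating a less privileged user restricts access.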