Description
Contact Details
This bug is related to UI or API?
API
What happened?
After changing the default database password from 123456 to something else, I started seeing errors in oneterm-acl-api and oneterm-api failed to start.
I spent a full day debugging why acl-api in Docker-Compose would always fail with:
OperationalError: (1045, "Access denied for user 'acl'@'172.30.0.5'")
— even after correctly setting DB_USER, DB_PASSWORD, etc. in environment: and/or env_file:.
Turns out settings.py has its SQLAlchemy URIs hardcoded as:
SQLALCHEMY_DATABASE_URI = 'mysql+pymysql://acl:123456@mysql:3306/acl?charset=utf8'
SQLALCHEMY_BINDS = {
    "user": 'mysql+pymysql://acl:123456@mysql:3306/acl?charset=utf8'
}
so all incoming DB_* or SQLALCHEMY_DATABASE_URI environment variables are simply ignored.
Environment-based configuration (DB_HOST, DB_PASSWORD, SQLALCHEMY_DATABASE_URI) should override any defaults in settings.py.
Following the “Docker one-click” guide and injecting credentials via env_file: or environment: should work out of the box.
Steps to reproduce
1. Clone the repo.
2. In docker-compose.yaml, config.yaml and create-users.sql, replace the default password 123456 with a new value.
3. Run docker-compose up -d following the documented flow.
4. Observe that oneterm-acl-api fails with an Access Denied (1045) error and oneterm-api never becomes healthy.
Version
newest
What browsers are you seeing the problem on?
No response
Relevant log output
oneterm-acl-api:
sqlalchemy.exc.OperationalError: (pymysql.err.OperationalError) (1045, "Access denied for user 'acl'@'172.30.0.5' (using password: YES)")
(Background on this error at: https://sqlalche.me/e/14/e3q8)
[2025-08-06 19:38:19,265] ERROR in click_common_setting: init 全公司 err:
2025-08-06 19:38:19,265 ERROR /data/apps/acl/api/commands/click_common_setting.py 122 - init 全公司 err:
[2025-08-06 19:38:19,266] ERROR in click_common_setting: (pymysql.err.OperationalError) (1045, "Access denied for user 'acl'@'172.30.0.5' (using password: YES)")
(Background on this error at: https://sqlalche.me/e/14/e3q8)
2025-08-06 19:38:19,266 ERROR /data/apps/acl/api/commands/click_common_setting.py 123 - (pymysql.err.OperationalError) (1045, "Access denied for user 'acl'@'172.30.0.5' (using password: YES)")
(Background on this error at: https://sqlalche.me/e/14/e3q8)
Traceback (most recent call last):
File "/usr/local/lib/python3.8/site-packages/sqlalchemy/engine/base.py", line 3371, in _wrap_pool_connect
return fn()
File "/usr/local/lib/python3.8/site-packages/sqlalchemy/pool/base.py", line 327, in connect
return _ConnectionFairy._checkout(self)
File "/usr/local/lib/python3.8/site-packages/sqlalchemy/pool/base.py", line 894, in _checkout
fairy = _ConnectionRecord.checkout(pool)
File "/usr/local/lib/python3.8/site-packages/sqlalchemy/pool/base.py", line 493, in checkout
rec = pool._do_get()
File "/usr/local/lib/python3.8/site-packages/sqlalchemy/pool/impl.py", line 146, in _do_get
self._dec_overflow()
File "/usr/local/lib/python3.8/site-packages/sqlalchemy/util/langhelpers.py", line 70, in __exit__
compat.raise_(
File "/usr/local/lib/python3.8/site-packages/sqlalchemy/util/compat.py", line 211, in raise_
raise exception
File "/usr/local/lib/python3.8/site-packages/sqlalchemy/pool/impl.py", line 143, in _do_get
return self._create_connection()
File "/usr/local/lib/python3.8/site-packages/sqlalchemy/pool/base.py", line 273, in _create_connection
return _ConnectionRecord(self)
File "/usr/local/lib/python3.8/site-packages/sqlalchemy/pool/base.py", line 388, in __init__
self.__connect()
File "/usr/local/lib/python3.8/site-packages/sqlalchemy/pool/base.py", line 691, in __connect
pool.logger.debug("Error on connect(): %s", e)
File "/usr/local/lib/python3.8/site-packages/sqlalchemy/util/langhelpers.py", line 70, in __exit__
compat.raise_(
File "/usr/local/lib/python3.8/site-packages/sqlalchemy/util/compat.py", line 211, in raise_
raise exception
File "/usr/local/lib/python3.8/site-packages/sqlalchemy/pool/base.py", line 686, in __connect
self.dbapi_connection = connection = pool._invoke_creator(self)
File "/usr/local/lib/python3.8/site-packages/sqlalchemy/engine/create.py", line 574, in connect
return dialect.connect(*cargs, **cparams)
File "/usr/local/lib/python3.8/site-packages/sqlalchemy/engine/default.py", line 598, in connect
return self.dbapi.connect(*cargs, **cparams)
File "/usr/local/lib/python3.8/site-packages/pymysql/connections.py", line 358, in __init__
self.connect()
File "/usr/local/lib/python3.8/site-packages/pymysql/connections.py", line 664, in connect
self._request_authentication()
File "/usr/local/lib/python3.8/site-packages/pymysql/connections.py", line 976, in _request_authentication
auth_packet = _auth.caching_sha2_password_auth(self, auth_packet)
File "/usr/local/lib/python3.8/site-packages/pymysql/_auth.py", line 267, in caching_sha2_password_auth
pkt = _roundtrip(conn, data)
File "/usr/local/lib/python3.8/site-packages/pymysql/_auth.py", line 120, in _roundtrip
pkt = conn._read_packet()
File "/usr/local/lib/python3.8/site-packages/pymysql/connections.py", line 772, in _read_packet
packet.raise_for_error()
File "/usr/local/lib/python3.8/site-packages/pymysql/protocol.py", line 221, in raise_for_error
err.raise_mysql_exception(self._data)
File "/usr/local/lib/python3.8/site-packages/pymysql/err.py", line 143, in raise_mysql_exception
raise errorclass(errno, errval)
pymysql.err.OperationalError: (1045, "Access denied for user 'acl'@'172.30.0.5' (using password: YES)")
oneterm-api:
2025-08-06 19:39:19.996 fatal get resource type failed {"error": "(pymysql.err.OperationalError) (1045, \"Access denied for user 'acl'@'172.30.0.5' (using password: YES)\")\n(Background on this error at: https://sqlalche.me/e/14/e3q8)"}
Available clients: redis-cli, mysql/mariadb, psql, mongo/mongosh
2025-08-06 19:39:38.105 info Starting scheduler with configuration {"connectable_check_interval": 1800, "config_update_interval": 300, "batch_size": 50, "concurrent_workers": 10}
2025-08-06 19:39:38.323 info Starting V1 to V2 authorization migration
2025-08-06 19:39:38.324 info Migration already completed, skipping
2025-08-06 19:39:38.324 info Starting node authorization V1 to V2 migration
2025-08-06 19:39:38.325 info Found nodes for migration {"count": 0}
2025-08-06 19:39:38.325 info Node authorization migration completed {"migratedCount": 0, "totalNodes": 0}
2025-08-06 19:39:38.325 info Starting initialization of predefined dangerous commands
2025-08-06 19:39:38.326 debug Predefined command already exists, skipping {"name": "Delete root directory"}
2025-08-06 19:39:38.327 debug Predefined command already exists, skipping {"name": "Delete system directories"}
2025-08-06 19:39:38.328 debug Predefined command already exists, skipping {"name": "Disk destruction operations"}
2025-08-06 19:39:38.329 debug Predefined command already exists, skipping {"name": "Format disk"}
2025-08-06 19:39:38.329 debug Predefined command already exists, skipping {"name": "Fork bomb"}
2025-08-06 19:39:38.330 debug Predefined command already exists, skipping {"name": "System reboot shutdown"}
2025-08-06 19:39:38.331 debug Predefined command already exists, skipping {"name": "Modify critical system files"}
2025-08-06 19:39:38.332 debug Predefined command already exists, skipping {"name": "Drop database"}
2025-08-06 19:39:38.333 debug Predefined command already exists, skipping {"name": "Truncate table data"}
2025-08-06 19:39:38.334 debug Predefined command already exists, skipping {"name": "Modify user permissions"}
2025-08-06 19:39:38.335 debug Predefined command already exists, skipping {"name": "Drop table"}
2025-08-06 19:39:38.336 debug Predefined command already exists, skipping {"name": "Service control commands"}
2025-08-06 19:39:38.337 debug Predefined command already exists, skipping {"name": "Network configuration modification"}
2025-08-06 19:39:38.338 debug Predefined command already exists, skipping {"name": "User management"}
2025-08-06 19:39:38.338 debug Predefined command already exists, skipping {"name": "Kernel module operations"}
2025-08-06 19:39:38.339 debug Predefined template already exists, skipping {"name": "Basic Security Protection"}
2025-08-06 19:39:38.340 debug Predefined template already exists, skipping {"name": "Production Database Protection"}
2025-08-06 19:39:38.341 debug Predefined template already exists, skipping {"name": "System Service Control Restrictions"}
2025-08-06 19:39:38.341 debug Predefined template already exists, skipping {"name": "Network Security Control"}
2025-08-06 19:39:38.342 debug Predefined template already exists, skipping {"name": "Development Environment Basic Restrictions"}
2025-08-06 19:39:38.342 info Predefined dangerous commands initialization completed successfully
2025-08-06 19:39:38.356 error github.com/veops/oneterm/pkg/remote.GetAclToken failed {"url": "http://acl-api:5000/api/v1/acl/apps/token", "req": "{\"app_id\":\"5867e079dfd1437e9ae07576ab24b391\",\"secret_key\":\"65d34ec2a5e42add26741a7b487020a8\"}", "resp": "{\n \"message\": \"(pymysql.err.OperationalError) (1045, \\\"Access denied for user 'acl'@'172.30.0.5' (using password: YES)\\\")\\n(Background on this error at: https://sqlalche.me/e/14/e3q8)\"\n}"}
2025-08-06 19:39:38.356 fatal get resource type failed {"error": "(pymysql.err.OperationalError) (1045, \"Access denied for user 'acl'@'172.30.0.5' (using password: YES)\")\n(Background on this error at: https://sqlalche.me/e/14/e3q8)"}
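
One way a settings.py could honour the environment variables named in this report, as an added example that is not the project's own code. The helper names `build_db_uri`, `redact` and `settings_from_env`, and the variables `DB_PORT` and `DB_NAME`, are assumptions; the password is percent-encoded so special characters survive URI parsing, and a missing password stops startup rather than falling back to a built-in default.

```python
import os
from urllib.parse import quote_plus, urlsplit, urlunsplit


def build_db_uri(env=None):
    """Return the SQLAlchemy URI, preferring the environment over defaults."""
    env = os.environ if env is None else env

    # A complete URI supplied by the operator wins outright.
    explicit = env.get("SQLALCHEMY_DATABASE_URI")
    if explicit:
        return explicit

    # Otherwise assemble the URI from DB_* parts. No default password exists:
    # an unset DB_PASSWORD is a deployment error, not a reason to use 123456.
    password = env.get("DB_PASSWORD")
    if not password:
        raise RuntimeError("DB_PASSWORD is not set; no built-in default is used")

    user = env.get("DB_USER", "acl")
    host = env.get("DB_HOST", "mysql")
    port = int(env.get("DB_PORT", "3306"))   # DB_PORT is an assumed name
    name = env.get("DB_NAME", "acl")         # DB_NAME is an assumed name

    # quote_plus keeps characters such as @ : / in a password from being
    # parsed as URI delimiters.
    return "mysql+pymysql://{}:{}@{}:{}/{}?charset=utf8".format(
        quote_plus(user), quote_plus(password), host, port, name)


def redact(uri):
    """Mask the password so the effective URI can be logged at startup."""
    parts = urlsplit(uri)
    if parts.password is None:
        return uri
    userinfo, _, hostport = parts.netloc.rpartition("@")
    user = userinfo.split(":", 1)[0]
    return urlunsplit(parts._replace(netloc="{}:***@{}".format(user, hostport)))


def settings_from_env(env=None):
    """Build both settings shown in the report from a single source."""
    uri = build_db_uri(env)
    return {"SQLALCHEMY_DATABASE_URI": uri, "SQLALCHEMY_BINDS": {"user": uri}}


if __name__ == "__main__":
    sample = {"DB_PASSWORD": "p@ss/w:rd"}    # constructed sample environment
    print(redact(settings_from_env(sample)["SQLALCHEMY_DATABASE_URI"]))
```

Logging the redacted URI at startup shows which host, user and database the service actually resolved, which makes an ignored variable visible before the first 1045 error.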