Add support for META_PASSWORD_FILE (#6438)

Author: eakman-datadog

docs/en/administration/metadata/mysql_best_practices.md

@@ -21,6 +21,13 @@ export META_PASSWORD=mypassword
 juicefs mount -d "mysql://user:@(192.168.1.6:3306)/juicefs" /mnt/jfs
 ```
 
+Similarly, `META_PASSWORD_FILE` can be used to provide the database password as a file:
+
+```shell
+export META_PASSWORD_FILE=/secret/mypassword.txt
+juicefs mount -d "mysql://user:@(192.168.1.6:3306)/juicefs" /mnt/jfs
+```
+
 ## Database connection control
 
 MySQL is a multiple threads database, every client connection need a dedicate server thread, limition of total connections and new connects are prefered. JuiceFS now provides the following options for better control of the connections:

docs/en/administration/metadata/postgresql_best_practices.md

@@ -28,7 +28,12 @@ export META_PASSWORD=mypassword
 juicefs mount -d "postgres://[email protected]:5432/juicefs" /mnt/jfs
 ```
 
-## Database connection control
+Similarly, `META_PASSWORD_FILE` can be used to provide the database password as a file:
+
+```shell
+export META_PASSWORD_FILE=/secret/mypassword.txt
+juicefs mount -d "postgres://[email protected]:5432/juicefs" /mnt/jfs
+```
 
 PostgreSQL is a multiple process database, every client connection need a dedicate server process, limition of total connections and new connects are prefered. JuiceFS now provides the following options for better control of the connections:
 

docs/en/reference/command_reference.mdx

@@ -151,6 +151,8 @@ juicefs format redis://localhost myjfs --storage=s3 --bucket=https://mybucket.s3
 juicefs format mysql://jfs:mypassword@(127.0.0.1:3306)/juicefs myjfs
 # A safer alternative
 META_PASSWORD=mypassword juicefs format mysql://jfs:@(127.0.0.1:3306)/juicefs myjfs
+# Provide password from file
+META_PASSWORD_FILE=/secret/mypassword.txt juicefs format mysql://jfs:@(127.0.0.1:3306)/juicefs myjfs
 
 # Create a volume with quota enabled
 juicefs format sqlite3://myjfs.db myjfs --inodes=1000000 --capacity=102400

docs/en/reference/how_to_set_up_metadata_engine.md

@@ -83,6 +83,12 @@ For security purposes, it is recommended to pass the password using the environm
 export META_PASSWORD=mypassword
 ```
 
+Similarly, the password can be provided from a file using:
+
+```shell
+export META_PASSWORD_FILE=/secret/mypassword.txt
+```
+
 Then there is no need to set a password in the metadata URL.
 
 ```shell
@@ -108,6 +114,13 @@ export META_PASSWORD=mypassword
 juicefs mount -d "redis://192.168.1.6:6379/1" /mnt/jfs
 ```
 
+Similarly, the password can be provided from a file using as follows:
+
+```shell
+export META_PASSWORD_FILE=/secret/mypassword.txt
+juicefs mount -d "redis://192.168.1.6:6379/1" /mnt/jfs
+```
+
 #### Set up TLS
 
 JuiceFS supports both TLS server-side encryption authentication and mTLS mutual encryption authentication connections to Redis. When connecting to Redis via TLS or mTLS, use the `rediss://` protocol header. However, when using TLS server-side encryption authentication, it is not necessary to specify the client certificate and private key.
@@ -503,6 +516,17 @@ juicefs format \
     pics
 ```
 
+Or equivalently:
+
+```shell
+export META_PASSWORD_FILE="/secret/mypassword.txt"
+juicefs format \
+    --storage s3 \
+    ... \
+    "mysql://user@(192.168.1.6:3306)/juicefs" \
+    pics
+```
+
 To connect to a TLS enabled MySQL server, pass the `tls=true` parameter (or `tls=skip-verify` if using a self-signed certificate):
 
 ```shell
@@ -526,6 +550,13 @@ export META_PASSWORD="mypassword"
 juicefs mount -d "mysql://user@(192.168.1.6:3306)/juicefs" /mnt/jfs
 ```
 
+Passing the password using a file is also supported as follows:
+
+```shell
+export META_PASSWORD_FILE="/secret/mypassword.txt"
+juicefs mount -d "mysql://user@(192.168.1.6:3306)/juicefs" /mnt/jfs
+```
+
 To connect to a TLS enabled MySQL server, pass the `tls=true` parameter (or `tls=skip-verify` if using a self-signed certificate):
 
 ```shell
@@ -586,6 +617,17 @@ juicefs format \
     pics
 ```
 
+The password can also be passed using a file as follows:
+
+```shell
+export META_PASSWORD_FILE="/secret/mypassword.txt"
+juicefs format \
+    --storage s3 \
+    ... \
+    "postgres://[email protected]:5432/juicefs" \
+    pics
+```
+
 :::note
 
 1. JuiceFS uses public [schema](https://www.postgresql.org/docs/current/ddl-schemas.html) by default, if you want to use a `non-public schema`,  you need to specify `search_path` in the connection string parameter. e.g `postgres://user:[email protected]:5432/juicefs?search_path=pguser1`
@@ -608,6 +650,13 @@ export META_PASSWORD="mypassword"
 juicefs mount -d "postgres://[email protected]:5432/juicefs" /mnt/jfs
 ```
 
+Passing a password using a file is also supported as follows:
+
+```shell
+export META_PASSWORD_FILE="/secret/mypassword.txt"
+juicefs mount -d "postgres://[email protected]:5432/juicefs" /mnt/jfs
+```
+
 #### Troubleshooting
 
 The JuiceFS client connects to PostgreSQL via SSL encryption by default. If you encountered an error saying `pq: SSL is not enabled on the server`, you need to enable SSL encryption for PostgreSQL according to your own business scenario, or you can disable it by adding a parameter to the metadata URL Validation.

pkg/meta/interface.go

@@ -539,7 +539,7 @@ func Register(name string, register Creator) {
 	metaDrivers[name] = register
 }
 
-func setPasswordFromEnv(uri string) (string, error) {
+func injectPasswordIntoURI(uri, password string) (string, error) {
 	atIndex := strings.LastIndex(uri, "@")
 	if atIndex == -1 {
 		return "", fmt.Errorf("invalid uri: %s", uri)
@@ -554,10 +554,37 @@ func setPasswordFromEnv(uri string) (string, error) {
 	if len(s) == 2 && s[1] != "" {
 		return uri, nil
 	}
-	pwd := url.UserPassword("", os.Getenv("META_PASSWORD")) // escape only password
+	pwd := url.UserPassword("", password) // escape only password
 	return uri[:dIndex] + s[0] + pwd.String() + uri[atIndex:], nil
 }
 
+func readPasswordFromFile(filePath string) (string, error) {
+	content, err := os.ReadFile(filePath)
+	if err != nil {
+		return "", fmt.Errorf("failed to read password file %s: %w", filePath, err)
+	}
+	return strings.TrimSpace(string(content)), nil
+}
+
+func setPasswordFromEnv(uri string) (string, error) {
+	var password string
+	var err error
+
+	if metaPassword := os.Getenv("META_PASSWORD"); metaPassword != "" {
+		password = metaPassword
+	} else if passwordFile := os.Getenv("META_PASSWORD_FILE"); passwordFile != "" {
+		password, err = readPasswordFromFile(passwordFile)
+		if err != nil {
+			return "", err
+		}
+	} else {
+		// No password source available, return original URI
+		return uri, nil
+	}
+
+	return injectPasswordIntoURI(uri, password)
+}
+
 // NewClient creates a Meta client for given uri.
 func NewClient(uri string, conf *Config) Meta {
 	var err error
@@ -569,7 +596,7 @@ func NewClient(uri string, conf *Config) Meta {
 		logger.Fatalf("invalid uri: %s", uri)
 	}
 	driver := uri[:p]
-	if os.Getenv("META_PASSWORD") != "" && (driver == "mysql" || driver == "postgres") {
+	if driver == "mysql" || driver == "postgres" {
 		if uri, err = setPasswordFromEnv(uri); err != nil {
 			logger.Fatalf(err.Error())
 		}