security: drop unused MINIO_* env vars from backend service #36

Merged: gordonmurray merged 1 commit into main from security/drop-unused-backend-env-vars on Apr 15, 2026

@gordonmurray
Owner

Closes #27.

What

  • Removes `MINIO_ENDPOINT` / `MINIO_ACCESS_KEY` / `MINIO_SECRET_KEY` from the backend service in `docker-compose.yml`. The backend never read them — see `grep -n 'MINIO_' backend/main.py`, no matches.
  • Adds a Credential Model section to the README documenting:
    • User query credentials are passed per-request in the API body, applied to a short-lived in-memory DuckDB session, and discarded on connection close. Never env, never disk, never logged.
    • Self-hosters should use Docker secrets (`*_FILE` convention) for any service-level creds they add — links to the Docker docs.
    • The bundled demo MinIO uses plain env vars for the public `cloudfloe` / `cloudfloe123` defaults; that pattern is for demo convenience only and shouldn't be copied for production.
  • Tidied the README by removing all horizontal-rule separators — the section headings already provide structure.

Why this scope

The original issue text was inherited from a CLAUDE.md note about credentials leaking via `docker inspect`. On audit that risk only exists in the commercial product (cloudfloe.com), not OSS — OSS user creds were never in env vars. So the right fix here is removing dead surface (the unused vars) and documenting the model, rather than retrofitting Docker secrets onto demo creds that are public anyway.

Verified end-to-end as a first-time user

`docker compose down -v && docker compose up --build`, then via the actual UI in a real (headless) Chrome:

  1. Open http://localhost:3000 — page loads, all assets 200, no console errors
  2. Pick MinIO, fill table path + demo creds + endpoint, click Test Connection
  3. → "Connection successful" + tableInfo panel: Format iceberg-v2 | Rows 37,537 | Files 1 | Last snapshot 2m ago
  4. Suggested query auto-loads in the editor
  5. Click Run Query → "Query completed in 94ms", 10 rows of real movie data rendered

Side finding (not in this PR)

During the e2e test I caught a real first-time-user bug: switching the Storage Type dropdown to MinIO sets the endpoint placeholder but not the value, so a clicker who doesn't notice the difference gets 400 from AWS. Filed as #35 — easy fix, separate scope.

The backend service had MINIO_ENDPOINT / MINIO_ACCESS_KEY /
MINIO_SECRET_KEY in its env block but never read them — credentials
arrive per-request in the API body and are applied to a short-lived
in-memory DuckDB session. The env vars existed only as leak surface
visible via 'docker inspect'.

Replaced with a comment pointing readers at the new README section.

Also adds a 'Credential Model' section to the README spelling out how
user query credentials flow through the backend (per-request, in-memory,
never persisted) and recommends Docker secrets / IAM roles for any
service-level credentials self-hosters add later.

Tidied up the README at the same time — removed all horizontal-rule
separators since the section headings already provide the visual breaks.

Closes #27
@gordonmurray gordonmurray merged commit 7210b66 into main Apr 15, 2026
4 checks passed
@gordonmurray gordonmurray deleted the security/drop-unused-backend-env-vars branch April 15, 2026 19:57
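
The `grep -n 'MINIO_' backend/main.py` check from the description, generalized as an added example (not code from this PR or the project): it lists credential-looking variables a compose service declares in `environment:` that the service's source never references. The compose snippet, the source text, the `SENSITIVE` heuristic and both function names are constructed for illustration.

```python
import re

# Assumed heuristic for "worth auditing" names; adjust to your own conventions.
SENSITIVE = re.compile(r"KEY|SECRET|TOKEN|PASSWORD|ENDPOINT", re.I)

def service_env_vars(compose_text, service):
    """List env var names declared under services.<service>.environment."""
    # Indentation-based reader, not a YAML parser: assumes 2-space indented
    # service names and the "- NAME=value" or "NAME: value" forms.
    names, in_service, env_indent = [], False, None
    for raw in compose_text.splitlines():
        line = raw.split(" #")[0].rstrip()          # drop trailing comments
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        indent = len(line) - len(line.lstrip())
        key = line.strip()
        if indent == 2 and key.endswith(":"):       # next service header
            in_service, env_indent = key[:-1] == service, None
        elif in_service and key == "environment:":
            env_indent = indent
        elif in_service and env_indent is not None:
            if indent <= env_indent:                # left the environment block
                env_indent = None
            else:
                m = re.match(r"-?\s*[\"']?([A-Za-z_][A-Za-z0-9_]*)", key)
                if m:
                    names.append(m.group(1))
    return names

def unused_sensitive_vars(compose_text, service, sources):
    """Sensitive-looking vars declared for the service but absent from its source."""
    declared = [n for n in service_env_vars(compose_text, service) if SENSITIVE.search(n)]
    return [n for n in declared
            if not any(re.search(rf"\b{re.escape(n)}\b", src) for src in sources)]

# Constructed sample input: a backend env block and a source file that ignores it.
COMPOSE = """\
services:
  backend:
    environment:
      - MINIO_ENDPOINT=http://minio:9000
      - MINIO_ACCESS_KEY=cloudfloe
      - MINIO_SECRET_KEY=cloudfloe123
      - LOG_LEVEL=info
    ports:
      - "8000:8000"
"""
MAIN_PY = 'import os\nLOG_LEVEL = os.getenv("LOG_LEVEL", "info")\n'

if __name__ == "__main__":
    print(unused_sensitive_vars(COMPOSE, "backend", [MAIN_PY]))
```

Any name it reports is either dead surface to delete, as this PR did, or a variable consumed somewhere outside the sources you passed in.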

Development

Successfully merging this pull request may close these issues.

security: pass S3 credentials via Docker secrets, not environment variables
