Ability to reload credentials without restart?

Good afternoon all - I hope everyone is enjoying their weekend …

Does anyone know if there’s a way of re-reading a credentials file without restarting Orthanc (and therefore everything else it’s doing)? I keep my credentials in a separate file so that no one needs to touch the main config file, however when I need to update those credentials, I have to restart the Orthanc server completely.

I appreciate that everything gets loaded up into memory once the server starts, but I do wonder if there’s a way of having Orthanc check the hash of a creds file and then, if it differs from the one it’s currently holding in memory, would reload the creds file, replacing its contents with the content it currently holds. That will allow dynamic updating of credentials without restarting the entire server.

My thought process is:

  1. orthanc.json would have a couple of entries in its config file “CredentialsFile” : “cred.json”, “CredentialsFileRead” : “300” denoting the file containing the credentials and the time, in seconds, between each re-read of the file
  2. When Orthanc starts up, it calculates the hash of the CredentialsFile and stores the hash in memory
  3. After CredentialsFileRead seconds, Orthanc calculates the hash of the cred file and compares it with what’s in memory.
  4. If the hash is the same, it waits another (300) seconds.
  5. If the hash is different, it re-reads the creds file and then replaces what’s currently in memory with the contents of the updated file
  6. Wait another (300) seconds

I appreciate that there’s going to be a balance between the cycles it takes re-reading the file versus calculating the hash, so perhaps there’s a better way of checking the file (maybe the modified timestamp of the file itself would be enough?)

If this could happen, then it could also apply to re-reading other security-related files, such as the combined client TLS certificates file - same thing applies really.

Thoughts?

My thought process here is that it enables interaction with other systems: if they update the credentials file through their own mechanism, knowing that Orthanc would apply those changes within a defined period…

Hello,

I don’t think this is a desirable feature to be put in the core of Orthanc.

Orthanc is designed as a microservice, and user authentication should be handled at a higher level. The best solution would be to have a PHP/Django/whatever… Web application that manages the users and that has a single, privileged access to the REST API of Orthanc (with an “admin” user) to act as a proxy.

Note that if you need a more flexible authorization scheme directly inside Orthanc (for instance using a token in the HTTP headers), you can implement it as a Python plugin:
https://book.orthanc-server.com/plugins/python.html#forbid-or-allow-access-to-rest-resources-authorization-new-in-3-0

Maybe the so-called “advanced authorization plugin” could be of some help to you:

https://book.orthanc-server.com/plugins/authorization.html

Regards,
Sébastien-

Hi Dave,

Note that you can reload the user credentials (and actually all Orthanc config) by sending an empty POST to /tools/reset. It is almost equivalent to restarting Orthanc except that the Orthanc process stays active.

HTH,

Alain.

Awesome - this should also reload any mutual client TLS certificates too …

Thanks for the direction Alain
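
An external watcher that combines the polling steps from the first post with the empty POST to /tools/reset from Alain's reply. This is an added example, not code from the thread or from the Orthanc project; the URL, file name, environment variable names and the privileged account are assumptions, and the credentials file is assumed to be plain JSON without comments.

```python
import base64
import hashlib
import json
import os
import time
import urllib.request

# Assumed values for illustration; none of them come from the thread.
ORTHANC_URL = "http://localhost:8042"
CREDS_FILE = "cred.json"
INTERVAL = 300  # seconds, the proposed "CredentialsFileRead" value

def file_digest(path):
    """SHA-256 of the file, or None if it does not parse as JSON."""
    with open(path, "rb") as f:
        data = f.read()
    try:
        json.loads(data)  # assumption: plain JSON without comments
    except ValueError:
        return None  # half-written or broken file: never trigger a reload
    return hashlib.sha256(data).hexdigest()

def post_reset(base_url, user, password):
    """Send the empty POST to /tools/reset mentioned in Alain's reply."""
    req = urllib.request.Request(base_url + "/tools/reset", data=b"", method="POST")
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req.add_header("Authorization", "Basic " + token)
    with urllib.request.urlopen(req, timeout=30) as resp:
        return resp.status

def check_once(path, last_digest, reset):
    """Call reset() only for a changed, parseable file; return the digest to keep."""
    digest = file_digest(path)
    if digest is None or digest == last_digest:
        return last_digest
    reset()
    return digest

def watch(path, interval, reset):
    last = file_digest(path)  # step 2: hash at start-up
    while True:
        time.sleep(interval)  # steps 3-6: compare, reload on change, wait
        try:
            last = check_once(path, last, reset)
        except OSError as exc:  # Orthanc unreachable: keep old digest, retry
            print("reset failed, retrying next cycle:", exc)

if __name__ == "__main__":
    auth = (os.environ["ORTHANC_USER"], os.environ["ORTHANC_PASSWORD"])
    watch(CREDS_FILE, INTERVAL, lambda: post_reset(ORTHANC_URL, *auth))
```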