Passbolt

For security and also for maintenance reasons, it is not recommended to hard-code things like usernames and passwords into KNIME workflow nodes (or anywhere else in source code for that matter...)

If you are a KNIME Business Hub user, you can use the features available there to store secrets (usernames, passwords, API keys, etc...). 

If not, there is now a very good alternative available :  the Passbolt open source Password and secret management system and the KNIME nodes provided by DataNautics to interface with this system.

I wanted to try this out and adapt my Cryptocurrency trading agent to use it.

In the screenshot below I am using the web interface to the Passbolt server DataNautics have give me access to and there I have created a Password entry for the Postgresql database I am using. This entry in this case just contains the database username and password

Next, I have created a simple workflow to test this out.

The first thing that needs to be done is to install the 'Passbolt Integration' extension nodes supplied by DataNautics.

Then, the easiest way is to configure a Passbolt Mountpoint under Preferences - Passbolt - Server Mountpoints. The values of Server URL and User UUID will be supplied to you by an email you receive when the Passbolt administrator sets up your user.

Next, add a Passbolt Connector node.

Next, add a Passbolt Get Credential node. To configure it, the easiest way is to enter the name of the credential you entered in Passbolt (PGIonos in my example).

Next, add a Passbolt Credential to Flow Variables node. No configuration needs to be done here.

Then, connect the flow variable output to the PostgresSQL Connector. In the connector's configuration, select 'Credentials' under 'authentication' and select the credential from the drop down. 

And that's it, you should now be able to access the database. And as you can see from the screenshot, it works.

Suppose you have 100 workflows using this data base connection and you change the data base password, in stead of having to modify these 100 workflows you would just have to modify the one entry in the Passbolt user interface.

There is a lot more to Passbolt, I intend to add stuff to this topic later on...

Below, you can see how I have updated my cryptocurrency trading agent to work with Passbolt and avoid hardcoding the username and password in the Database connector node (changes in red box):

And below you can see how I retrieve the API key for the Revolut API from Passbolt through a Passbolt Credential to Python node which I can then use in my Place Order Python node:

In order to make this work, I first have to add the KNIME Passbolt PY package to the Python environment I am using with KNIME. On my system this is done with the following code (executed from Terminal in Linux Mint).

(base) marc@marc-Lenovo-Yoga-500-14IBD:~$ mamba activate py39_knime

(py39_knime) marc@marc-Lenovo-Yoga-500-14IBD:~$ pip install "knime-passbolt-py>=0.1.0"

Collecting knime-passbolt-py>=0.1.0

  Downloading knime_passbolt_py-0.1.0-py3-none-any.whl.metadata (4.1 kB)

Downloading knime_passbolt_py-0.1.0-py3-none-any.whl (12 kB)

Installing collected packages: knime-passbolt-py

Successfully installed knime-passbolt-py-0.1.0

And below is the code I have added to my Python Place Order node to retrieve the password (in this case the API key from Revolut) :

cred = knio.input_objects[0]

with cred as c:

   # The wrapper currently exposes only the HTTP-Basic header form.

   # Decode the base64 to recover the password the PDF needs.

   header = c.basic_auth_header()

   # print(header)

   _, b64 = header.split(b" ", 1)

   _user, _, password = base64.b64decode(b64).decode("utf-8").partition(":")

   print(_user)

   print(password)