Dashboard must not send keycloak token to plugin and devfile registries #14627

Closed
1 of 3 tasks
sleshchenko opened this issue Sep 23, 2019 · 3 comments
Labels
area/dashboard kind/bug Outline of a bug - must adhere to the bug report template. severity/P1 Has a major impact to usage or development of the system.

@sleshchenko
Member

Describe the bug

Plugin and Devfile registries are designed as free services that do not require any authentication.
Sending Che Keycloak tokens to them is unnecessary and potentially not a safe thing to do.
Dashboard must not send keycloak token to plugin and devfile registries

Che version

  • latest
  • nightly
  • other: please specify

Steps to reproduce

  1. Open Development Tools in browser.
  2. Open Che Dashboard.
  3. Check requests to plugin and devfile registries.

Expected behavior

Keycloak token is not sent to them.

@sleshchenko sleshchenko added kind/bug Outline of a bug - must adhere to the bug report template. area/dashboard labels Sep 23, 2019
@che-bot che-bot added the status/need-triage An issue that needs to be prioritized by the curator responsible for the triage. See https://github. label Sep 23, 2019
@ibuziuk ibuziuk added severity/P1 Has a major impact to usage or development of the system. team/ide and removed status/need-triage An issue that needs to be prioritized by the curator responsible for the triage. See https://github. team/ide labels Sep 23, 2019
@sunix
Contributor

sunix commented Nov 19, 2019

Shouldn't it be an option? If a team is using Che in a public cloud and would like to have the registry private?
@slemeur @l0rd

@sunix
Contributor

sunix commented Nov 19, 2019

Maybe devfile and plugin registry should be secured.

@sleshchenko
Member Author

@sunix I would distinguish two issues here:

  1. Che Server token must not be sent to plugin/devfile registries.
  2. Add an ability to configure plugin/devfile registries as secure (whether we should use the Keycloak token for that or another one is an implementation detail). It may seem easy to solve, but if we take into account that users may want to use different registries (some maybe not secured by the same Keycloak as is used for Che Server) and that Che Server should be able to access all of them (maybe it should be reworked and the client should provide everything downloaded), then it does not seem so easy to solve, and IMHO it should be solved separately, if we need it.
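
The first point above (the Che Server token goes to the Che Server only), sketched as an added example that is not part of the issue thread and not the Che dashboard's own code. The function names, origins, paths and token are constructed, and exact-origin matching is an assumed way of scoping the token, not the fix the project shipped.

```javascript
// Added example with hypothetical names; all values below are constructed.
const CHE_SERVER_ORIGIN = 'https://che.example.test';
const SAMPLE_TOKEN = 'constructed-sample-token';

// Build headers for an outgoing dashboard request. Authorization is attached
// only when the resolved URL has exactly the Che Server origin (scheme, host
// and port). Plugin and devfile registries never match, so they get no token.
function headersFor(requestUrl, pageUrl, token) {
  const headers = { Accept: 'application/json' };
  let target;
  try {
    // Resolve relative URLs against the page, as the browser would.
    target = new URL(requestUrl, pageUrl);
  } catch (e) {
    return headers; // unparsable URL: fail closed, no token
  }
  // Compare parsed origins, never string prefixes. A prefix test would accept
  // https://che.example.test.registry.test and https://che.example.test@registry.test
  if (token && target.origin === CHE_SERVER_ORIGIN) {
    headers.Authorization = 'Bearer ' + token;
  }
  return headers;
}

// True when a request to requestUrl, issued from the dashboard page, would
// carry the Keycloak token.
function sendsToken(requestUrl) {
  const page = CHE_SERVER_ORIGIN + '/dashboard/';
  const headers = headersFor(requestUrl, page, SAMPLE_TOKEN);
  return Object.prototype.hasOwnProperty.call(headers, 'Authorization');
}

// Constructed request URLs: Che API calls, registry calls and look-alikes.
const samples = [
  '/api/workspace',
  'https://che.example.test/api/user',
  'https://plugin-registry.example.test/plugins/index.json',
  'https://devfile-registry.example.test/devfiles/index.json',
  'http://che.example.test/api/user',
  'https://che.example.test.registry.test/plugins/index.json',
  'https://che.example.test@registry.test/plugins/index.json',
];
for (const url of samples) {
  console.log((sendsToken(url) ? 'token     ' : 'no token  ') + url);
}
```

The same comparison works as a check in a browser test: for every request recorded in the network log, assert that an Authorization header appears only when the request origin equals the Che Server origin.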
