
Optionally require auth token/header for all dashboard requests #52

Open
AndersBennedsgaard opened this issue Mar 7, 2024 · 6 comments

Comments

@AndersBennedsgaard

/kind feature

Why you need this feature:

It should really be possible to require users to be authenticated when interacting with Kubeflow, so I would like to be able to require authentication without using Istio

Describe the solution you'd like:

```javascript
// Proposed check, expressed as Express-style middleware so it runs as-is.
// checkToken would come from configuration (e.g. an environment variable).
function requireToken(checkToken) {
  return (req, res, next) => {
    if (checkToken) {
      const token = req.headers.authorization;

      if (!token) {
        return res.status(401).send('Unauthorized - Missing token');
      }
    }
    next();
  };
}
```
@juliusvonkohout
Member

/close

This belongs to kubeflow/manifests, I think.


@juliusvonkohout: Closing this issue.

In response to this:

/close

This belongs to kubeflow/manifests, I think.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@AndersBennedsgaard
Author

@juliusvonkohout please re-open. While it is possible to do this with Istio, or something else, this should really be handled in the code-base instead.

@juliusvonkohout
Member

> "It should really be possible to require users to be authenticated when interacting with Kubeflow, so I would like to be able to require authentication without using Istio"

Kubeflow Platform does not work without Istio. You can install the standalone components without Istio or multi-user support: kubeflow/website#3724

The authentication stuff (oauth2-proxy) is in kubeflow/manifests as well.

@AndersBennedsgaard
Author

I'm not arguing that Kubeflow should remove Istio as a required dependency (even though I would be very happy if this were to happen).
I'm just saying that looking for an ENFORCE_AUTHENTICATION environment variable in the central dashboard and other UIs, and returning 401 if users and other services don't have the user ID header set (or other authentication mechanisms), should be very possible - and arguably much more secure than enforcing it through one of many reverse proxies in front of the solution.

The reason I hit this issue came from a minor misconfiguration in my installation of Kubeflow (or actually Istio), which allowed everyone and everything to do stuff in the central dashboard, without any indication of such an error. Setting ENFORCE_AUTHENTICATION or something else in the central dashboard would make it possible for admins to be completely sure that there are no non-authorized users messing around in your solution.

@juliusvonkohout
Member

Ok the central dashboard part belongs to kubeflow/kubeflow (will be migrated in the next months), but most other things are probably more related to kubeflow/manifests.

@juliusvonkohout
Member

/reopen

To split this up and migrate later on

@google-oss-prow google-oss-prow bot reopened this May 25, 2024

@juliusvonkohout: Reopened this issue.

In response to this:

/reopen

To split this up and migrate later on

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@thesuperzapper thesuperzapper changed the title Optionally require auth token Optionally require auth token/header for all dashboard requests Jul 16, 2024
@thesuperzapper
Member

I am going to assume this request is about Kubeflow Dashboard, and rejecting requests that don't have kubeflow-userid header set, rather than treating the user as "anonymous" but still allowing them to browse the UI.

@AndersBennedsgaard
Author

> I am going to assume this request is about Kubeflow Dashboard, and rejecting requests that don't have kubeflow-userid header set, rather than treating the user as "anonymous" but still allowing them to browse the UI.

Yes, exactly. Sorry if my poor explanation didn't get that across 😅
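The check the thread converges on (reject dashboard requests that carry no `kubeflow-userid` header, switched on by an `ENFORCE_AUTHENTICATION` environment variable), written out as an added example. This is not code from the Kubeflow central dashboard; the header and variable names are the ones proposed in this thread, and the `(req, res, next)` shape is assumed to match an Express-style app. It has no dependencies, so the small `makeReq`/`makeRes` stand-ins let it run without a framework.

```javascript
// Added example, not Kubeflow project code. Header and env var names are the
// ones proposed in the issue thread; the middleware shape is assumed Express-like.

const IDENTITY_HEADER = 'kubeflow-userid';

// Read the switch from the environment; "true" or "1" enables enforcement.
// Default is off so existing installs keep their current behaviour.
function enforcementEnabled(env = process.env) {
  const v = (env.ENFORCE_AUTHENTICATION || '').trim().toLowerCase();
  return v === 'true' || v === '1';
}

// Build the middleware. Node lower-cases incoming header names, so the lookup
// is case-insensitive. A blank header counts as missing: "anonymous" must not
// slip through as an empty string.
function requireIdentityHeader({ headerName = IDENTITY_HEADER, enforce = true } = {}) {
  return function (req, res, next) {
    if (!enforce) return next();
    const raw = req.headers[headerName.toLowerCase()];
    const userId = Array.isArray(raw) ? raw[0] : raw;
    if (typeof userId !== 'string' || userId.trim() === '') {
      res.status(401).json({ error: `Unauthorized - missing ${headerName} header` });
      return; // next() is deliberately not called: the request stops here
    }
    req.user = { email: userId.trim() };
    next();
  };
}

// Minimal stand-ins for req/res so the example runs without Express.
function makeReq(headers) {
  const lowered = Object.fromEntries(
    Object.entries(headers).map(([k, v]) => [k.toLowerCase(), v]),
  );
  return { headers: lowered };
}
function makeRes() {
  const res = { statusCode: 200, body: undefined };
  res.status = (code) => { res.statusCode = code; return res; };
  res.json = (obj) => { res.body = obj; return res; };
  return res;
}

// Push one request through the middleware and report what happened.
function runRequest(headers, enforce = true) {
  const mw = requireIdentityHeader({ enforce });
  const req = makeReq(headers);
  const res = makeRes();
  let reachedHandler = false;
  mw(req, res, () => { reachedHandler = true; });
  return {
    status: reachedHandler ? 200 : res.statusCode,
    reachedHandler,
    user: req.user,
  };
}

// Constructed sample requests: one stamped by the proxy, one that bypassed it,
// one with enforcement switched off.
console.log(runRequest({ 'kubeflow-userid': 'alice@example.com' }));
console.log(runRequest({}));
console.log(runRequest({}, false));
```

The check closes the failure mode the reporter describes: a request that reaches the dashboard with no identity now fails loudly with a 401 instead of being treated as anonymous. It is still only a presence check. The header is trusted because the proxy in front of the dashboard (oauth2-proxy behind Istio, per the thread) is expected to set it, so the switch complements restricting ingress to that proxy rather than replacing it.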

@andreyvelich
Member

/transfer dashboard


@AndersBennedsgaard: The label(s) kind/feature cannot be applied, because the repository doesn't have them.

In response to this:

/kind feature

Why you need this feature:

It should really be possible to require users to be authenticated when interacting with Kubeflow, so I would like to be able to require authentication without using Istio

Describe the solution you'd like:

```javascript
if (checkToken) {
    const token = req.headers.authorization;

    if (!token) {
        return res.status(401).send('Unauthorized - Missing token');
    }
}
```

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@google-oss-prow google-oss-prow bot transferred this issue from kubeflow/kubeflow Nov 11, 2024