-
Notifications
You must be signed in to change notification settings - Fork 4.2k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Fix for unauthenticated secret access #3289
Conversation
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: floreks The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
Codecov Report
@@ Coverage Diff @@
## master #3289 +/- ##
=========================================
- Coverage 54.61% 54.6% -0.02%
=========================================
Files 565 565
Lines 12430 12433 +3
=========================================
Hits 6789 6789
- Misses 5379 5382 +3
Partials 262 262
Continue to review full report at Codecov.
|
Can you just return unauthenticated instead? |
That's a good quick fix solution. Although I suggest two follow ups:
|
IMHO even if user is authenticated he should not have access to those dashboard exclusive resources. They are critical and all users should be blocked from viewing them. There is no point for users to actually view or modify them. They should be only accessible using
In case user tries to use direct link to access the resource should we just show 404 resource not found error? This could be a bit misleading as |
@floreks I agree that we can block access in all scenarios, but what about blocking access to whole Dashboard when there is no auth token provided? |
@maciaszczykm when there is no auth token it does not mean that no one is authenticated. It means that user is authenticated as the Dashboard user. Only in case where |
@floreks Yes, but perhaps we should disable |
I would never want this behavior in a dashboard deployment I was responsible for. What can we do to enable requiring user login and prevent any possibility of use of the dashboard credentials via web requests to the dashboard? |
{EncryptionKeyHolderName, EncryptionKeyHolderNamespace}, | ||
{CertificateHolderSecretName, CertificateHolderSecretNamespace}, | ||
} | ||
|
||
// ShouldRejectRequest returns true if url contains name and namespace of resource that should be filtered out from | ||
// dashboard. | ||
func ShouldRejectRequest(url string) bool { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
this method is basically "allow by default", with a list of specific exclusions. it is vulnerable to drifting from the actual permissions granted to the dashboard service account. I'd strongly recommend supporting a mode that requires user login and never allows dashboard users to make use of dashboard service account API permissions.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
We have to think how to achieve that as we have to support an alternative option also where our login mechanism is disabled and user relies on authentication header or dashboard privileges to use it.
@liggitt I agree that this is something that we need to investigate and fix. |
We should first disable |
can we move this forward... thanks! |
It's merged as a quick fix. We have to investigate how to disable skipping auth, so no one will be able to enter any other page than login if he is not authenticated already. |
I’d really love to see this fixed well the first time, even if it takes more time. Can you explain the problems with changing this as per @liggitt’s comments |
@jessfraz do you perhaps know someone who could contribute the change? Seems like either we do with showing no secrets at all or disabling the "skip" option. Both of them sound like deleting code. |
@maciaszczykm @bryk was a longterm fix implemented? |
@philips not yet, it is still on our roadmap as we transition to the new version of the frontend. |
Can you file a new issue so I can watch that one?
…On Wed, Nov 28, 2018 at 11:19 PM Marcin Maciaszczyk < ***@***.***> wrote:
@philips <https://github.com/philips> not yet, it is still on our roadmap
as we transition to the new version of the frontend.
—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub
<#3289 (comment)>,
or mute the thread
<https://github.com/notifications/unsubscribe-auth/AACDCPmDuLODjv01RkjbtwgkFPSoP9Ylks5uz4qFgaJpZM4XYOX5>
.
|
Fix for a security issue reported by k8s security team. We will reveal all the information about the issue later on.