Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Fix for unauthenticated secret access #3289

Merged
merged 2 commits into from
Oct 23, 2018

Conversation

floreks
Copy link
Member

@floreks floreks commented Oct 11, 2018

Fix for a security issue reported by k8s security team. We will reveal all the information about the issue later on.

@k8s-ci-robot k8s-ci-robot added the cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. label Oct 11, 2018
@k8s-ci-robot
Copy link
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: floreks

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@k8s-ci-robot k8s-ci-robot added size/S Denotes a PR that changes 10-29 lines, ignoring generated files. approved Indicates a PR has been approved by an approver from all required OWNERS files. labels Oct 11, 2018
@floreks floreks requested a review from maciaszczykm October 11, 2018 19:34
@codecov
Copy link

codecov bot commented Oct 11, 2018

Codecov Report

Merging #3289 into master will decrease coverage by 0.01%.
The diff coverage is 0%.

Impacted file tree graph

@@            Coverage Diff            @@
##           master   #3289      +/-   ##
=========================================
- Coverage   54.61%   54.6%   -0.02%     
=========================================
  Files         565     565              
  Lines       12430   12433       +3     
=========================================
  Hits         6789    6789              
- Misses       5379    5382       +3     
  Partials      262     262
Impacted Files Coverage Δ
src/app/backend/auth/api/types.go 30.76% <ø> (ø) ⬆️
src/app/backend/auth/api/common.go 66.66% <0%> (-13.34%) ⬇️

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update cfc62d8...4016a2c. Read the comment docs.

@jessfraz
Copy link

Can you just return unauthenticated instead?

@maciaszczykm
Copy link
Member

@floreks Tested current solution and it works as it was expected.

zrzut ekranu 2018-10-12 o 09 13 32

We should investigate @jessfraz suggestion though.

@bryk
Copy link
Contributor

bryk commented Oct 12, 2018

That's a good quick fix solution. Although I suggest two follow ups:

  1. @jessfraz suggestion on unauthenticated when user sends no auth headers
  2. Changing default config to that secrets are not visible at all. I believe that'd better approach than the current one which has exclude list. I believe we can do this easily and prevent similar bugs in the future.
    WDYT?

@floreks
Copy link
Member Author

floreks commented Oct 12, 2018

@jessfraz suggestion on unauthenticated when user sends no auth headers

IMHO even if user is authenticated he should not have access to those dashboard exclusive resources. They are critical and all users should be blocked from viewing them. There is no point for users to actually view or modify them. They should be only accessible using kubectl. If we would follow this path then I guess "Unauthorized" is a correct error.

Changing default config to that secrets are not visible at all. I believe that'd better approach than the current one which has exclude list. I believe we can do this easily and prevent similar bugs in the future.
WDYT?

In case user tries to use direct link to access the resource should we just show 404 resource not found error? This could be a bit misleading as kubectl get secret xxx would still return it correctly.

@kubernetes kubernetes deleted a comment Oct 12, 2018
@maciaszczykm
Copy link
Member

@floreks I agree that we can block access in all scenarios, but what about blocking access to whole Dashboard when there is no auth token provided?

@floreks
Copy link
Member Author

floreks commented Oct 12, 2018

@maciaszczykm when there is no auth token it does not mean that no one is authenticated. It means that user is authenticated as the Dashboard user. Only in case where Skip option is disabled we should always redirect to the login page if user has not logged in.

@maciaszczykm
Copy link
Member

@floreks Yes, but perhaps we should disable Skip by default to improve security. There are plenty of users that try to use Dashboard without getting into details and using setup that "just works".

@liggitt
Copy link
Member

liggitt commented Oct 12, 2018

It means that user is authenticated as the Dashboard user

I would never want this behavior in a dashboard deployment I was responsible for. What can we do to enable requiring user login and prevent any possibility of use of the dashboard credentials via web requests to the dashboard?

{EncryptionKeyHolderName, EncryptionKeyHolderNamespace},
{CertificateHolderSecretName, CertificateHolderSecretNamespace},
}

// ShouldRejectRequest returns true if url contains name and namespace of resource that should be filtered out from
// dashboard.
func ShouldRejectRequest(url string) bool {
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

this method is basically "allow by default", with a list of specific exclusions. it is vulnerable to drifting from the actual permissions granted to the dashboard service account. I'd strongly recommend supporting a mode that requires user login and never allows dashboard users to make use of dashboard service account API permissions.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We have to think how to achieve that as we have to support an alternative option also where our login mechanism is disabled and user relies on authentication header or dashboard privileges to use it.

@maciaszczykm
Copy link
Member

@liggitt I agree that this is something that we need to investigate and fix.

@floreks
Copy link
Member Author

floreks commented Oct 13, 2018

I would never want this behavior in a dashboard deployment I was responsible for. What can we do to enable requiring user login and prevent any possibility of use of the dashboard credentials via web requests to the dashboard?

We should first disable Skip option by default and not allow access to any views except login in case user has not logged in. This should be easy to do if login mechanism is enabled.

@2rs2ts 2rs2ts mentioned this pull request Oct 17, 2018
@jessfraz
Copy link

can we move this forward... thanks!

@maciaszczykm maciaszczykm merged commit 01b840c into kubernetes:master Oct 23, 2018
@maciaszczykm maciaszczykm deleted the security-fix branch October 23, 2018 06:46
@maciaszczykm
Copy link
Member

It's merged as a quick fix. We have to investigate how to disable skipping auth, so no one will be able to enter any other page than login if he is not authenticated already.

@jessfraz
Copy link

jessfraz commented Oct 23, 2018

I’d really love to see this fixed well the first time, even if it takes more time. Can you explain the problems with changing this as per @liggitt’s comments

@bryk
Copy link
Contributor

bryk commented Oct 25, 2018

@jessfraz do you perhaps know someone who could contribute the change? Seems like either we do with showing no secrets at all or disabling the "skip" option. Both of them sound like deleting code.

@philips
Copy link

philips commented Nov 28, 2018

@maciaszczykm @bryk was a longterm fix implemented?

@maciaszczykm
Copy link
Member

@philips not yet, it is still on our roadmap as we transition to the new version of the frontend.

@philips
Copy link

philips commented Nov 29, 2018 via email

@maciaszczykm
Copy link
Member

@philips #2672

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. size/S Denotes a PR that changes 10-29 lines, ignoring generated files.
Projects
None yet
Development

Successfully merging this pull request may close these issues.

7 participants