
Re: Broker LDAP Auth



On Fri, May 24, 2013 at 08:32:03AM -0400, Clayton Coleman wrote:
> On May 24, 2013, at 7:00 AM, Romain <filirom1 gmail com> wrote:
> 
> > With mongo auth, environment.json works without auth
> > 
> > 	$ curl -k https://localhost/broker/rest/environment.json
> > 	{"data":{"domain_suffix":"mymachine.me","download_cartridges_enabled":true},"messages":[],"status":"ok","supported_api_versions":[1.0,1.1,1.2,1.3,1.4],"type":"environment","version":"1.4"}
> > 
> > 
> > But with LDAP plugin auth, environment.json fails with authorization required
> > 

[...]

> > So I added the following lines to the httpd config
> > 
> >   # The following APIs do not require auth:
> >   <Location /broker/rest/cartridges*>
> >       Allow from all
> >   </Location>
> > 
> >   <Location /broker/rest/api*>
> >       Allow from all
> >   </Location>
> > 
> > + <Location /broker/rest/environment*>
> > +     Allow from all
> > + </Location>
> > 
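Review bot: The added `<Location /broker/rest/environment*>` pattern ends in a wildcard, so the `Allow from all` exemption applies to every resource name under /broker/rest/ that begins with `environment`, not only `environment.json`. If only that one resource is meant to be reachable without credentials, a narrower pattern would keep any later, similarly named resource behind auth. The same consideration applies to the existing `cartridges*` and `api*` blocks.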
> > Is it ok?
>
> Yes, letting environment remain unprotected is ok (that matches Openshift.com)

For this change not to be forgotten, I've now created

	https://github.com/openshift/origin-server/pull/2788

to get the change to all three .conf.sample files, even if I'm not
sure why the unauthenticated request works with Basic Auth without
the patch. But for consistency's sake, all three mechanisms should
probably be configured the same.

Another possible approach would be to move the 'Allow from all'
Location directives to some separate, common .conf file.

-- 
Jan Pazdziora | adelton at #ipa*, #brno
Principal Software Engineer, Identity Management Engineering, Red Hat
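
The consistency concern raised in the message above (every auth mechanism's sample config should exempt the same paths from authentication) can be checked mechanically. The following is an added example, not code from the thread or from origin-server; the file names and config bodies are constructed, and the check is purely textual (it looks only for `Allow from all` inside `<Location>` blocks).

```python
import re

# Constructed stand-ins for the three sample configs; file names are hypothetical.
def _conf(*open_paths):
    blocks = ["<Location /broker>\n    AuthType Basic\n    Require valid-user\n</Location>",
              "# The following APIs do not require auth:"]
    blocks += [f"<Location {p}>\n    Allow from all\n</Location>" for p in open_paths]
    return "\n\n".join(blocks) + "\n"

SAMPLES = {
    "basic.conf.sample": _conf("/broker/rest/cartridges*", "/broker/rest/api*"),
    "ldap.conf.sample": _conf("/broker/rest/cartridges*", "/broker/rest/api*",
                              "/broker/rest/environment*"),
    "third.conf.sample": _conf("/broker/rest/cartridges*", "/broker/rest/api*"),
}

LOCATION_RE = re.compile(r"<Location\s+\"?([^\">\s]+)\"?\s*>(.*?)</Location\s*>",
                         re.S | re.I)
ALLOW_ALL_RE = re.compile(r"^\s*Allow\s+from\s+all\s*$", re.I | re.M)

def open_locations(conf_text):
    """Paths of <Location> blocks that contain 'Allow from all'."""
    # Drop comment lines first so commented-out blocks are not counted.
    text = re.sub(r"^\s*#.*$", "", conf_text, flags=re.M)
    return {path for path, body in LOCATION_RE.findall(text)
            if ALLOW_ALL_RE.search(body)}

def missing_exemptions(configs):
    """For each file, exemptions that some other file has but this one lacks."""
    per_file = {name: open_locations(text) for name, text in configs.items()}
    union = set().union(*per_file.values())
    return {name: sorted(union - paths)
            for name, paths in per_file.items() if union - paths}

if __name__ == "__main__":
    for name, missing in sorted(missing_exemptions(SAMPLES).items()):
        print(f"{name}: missing unauthenticated exemption(s) {missing}")
```

The same report also surfaces the opposite drift: an exemption present in only one file shows up as missing from all the others, which is a prompt to confirm it was meant to be public at all.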

