
Broker Auth Issue



Hi, I've run into a strange behavior of the broker and auth system.
I have a basic remote-auth configured and everything works fine since I tried to auth with an invalid user via console and was able to access it.
Things get interesting when I use curl to access the broker: it looks like it doesn't matter whether the user is in the auth file or not, the broker always accepts it and gives access.

To reproduce:
Let's try with user: invalid invalid com and password invalid
- Console
 Try to log in with an invalid user and password. You will be able to create a namespace and apps.

- Curl
 curl -k https://broker.example.com/broker/rest/domains -X GET -u "invalid invalid com:" -H 'User-Agent: OpenShift'

 You will be able to access the API without a password, and even access namespaces of other users, by passing the User-Agent: OpenShift header.

Could you point me to a more secure solution?
