-------- Original Message --------
Subject: Broker Auth Issue
Date: Thu, 21 Mar 2013 18:09:32 -0300
From: Diego Spinola Castro <spinolacastro gmail com>
To: dev lists openshift redhat com

Hi,

I've run into a strange behavior of the broker and auth system. I have basic remote-auth configured and everything worked fine until I tried to auth with an invalid user via the console and was able to access it.

Things get interesting when I use curl to access the broker: it looks like it doesn't matter whether the user is in the auth file or not, the broker always accepts it and gives access.

To reproduce, let's try with user "invalid invalid com" and password "invalid":

- Console: try to log in with an invalid user and password. You will be able to create a namespace and apps.

- Curl:

  curl -k https://broker.example.com/broker/rest/domains -X GET -u "invalid invalid com:" -H 'User-Agent: OpenShift'

  You will be able to access the API without a password, and even access the namespaces of other users by passing the "User-Agent: OpenShift" header.

Could you point me to a more secure solution?
_______________________________________________ dev mailing list dev lists openshift redhat com http://lists.openshift.redhat.com/openshiftmm/listinfo/dev
Hi Diego,

I'd like to understand a bit more about the problem so that I can give you some helpful suggestions.

First, where did you install OpenShift from, and what did you use to configure it? For example, did you install Origin from your own build of RPMs? Or did you install this from an OpenShift Enterprise installation via a Red Hat subscription?

/etc/openshift/plugins.d is where openshift-origin-auth-remote-user.conf resides. This tells the broker to trust the REMOTE_USER header.

Then you'll have two locations to configure Apache-based authentication (one for the web console, and one for the broker):

/var/www/openshift/broker/httpd/conf.d/
/var/www/openshift/console/httpd/conf.d/

The broker should use openshift-origin-auth-remote-user.conf
The console should use openshift-origin-auth-remote-user.conf

*Note*: although the files are named the same, the contents are different.

Also, don't forget to generate your htpasswd file.

https://access.redhat.com/knowledge/docs/en-US/OpenShift_Enterprise/1/html-single/Deployment_Guide/index.html#sect-OpenShift_Enterprise-Deployment_Guide-Installing_and_Configuring_the_Broker_Application-Configuring_OpenShift_Enterprise_Authentication

If you continue to have issues, you can use the oo-diagnostics script to help find any misconfiguration.

https://github.com/openshift/origin-server/blob/master/util/oo-diagnostics

- Chris

----- End forwarded message -----
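An added illustration of the trust boundary Chris describes, written for this page and not code from the thread or from OpenShift: with the remote-user plugin the broker accepts whatever REMOTE_USER the front end hands it, so the security of the whole setup rests on the Apache layer setting that variable only after a password has actually been verified against the htpasswd file. The model below stands in a hypothetical front end and broker, with a constructed htpasswd line in the {SHA} format that `htpasswd -s` writes, a made-up user alice@example.com, and the same "unknown user, empty password" request Diego's curl command sends. The "weak" front end is a hypothetical shape that reproduces the symptom (any Authorization header is accepted); it is not a claim about what Diego's actual configuration contained.

```python
"""Model of the REMOTE_USER trust boundary in front of a remote-user broker.

Hypothetical stand-ins for illustration only; not OpenShift's own code.
"""
import base64
import hashlib
import hmac


def _sha_entry(password):
    # Digest in the form `htpasswd -s` writes: {SHA}base64(sha1(password)).
    return "{SHA}" + base64.b64encode(hashlib.sha1(password.encode()).digest()).decode()


# Constructed htpasswd content for the example (user alice@example.com,
# password "correct horse"). Not a real credential.
HTPASSWD_TEXT = "alice@example.com:" + _sha_entry("correct horse") + "\n"


def parse_htpasswd(text):
    """Return {user: digest} from htpasswd-style 'user:digest' lines."""
    users = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        user, digest = line.split(":", 1)
        users[user] = digest
    return users


def check_password(users, user, password):
    """True only if the user exists and the {SHA} digest matches the password."""
    digest = users.get(user)
    if digest is None or not digest.startswith("{SHA}"):
        return False  # unknown user, or a hash scheme this checker does not handle
    expected = digest[len("{SHA}"):]
    actual = base64.b64encode(hashlib.sha1(password.encode()).digest()).decode()
    return hmac.compare_digest(expected, actual)


def _decode_basic(header):
    """Parse an HTTP Basic Authorization header into (user, password), or None."""
    if not header or not header.startswith("Basic "):
        return None
    try:
        raw = base64.b64decode(header[6:]).decode()
    except ValueError:  # covers binascii.Error and UnicodeDecodeError
        return None
    user, _, password = raw.partition(":")
    return user, password


def basic_header(user, password):
    """Build the header curl's -u "user:password" option sends."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def broker(environ):
    """Stand-in broker: trusts REMOTE_USER unconditionally, as the remote-user
    plugin does. Returns (status, authenticated user)."""
    user = environ.get("REMOTE_USER")
    if not user:
        return 401, None
    return 200, user


def front_end_weak(environ, users):
    """Hypothetical misconfigured front end: no password check at all, so
    REMOTE_USER is derived from whatever name the client sent. This reproduces
    the symptom in the thread (unknown user, empty password, access granted)."""
    creds = _decode_basic(environ.get("HTTP_AUTHORIZATION"))
    if creds:
        environ["REMOTE_USER"] = creds[0]
    return broker(environ)


def front_end_fixed(environ, users):
    """Basic auth enforced in front of the broker: any inbound REMOTE_USER is
    discarded, and it is set only after the htpasswd check succeeds."""
    environ.pop("REMOTE_USER", None)  # never trust a client-supplied value
    creds = _decode_basic(environ.get("HTTP_AUTHORIZATION"))
    if not creds or not check_password(users, creds[0], creds[1]):
        return 401, None
    environ["REMOTE_USER"] = creds[0]
    return broker(environ)


if __name__ == "__main__":
    users = parse_htpasswd(HTPASSWD_TEXT)
    probe = {"HTTP_AUTHORIZATION": basic_header("invalid@invalid.com", "")}
    print("weak front end  :", front_end_weak(dict(probe), users))
    print("fixed front end :", front_end_fixed(dict(probe), users))
```

The check to run against a real deployment is the same shape as `front_end_fixed`: a request with an unknown user and an empty password must come back 401 from the broker's REST endpoint, regardless of any User-Agent header, and a request that carries only a forged REMOTE_USER (no valid credentials) must also be rejected, because the broker itself performs no verification of that value.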