
Fw: Re: Fwd: Broker Auth Issue



-------- Original Message --------
Subject: 	Broker Auth Issue
Date: 	Thu, 21 Mar 2013 18:09:32 -0300
From: 	Diego Spinola Castro <spinolacastro gmail com>
To: 	dev lists openshift redhat com



Hi, I've run into a strange behavior of the broker and auth system.
I have a basic remote-auth configured and everything worked fine until I
tried to auth with an invalid user via the console and was able to access it.
Things get interesting when I use curl to access the broker: it looks like
it doesn't matter whether the user is in the auth file or not, the broker
always accepts it and grants access.

To reproduce:
let's try with user invalid@invalid.com and password "invalid".

- Console
Try to log in with an invalid user and password. You will be able to create
a namespace and apps.

- Curl
curl -k https://broker.example.com/broker/rest/domains -X GET -u "invalid@invalid.com:" -H 'User-Agent: OpenShift'

You will be able to access the API without a password, and even access the
namespaces of other users by passing the User-Agent: OpenShift header.

Could you point me to a more secure solution?



_______________________________________________
dev mailing list
dev lists openshift redhat com
http://lists.openshift.redhat.com/openshiftmm/listinfo/dev


Hi Diego,

I'd like to understand a bit more about the problem so that I can give you
some helpful suggestions. First, where did you install OpenShift from, and
what did you use to configure it? For example, did you install Origin from
your own build of RPMs? Or did you install this from an OpenShift Enterprise
installation via a Red Hat subscription?

/etc/openshift/plugins.d is where the openshift-origin-auth-remote-user.conf
resides. This tells the broker to trust the REMOTE_USER header.

Then you'll have two locations to configure Apache-based authentication (one
for the web console, and one for the broker):
/var/www/openshift/broker/httpd/conf.d/
/var/www/openshift/console/httpd/conf.d/

The broker should use openshift-origin-auth-remote-user.conf.
The console should use openshift-origin-auth-remote-user.conf.

*Note*: although the files are named the same, the contents are different.
Also, don't forget to generate your htpasswd file.
https://access.redhat.com/knowledge/docs/en-US/OpenShift_Enterprise/1/html-single/Deployment_Guide/index.html#sect-OpenShift_Enterprise-Deployment_Guide-Installing_and_Configuring_the_Broker_Application-Configuring_OpenShift_Enterprise_Authentication

If you continue to have issues, you can use the oo-diagnostics script to help
find any misconfiguration.

https://github.com/openshift/origin-server/blob/master/util/oo-diagnostics

- Chris
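The setup Chris describes (Apache authenticating the request, the broker trusting REMOTE_USER) only holds if nothing but that Apache stage can set the variable. The Python sketch below is an added illustration, not code from the thread or from OpenShift: it models such a gate, verifying Basic credentials against htpasswd-style `{SHA}` entries, setting REMOTE_USER only on success, and never promoting a client-sent header to REMOTE_USER, so Diego's request with an unknown user, an empty password and the OpenShift User-Agent is rejected. The htpasswd entries, account names and request dictionaries are constructed for the example.

```python
"""Front-end auth gate modelled on the thread's Apache + REMOTE_USER setup.

Added illustration, not OpenShift's or the thread authors' code. The
htpasswd entries, user names and request dictionaries are constructed.
"""
import base64
import hashlib
import hmac


def sha_entry(password: str) -> str:
    """Password field in the '{SHA}' form that `htpasswd -s` writes."""
    digest = hashlib.sha1(password.encode("utf-8")).digest()
    return "{SHA}" + base64.b64encode(digest).decode("ascii")


# Constructed htpasswd file contents (two accounts, no real secrets).
HTPASSWD_TEXT = (
    "alice:" + sha_entry("correct horse battery") + "\n"
    "bob:" + sha_entry("hunter2") + "\n"
)


def load_htpasswd(text: str) -> dict:
    """Parse 'user:hash' lines into a dict; blank and comment lines are skipped."""
    users = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, _, stored = line.partition(":")
        users[name] = stored
    return users


def verify_password(users: dict, username: str, password: str) -> bool:
    """True only for a known user whose '{SHA}' entry matches the password."""
    stored = users.get(username)
    if stored is None or not stored.startswith("{SHA}"):
        return False  # unknown user, or a hash format this sketch does not handle
    return hmac.compare_digest(sha_entry(password), stored)


def basic_header(username: str, password: str) -> str:
    """Authorization value as sent by `curl -u user:pass` (used to build requests)."""
    raw = f"{username}:{password}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def parse_basic(header):
    """Return (user, password) from a Basic Authorization header, else None."""
    if not header or not header.startswith("Basic "):
        return None
    try:
        raw = base64.b64decode(header[6:], validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    if ":" not in raw:
        return None
    user, _, password = raw.partition(":")
    return user, password


def gate(request: dict, users: dict):
    """Return (status, environ). The app behind the gate trusts environ['REMOTE_USER'],
    so it is set only after a successful htpasswd check; client headers (including
    a 'Remote-User' header or any User-Agent) are exposed as HTTP_* only."""
    headers = {k.lower(): v for k, v in request.get("headers", {}).items()}
    environ = {"HTTP_" + k.upper().replace("-", "_"): v for k, v in headers.items()}
    environ["PATH_INFO"] = request.get("path", "/")
    creds = parse_basic(headers.get("authorization"))
    if creds is None:
        return 401, environ
    user, password = creds
    if password == "" or not verify_password(users, user, password):
        return 401, environ  # an empty password is never accepted
    environ["REMOTE_USER"] = user
    return 200, environ


USERS = load_htpasswd(HTPASSWD_TEXT)


def run_cases():
    """Replay the thread's scenarios; returns {case: (status, REMOTE_USER seen by app)}."""
    path = "/broker/rest/domains"
    cases = {
        # Diego's curl: unknown user, empty password, OpenShift User-Agent.
        "unknown_user_empty_password": {"path": path, "headers": {
            "Authorization": basic_header("invalid@invalid.com", ""), "User-Agent": "OpenShift"}},
        # Client asserts an identity by sending the header itself.
        "client_supplied_remote_user": {"path": path, "headers": {
            "Remote-User": "alice", "User-Agent": "OpenShift"}},
        "known_user_wrong_password": {"path": path, "headers": {
            "Authorization": basic_header("alice", "wrong")}},
        "known_user_right_password": {"path": path, "headers": {
            "Authorization": basic_header("alice", "correct horse battery")}},
    }
    results = {}
    for name, request in cases.items():
        status, environ = gate(request, USERS)
        results[name] = (status, environ.get("REMOTE_USER"))
    return results


if __name__ == "__main__":
    for name, outcome in run_cases().items():
        print(f"{name}: {outcome}")
```

The point of the gate is the last two lines of `gate()`: REMOTE_USER exists in the application's environment only when this stage wrote it, which is the property the Apache configuration in the two conf.d directories has to provide for the broker's trust in that variable to be safe.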




----- End forwarded message -----


