[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: Broker Auth Issue


I am still looking into the curl/User-Agent issue, but could you test with rhc?

1) Edit ~/.openshift/express.conf and set use_authentication_tokens=false.
2) Remove ~/openshift/token*
3) Try to create an app using an invalid password

The default settings create and use an authentication token and ignore the password.

Thanks -Bill
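As an added example, not code from this thread or from OpenShift itself, the following Python script covers both sides of the problem being discussed: a broker-side credential check against an htpasswd-style auth file that denies unknown users and blank passwords instead of falling through to "allow", and a client-side probe that replays the curl requests from the report (no password, then the User-Agent: OpenShift header, then a wrong password) against /broker/rest/domains and expects HTTP 401 for every one of them. The sample auth file is constructed inline, the {SHA} hash format and the user name invalid@invalid.com are assumptions, and the function names are mine.

```python
"""Added example: deny-by-default htpasswd check plus a broker auth probe.
Not part of the mailing-list thread or of OpenShift; names and sample data
are constructed for illustration."""
import base64
import hashlib
import hmac
import ssl
import sys
import urllib.error
import urllib.request


def sha_entry(user, password):
    """Build one htpasswd line in {SHA} format (what `htpasswd -s` writes)."""
    digest = hashlib.sha1(password.encode()).digest()
    return f"{user}:{{SHA}}{base64.b64encode(digest).decode()}"


# Constructed sample auth file (assumption): only alice and bob exist.
SAMPLE_AUTH_FILE = "\n".join([
    "# users allowed to log in to the broker",
    sha_entry("alice", "correct horse"),
    "",
    sha_entry("bob", "battery staple"),
]) + "\n"


def parse_auth_file(text):
    """Map user -> stored hash, skipping blank and comment lines."""
    users = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        user, _, stored = line.partition(":")
        users[user] = stored
    return users


def check_credentials(auth_text, user, password):
    """True only for a known user presenting the correct, non-empty password.
    Unknown user, blank password or an unsupported hash format is a deny;
    nothing falls through to 'allow', which is the failure the thread reports."""
    if not user or not password:
        return False
    stored = parse_auth_file(auth_text).get(user)
    if stored is None or not stored.startswith("{SHA}"):
        return False
    presented = base64.b64encode(hashlib.sha1(password.encode()).digest()).decode()
    return hmac.compare_digest(stored[len("{SHA}"):], presented)


# Client side: the curl requests from the thread, replayed with urllib.
# (label, password, extra headers); the user name is assumed.
PROBES = [
    ("unknown user, empty password, no User-Agent", "", {}),
    ("unknown user, empty password, User-Agent: OpenShift", "", {"User-Agent": "OpenShift"}),
    ("unknown user, wrong password, User-Agent: OpenShift", "invalid", {"User-Agent": "OpenShift"}),
]


def probe_broker(base_url, user="invalid@invalid.com", insecure=False, timeout=10):
    """Send each probe to /broker/rest/domains and return {label: HTTP status}."""
    ctx = ssl._create_unverified_context() if insecure else None  # equivalent of curl -k
    url = base_url.rstrip("/") + "/broker/rest/domains"
    results = {}
    for label, password, headers in PROBES:
        basic = base64.b64encode(f"{user}:{password}".encode()).decode()
        req = urllib.request.Request(url, headers={**headers, "Authorization": "Basic " + basic})
        try:
            with urllib.request.urlopen(req, timeout=timeout, context=ctx) as resp:
                results[label] = resp.getcode()
        except urllib.error.HTTPError as err:
            results[label] = err.code
    return results


def all_rejected(results):
    """A correctly configured broker answers 401 to every probe."""
    return bool(results) and all(code == 401 for code in results.values())


if __name__ == "__main__":
    if len(sys.argv) < 2:
        sys.exit(f"usage: {sys.argv[0]} https://broker.example.com [--insecure]")
    outcome = probe_broker(sys.argv[1], insecure="--insecure" in sys.argv)
    for label, code in outcome.items():
        print(f"{code}  {label}")
    print("OK: all probes rejected" if all_rejected(outcome)
          else "FAIL: broker accepted bogus credentials")
```

Run it as `python3 probe.py https://broker.example.com --insecure` after disabling authentication tokens as described above; any line that prints 200 instead of 401 reproduces the bypass. The credential check uses hmac.compare_digest and returns False on every path except a verified match, so adding the auth-file user to the file is the only way to get an "allow".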

On 3/21/13 2:09 PM, Diego Spinola Castro wrote:
Hi, I've run into some strange behavior of the broker and auth system.
I have basic remote-auth configured and everything works fine; then I tried to auth with an invalid user via the console and was able to access it.
Things get interesting when I use curl to access the broker: it looks like it doesn't matter whether the user is in the auth file or not, the broker always accepts it and gives access.

To reproduce:
Let's try with user invalid invalid com and password invalid.
- Console
 Try to log in with an invalid user and password. You will be able to create a namespace and apps.

- Curl
 curl -k https://broker.example.com/broker/rest/domains -X GET -u "invalid invalid com:" -H 'User-Agent: OpenShift'

 You will be able to access the API without a password, and even access other users' namespaces by passing the User-Agent: OpenShift header.

Could you point me to a more secure solution?

dev mailing list
dev lists openshift redhat com

Bill DeCoste
Principal Software Engineer, Red Hat
wdecoste redhat com
