[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: Broker Auth Issue



When you install rubygem-openshift-origin-auth-remote-user it only puts a sample config file in /etc/openshift/plugins.d.

Have you configured /etc/openshift/console.conf to use remote_user? It defaults to basic.

On 3/22/13 12:54 PM, Diego Spinola Castro wrote:
Finally I figured out that my broker didn't have /etc/openshift/plugins.d/openshift-auth-remote-user.conf with TRUSTED_HEADER="REMOTE_USER".

Now curl requests are secured, but console auth is broken.

Sending you the console auth remote config and console.conf:

console-auth-remote-user.conf: http://pastebin.com/brvHsRcB

broker production logs:
Started GET "/broker/rest/domains/diego/applications.json" for 54.244.2.239 at 2013-03-22 15:45:47 -0400
Processing by ApplicationsController#index as JSON
  Parameters: {"domain_id"=>"diego"}
Filter chain halted as :authenticate_user! rendered or redirected
Completed 401 Unauthorized in 1ms


Started GET "/broker/rest/domains/diego/applications.json" for 54.244.2.239 at 2013-03-22 15:45:53 -0400
Processing by ApplicationsController#index as JSON
  Parameters: {"domain_id"=>"diego"}
Filter chain halted as :authenticate_user! rendered or redirected
Completed 401 Unauthorized in 1ms



2013/3/22 William DeCoste <wdecoste redhat com>
With the default auth-mongo the curl call will fail without the correct credentials.


On 3/22/13 10:17 AM, William DeCoste wrote:
Diego,

I am still looking into the curl/User-Agent issue but could you test with rhc?

1) Edit ~/.openshift/express.conf and set use_authentication_tokens=false.
2) Remove ~/openshift/token*
3) Try to create an app using an invalid password

The default settings create and use an authentication token and ignore the password.

Thanks -Bill

On 3/21/13 2:09 PM, Diego Spinola Castro wrote:
Hi, I've run into a strange behavior of the broker and auth system.
I have a basic remote-auth configured and everything worked fine until I tried to auth with an invalid user via the console and was able to access it.
Things get interesting when I use curl to access the broker: it looks like it doesn't matter whether the user is in the auth file or not, the broker always accepts it and gives access.

To reproduce:
Let's try with user invalid invalid com and password invalid
- Console
 Try to log in with an invalid user and password. You will be able to create a namespace and apps

- Curl
 curl -k https://broker.example.com/broker/rest/domains -X GET -u "invalid invalid com:" -H 'User-Agent: OpenShift'

 You will be able to access the API without a password, and even access the namespaces of other users by passing the User-Agent: OpenShift header.

Could you point me to a more secure solution?


_______________________________________________
dev mailing list
dev lists openshift redhat com
http://lists.openshift.redhat.com/openshiftmm/listinfo/dev

-- 
Bill DeCoste
Principal Software Engineer, Red Hat
978-204-0920
wdecoste redhat com



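The thread turns on one point: with a remote-user plugin, the broker never checks a password itself; it trusts a single request variable (TRUSTED_HEADER="REMOTE_USER") that the httpd front end sets only after it has authenticated the client, and until that plugin config existed the broker accepted whatever login curl supplied. The example below is added here to show what has to hold for that contract to be safe; it is not code from the OpenShift broker, the auth plugin, or any poster. It assumes a Rack-style env hash (server-set variables such as REMOTE_USER have no HTTP_ prefix, client-sent headers always do), a constructed user table USERS standing in for the htpasswd file, and the hypothetical names FrontEnd, RemoteUserAuth and handle.

```ruby
require 'digest'

# Constructed user table standing in for the front end's htpasswd file.
# Passwords are kept as SHA-256 hex digests only for this example.
USERS = {
  'diego' => Digest::SHA256.hexdigest('correct horse'),
}.freeze

# The env key the front end sets after it has authenticated the request.
# Rack/CGI expose every client header as HTTP_<NAME>; a bare REMOTE_USER
# can only come from the server, which is why it is safe to trust.
TRUSTED_HEADER = 'REMOTE_USER'.freeze

# Client headers that would impersonate the front end's verdict. They must
# be dropped before proxying, whatever the trusted key is.
SPOOFABLE = %w[HTTP_REMOTE_USER HTTP_X_REMOTE_USER].freeze

# Stand-in for the httpd front end: authenticates the client against USERS
# and builds the env the broker sees. Returns nil when httpd would answer
# 401 itself and proxy nothing.
module FrontEnd
  def self.build_env(client_env)
    env = client_env.reject { |k, _| SPOOFABLE.include?(k) || k == TRUSTED_HEADER }
    login = basic_auth_user(client_env['HTTP_AUTHORIZATION'])
    return nil unless login
    env[TRUSTED_HEADER] = login
    env
  end

  def self.basic_auth_user(header)
    return nil unless header && header.start_with?('Basic ')
    decoded = header.sub('Basic ', '').unpack1('m0') # strict Base64
    login, password = decoded.split(':', 2)
    return nil if login.nil? || password.nil? || password.empty?
    expected = USERS[login]
    return nil unless expected
    supplied = Digest::SHA256.hexdigest(password)
    return nil unless expected.bytesize == supplied.bytesize
    diff = 0 # constant-time comparison of the two digests
    expected.bytes.zip(supplied.bytes) { |a, b| diff |= a ^ b }
    diff.zero? ? login : nil
  rescue ArgumentError
    nil # malformed Base64 is treated as no credentials
  end
end

# Broker-side behaviour a remote-user plugin needs: trust exactly one
# server-set key, ignore everything the client claims about itself, and
# fail closed both when the key is absent and when nothing was configured.
class RemoteUserAuth
  class ConfigError < StandardError; end

  def initialize(trusted_header)
    if trusted_header.nil? || trusted_header.strip.empty?
      raise ConfigError, 'TRUSTED_HEADER not set; refusing to start rather than accept every login'
    end
    @trusted_header = trusted_header
  end

  # Returns the authenticated login or nil. The Basic username and the
  # User-Agent header are never consulted here; only the front end's key is.
  def authenticate(env)
    login = env[@trusted_header]
    return nil if login.nil? || login.strip.empty?
    login.strip
  end
end

# End-to-end result for one client request: [status, login].
def handle(client_env, auth = RemoteUserAuth.new(TRUSTED_HEADER))
  env = FrontEnd.build_env(client_env)
  return [401, nil] if env.nil?
  login = auth.authenticate(env)
  login ? [200, login] : [401, nil]
end

# Builds the Authorization value curl -u "login:password" would send.
def basic(login, password)
  'Basic ' + ["#{login}:#{password}"].pack('m0')
end

if __FILE__ == $0
  p handle('HTTP_AUTHORIZATION' => basic('diego', 'correct horse'))          # valid user
  p handle('HTTP_AUTHORIZATION' => basic('invalid invalid com', ''))        # the curl case from the thread
  p handle('HTTP_X_REMOTE_USER' => 'diego', 'HTTP_USER_AGENT' => 'OpenShift') # spoofed header, no creds
end
```

The second call reproduces the curl request from the thread (`-u "invalid invalid com:"`, empty password) and is rejected at the front end, so the broker never sees a REMOTE_USER. The third shows why the plugin must trust REMOTE_USER rather than a client-settable X-Remote-User, and why the front end strips such headers anyway. RemoteUserAuth.new(nil) raising at startup is the behaviour you want in place of the silent accept-everything the thread describes.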