The dummy auth plugin allows one to impersonate any user and to get any permission, which is very useful for dev and test.
But if this plugin ends up enabled in a production environment by mistake, it would be a big security issue.
We should find a way to make sure this cannot happen. Some ideas:

- Ideally, find some way to make it impossible to enable it in production
- Otherwise, add a safety layer (ask for confirmation when enabled at startup?)

Any other idea?
I wonder if it should be made a little bit less dummy.
An authentication mechanism that reads the users/passwords/groups from files, like e.g. WildFly does, could be a good starting point and useful for testing. It provides basic protection because you still need a username and a password that is configured on your server.
I have seen warnings when starting different services/apps if a configuration parameter is not expected in production, but I might not want to stop the process (just in case a health-check mechanism is in place). If the dummy auth is enabled, it can be warned about.
Nevertheless, with or without dummies, my opinion is that the deployment has to be done carefully and with no mistakes.
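To make the two directions discussed in this thread concrete (refuse or warn about the dummy plugin depending on the deployment profile, and a "less dummy" file-backed user/password/group store), here is an added example. It is not code from this project or from either commenter; the config keys `profile`, `auth_plugin` and `allow_dummy_auth_in_prod`, the plugin name `dummy`, the `select_auth_plugin` / `authenticate` helpers and the properties-file layout are all assumptions made for the illustration, and the sample user file is constructed inline.

```python
"""Startup guard for a dummy auth plugin plus a minimal file-backed
authenticator (added example; names and config keys are hypothetical)."""
import hashlib
import hmac
import logging
import os
from typing import Callable, Optional

log = logging.getLogger("auth-guard")

DUMMY_PLUGIN = "dummy"                     # assumed plugin identifier
PRODUCTION_PROFILES = {"prod", "production"}


class InsecureConfigError(RuntimeError):
    """Raised when the server would start with an unsafe auth configuration."""


def select_auth_plugin(config: dict,
                       confirm: Optional[Callable[[str], bool]] = None) -> str:
    """Return the auth plugin to load, enforcing the dummy-plugin policy.

    Policy: outside production the dummy plugin loads but logs a loud warning;
    in production it is refused unless the operator both set an explicit
    opt-in key AND answered an interactive confirmation at startup.
    An unknown/missing profile is treated as production (fail closed).
    """
    plugin = config["auth_plugin"]
    profile = str(config.get("profile", "prod")).lower()
    if plugin != DUMMY_PLUGIN:
        return plugin
    if profile in PRODUCTION_PROFILES or profile not in {"dev", "test"}:
        if not config.get("allow_dummy_auth_in_prod", False):
            raise InsecureConfigError(
                f"auth plugin '{DUMMY_PLUGIN}' refused for profile '{profile}'")
        if confirm is None or not confirm(
                "Dummy auth grants every permission to anyone. Really start? [y/N] "):
            raise InsecureConfigError(
                f"auth plugin '{DUMMY_PLUGIN}' was not confirmed at startup")
    log.warning("auth plugin '%s' enabled (profile=%s): any user can impersonate "
                "anyone and hold every permission", DUMMY_PLUGIN, profile)
    return plugin


# --- "less dummy" alternative: users/passwords/groups read from property files ---

def hash_password(password: str, salt: Optional[bytes] = None,
                  rounds: int = 200_000) -> str:
    """Return 'salt_hex:pbkdf2_sha256_hex' for storage in the users file."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)
    return f"{salt.hex()}:{digest.hex()}"


def parse_properties(text: str) -> dict:
    """Parse simple 'key=value' lines; blank lines and '#' comments are skipped."""
    out = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        out[key.strip()] = value.strip()
    return out


def authenticate(users: dict, groups: dict,
                 username: str, password: str) -> Optional[list]:
    """Return the user's group list on success, None on any failure."""
    record = users.get(username)
    if record is None:
        return None
    salt_hex, _, _digest = record.partition(":")
    candidate = hash_password(password, bytes.fromhex(salt_hex))
    if not hmac.compare_digest(candidate, record):   # constant-time comparison
        return None
    return [g for g in groups.get(username, "").split(",") if g]


# Constructed sample data (fixed salt so the example is reproducible).
_SALT = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0")
USERS_PROPERTIES = "# constructed sample users file\nalice=" + hash_password("s3cret", _SALT) + "\n"
GROUPS_PROPERTIES = "# constructed sample groups file\nalice=admin,dev\n"

if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING)
    print(select_auth_plugin({"profile": "dev", "auth_plugin": "dummy"}))
    users, groups = parse_properties(USERS_PROPERTIES), parse_properties(GROUPS_PROPERTIES)
    print(authenticate(users, groups, "alice", "s3cret"))
```

The guard keeps the health-check concern from the thread in mind: in dev/test the process still starts and only warns, while in production the refusal happens before any listener is opened, so a misconfigured node fails its health check instead of serving with open authentication.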