Safer dummy auth plugin #146

Open
mgaonach opened this issue Apr 26, 2022 · 1 comment
@mgaonach
Collaborator

The dummy auth plugin allows impersonating any user and getting any permission, which is very useful for dev and test.
But if this plugin ends up enabled in a production environment by mistake, it would be a big security issue.

We should find a way to make sure this cannot happen. Some ideas:

  • Ideally, find some way to make it impossible to enable it in production
  • Otherwise, add a safety layer (ask for confirmation when enabled at startup?)

Any other idea?

@antolinos
Collaborator

I wonder if it should be made a little bit less dummy.

An authentication that reads the users/passwords/groups from files, like e.g. WildFly does, could be a good starting point and useful for testing. It provides a basic protection because you still need a username and a password that is configured in your server.

I have seen warnings when starting different services/apps if a configuration parameter is not expected in production, but I might not want to stop the process (just in case a health-check mechanism is in place). If the dummy-auth is enabled, a warning can be issued.

Nevertheless, with or without dummies, my opinion is that the deployment has to be done carefully and with no mistakes.
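The two ideas discussed in this thread (a startup guard that refuses the dummy plugin outside an explicitly non-production environment unless the operator confirms, and a file-backed user/password/group store as the less-dummy alternative) sketched as an added example. This is not the project's code: the configuration names `APP_ENV`, `AUTH_PLUGIN`, `DUMMY_AUTH_ACK`, the opt-in phrase, the `name:groups:hash` file format and the function names are all assumptions made for this illustration, and the sample users file is constructed inline with fixed salts so the result is reproducible.

```python
import hashlib
import hmac
import logging
import secrets

log = logging.getLogger("auth")

# Hypothetical configuration names used by this example (not the project's).
PRODUCTION_ENVS = {"production", "prod"}
ACK_PHRASE = "I-UNDERSTAND-DUMMY-AUTH-IS-INSECURE"


def decide_dummy_auth(env):
    """Return 'disabled', 'enabled', or 'refused: <reason>'.

    env is a mapping such as os.environ. The dummy plugin is enabled only if
    AUTH_PLUGIN=dummy, APP_ENV names a non-production environment, and
    DUMMY_AUTH_ACK carries the opt-in phrase (the startup-confirmation idea).
    An unset APP_ENV is treated as production so the guard fails closed.
    """
    if env.get("AUTH_PLUGIN") != "dummy":
        return "disabled"
    app_env = env.get("APP_ENV", "").strip().lower()
    if not app_env or app_env in PRODUCTION_ENVS:
        return "refused: APP_ENV=%r does not allow the dummy auth plugin" % app_env
    if env.get("DUMMY_AUTH_ACK") != ACK_PHRASE:
        return "refused: set DUMMY_AUTH_ACK=%s to confirm" % ACK_PHRASE
    return "enabled"


def hash_password(password, salt=None, iterations=100_000):
    """PBKDF2-SHA256, stored as 'iterations$salt$hexdigest'."""
    salt = salt or secrets.token_hex(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), iterations)
    return "%d$%s$%s" % (iterations, salt, digest.hex())


def verify_password(password, stored):
    """Constant-time comparison against a hash_password() string."""
    iterations, salt, expected = stored.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), int(iterations))
    return hmac.compare_digest(digest.hex(), expected)


# Hash checked for unknown users so a lookup costs the same either way.
_UNKNOWN_USER_HASH = hash_password(secrets.token_hex(8))


class FileAuth:
    """Users read from 'name:group1,group2:hash' lines (format chosen here)."""

    def __init__(self, text):
        self.users = {}
        for line in text.splitlines():
            line = line.strip()
            if not line or line.startswith("#"):
                continue
            name, groups, stored = line.split(":", 2)
            self.users[name] = (groups.split(",") if groups else [], stored)

    def authenticate(self, name, password):
        """Return the user's group list on success, None otherwise."""
        entry = self.users.get(name)
        if entry is None:
            verify_password(password, _UNKNOWN_USER_HASH)
            return None
        groups, stored = entry
        return list(groups) if verify_password(password, stored) else None


def select_auth_plugin(env, users_text):
    """Startup hook: pick the plugin, refusing to start on a dummy misconfig."""
    decision = decide_dummy_auth(env)
    if decision.startswith("refused"):
        raise RuntimeError(decision)
    if decision == "enabled":
        # The warning idea from the thread: loud, but the process keeps running.
        log.warning("DUMMY AUTH ENABLED: any user can be impersonated (APP_ENV=%s)",
                    env.get("APP_ENV"))
        return "dummy"
    return FileAuth(users_text)


# Constructed sample users file with fixed salts so the output is reproducible.
SAMPLE_USERS = "\n".join([
    "# name:groups:hash",
    "alice:admin,staff:" + hash_password("correct horse", salt="0123abcd"),
    "bob::" + hash_password("hunter2", salt="feedface"),
])

if __name__ == "__main__":
    print(decide_dummy_auth({"AUTH_PLUGIN": "dummy", "APP_ENV": "production"}))
    auth = select_auth_plugin({"AUTH_PLUGIN": "file", "APP_ENV": "dev"}, SAMPLE_USERS)
    print(auth.authenticate("alice", "correct horse"))
```

The guard fails closed: an unset environment counts as production, and even in a dev environment the dummy plugin needs an explicit acknowledgement before it loads. The file-backed store gives the test setup real credentials to check, and it runs the password hash for unknown usernames too, so a failed login does not reveal whether the account exists.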
