
[BUG] Security config handling means either API/Dashboard-created Users are deleted or you're stuck with default admin credentials #839

Open
dmantas opened this issue Jun 7, 2024 · 2 comments
Labels
enhancement New feature or request

Comments


dmantas commented Jun 7, 2024

What is the bug?

The way security config is implemented leads to an undesired dilemma in case you want to manage users on the OS platform via OS Dashboards or the API.

The fact that both internal users and security config are in the same secret means that the management of both is interconnected.

The implementation of this PR improved things, but did not solve the issue.

How can one reproduce the bug?

You basically have 2 options:

  1. In the security config's internal_users.yml you define the admin user with a custom password, plus your security config under config.yml. You then create other users in OS using e.g. OS Dashboards or the OS API. If you need to make a change in config.yml, the Operator will detect this and run the security admin job, which will also overwrite your users, because the internal_users.yml file is present in the security config.
  2. In the security config you only define config.yml. This means that the admin user will have the default (admin) password. You then create other users using Dashboards or the API. If you need to make a change in config.yml then, because internal_users.yml is not defined in the security config, the users you have created will remain in place. But this means that you're stuck with default admin credentials forever, which is a security issue.

What is the expected behavior?

I see there are two options:

  1. Separate config.yml from the users/roles/etc. configuration. Changes in config.yml should only trigger this part of the config to be changed and not touch users/roles/etc.
  2. Create a more complex default password for the admin user, like requested here. You're again stuck with it (i.e. if you try to change this you will overwrite your users), but at least it will not be admin/admin.

Thank you in advance.

@dmantas dmantas added bug Something isn't working untriaged Issues that have not yet been triaged labels Jun 7, 2024
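A pre-flight check for the dilemma described in the issue, written as an added example (not code from the issue or from the operator): given the decoded `.data` of the operator's securityconfig Secret and the list of users currently in the cluster, it reports whether a config.yml change will leave the admin user at the default password (no `internal_users.yml` in the Secret) or will make the securityadmin run overwrite users that are not declared in `internal_users.yml`. The Secret contents, the bcrypt placeholders and the cluster user list are constructed sample data, and the YAML handling is a minimal line-based parse of the security plugin's file layout, not a general YAML parser.

```python
import base64
import re

# Constructed sample of the securityconfig Secret's `.data` (same shape as
# `kubectl get secret <name> -o json`), values base64-encoded as in Kubernetes.
SECRET_DATA = {
    "config.yml": base64.b64encode(
        b"_meta:\n  type: config\n  config_version: 2\nconfig:\n  dynamic: {}\n"
    ).decode(),
    "internal_users.yml": base64.b64encode(
        b"_meta:\n  type: internalusers\n  config_version: 2\n"
        b"admin:\n  hash: \"$2y$12$PLACEHOLDER_BCRYPT_HASH\"\n  reserved: true\n"
        b"kibanaserver:\n  hash: \"$2y$12$PLACEHOLDER_BCRYPT_HASH\"\n  reserved: true\n"
    ).decode(),
}

# Constructed sample of the users currently present in the cluster, e.g. the
# keys of GET _plugins/_security/api/internalusers. alice and bob were created
# through Dashboards/API and are not in the Secret.
CLUSTER_USERS = ["admin", "kibanaserver", "alice", "bob"]

# A user entry starts with an unindented key and no value ("admin:").
TOP_LEVEL_KEY = re.compile(r"^([A-Za-z0-9_.@-]+):\s*$")


def declared_users(internal_users_yml: str) -> set:
    """User names declared at the top level of internal_users.yml.
    Minimal parse: unindented keys, skipping the `_meta` header block."""
    users = set()
    for line in internal_users_yml.splitlines():
        m = TOP_LEVEL_KEY.match(line)
        if m and m.group(1) != "_meta":
            users.add(m.group(1))
    return users


def assess(secret_data: dict, cluster_users: list) -> dict:
    """Describe what the securityadmin run triggered by a config.yml change does."""
    if "internal_users.yml" not in secret_data:
        # Users survive the run, but admin keeps the default password.
        return {"state": "default-admin-credentials", "users_lost": []}
    text = base64.b64decode(secret_data["internal_users.yml"]).decode()
    # securityadmin replaces the internalusers document wholesale, so every
    # cluster user not declared in the Secret is removed by the run.
    lost = sorted(set(cluster_users) - declared_users(text))
    return {"state": "securityadmin-overwrites-users", "users_lost": lost}


if __name__ == "__main__":
    print(assess(SECRET_DATA, CLUSTER_USERS))
```

Run it against the real Secret and user list before editing config.yml; a non-empty `users_lost` means those accounts must be re-created (or moved into `internal_users.yml`) after the operator's securityadmin job.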
prudhvigodithi (Member) commented:

[Triage]
Adding @saketmht and @swoehrl-mw to please help @dmantas here.
Thank you
@salyh @pchmielnik @jochenkressin

@prudhvigodithi prudhvigodithi removed the untriaged Issues that have not yet been triaged label Jun 24, 2024
swoehrl-mw (Collaborator) commented:

Hi @dmantas. This is currently a limitation of the operator that is discussed in several issues: #571, #254, #221.
Right now you can only use either securityconfig or CRDs for user management.

@swoehrl-mw swoehrl-mw added enhancement New feature or request and removed bug Something isn't working labels Jul 2, 2024
@getsaurabh02 getsaurabh02 moved this from 🆕 New to Backlog in Engineering Effectiveness Board Jul 18, 2024
Development

No branches or pull requests

3 participants