
Cluster Api security #125

Merged
merged 3 commits into from
Oct 31, 2022

Conversation

muralibasani (Contributor) opened the pull request:
About this change - What it does

- Connects to Klaw ClusterApi with a JWT token.
- getServerConfig security issue fixed: normal users should not get any server configuration.
- Actuator endpoints to show fewer than wildcard.

Resolves:

Why this way: token-based authentication is better. getServerConfig restriction based on role.

@muralibasani muralibasani changed the title token based authentication for cluster api, restrict access to server… Cluster Api security Oct 20, 2022
pom.xml (review comment, outdated, resolved)

Excerpt from the diff under review:

```java
ServerConfigProperties props = new ServerConfigProperties();
props.setKey(key);
if (key.contains("password") || key.contains("license")) {
if (key.contains("password")
```


If I'm not mistaken String.contains is case sensitive. Depending on what is returned for "key", should that be considered here?

muralibasani (Contributor, Author) commented Oct 24, 2022:


@reethi-kotti-aiven Yes, but it may not be considered here. All the keys are already lower case now.

muralibasani (Contributor, Author) commented:

Btw, thank you for the review.
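The review thread above turns on two points: `String.contains` is case-sensitive, so a sensitive-key filter only works if the key has been normalised first, and server configuration should be returned only to a privileged role. The following class is an added example written for this page, not Klaw's own code; the marker list, the role name `SUPERADMIN`, the masking string and the sample properties are all assumptions made here to show the pattern.

```java
import java.util.Comparator;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Locale;
import java.util.Map;
import java.util.Set;
import java.util.stream.Collectors;

// Added illustration for the getServerConfig discussion; not code from the Klaw project.
public class ServerConfigFilter {

    // Substrings that mark a property as sensitive. The PR checks "password" and "license";
    // "secret" is added here as an assumed extra marker.
    private static final List<String> SENSITIVE_MARKERS = List.of("password", "license", "secret");

    // Roles allowed to see any server configuration at all (assumed role name).
    private static final Set<String> CONFIG_READERS = Set.of("SUPERADMIN");

    public record ConfigEntry(String key, String value) {}

    // String.contains is case-sensitive, so normalise the key before matching.
    // Lower-casing here means the check does not depend on the caller having done it.
    static boolean isSensitive(String key) {
        String normalised = key.toLowerCase(Locale.ROOT);
        return SENSITIVE_MARKERS.stream().anyMatch(normalised::contains);
    }

    // Role gate first: a normal user gets an empty view, not a filtered one.
    // Privileged callers still see sensitive values masked rather than in clear.
    static List<ConfigEntry> viewFor(String role, Map<String, String> props) {
        if (!CONFIG_READERS.contains(role)) {
            return List.of();
        }
        return props.entrySet().stream()
            .map(e -> new ConfigEntry(e.getKey(), isSensitive(e.getKey()) ? "*****" : e.getValue()))
            .sorted(Comparator.comparing(ConfigEntry::key))
            .collect(Collectors.toList());
    }

    public static void main(String[] args) {
        // Constructed sample properties; the mixed-case key is deliberate.
        Map<String, String> props = new LinkedHashMap<>();
        props.put("klaw.db.password", "hunter2");
        props.put("KLAW.LICENSE.KEY", "ABC-123");
        props.put("server.port", "9097");

        System.out.println("USER sees: " + viewFor("USER", props));
        System.out.println("SUPERADMIN sees: " + viewFor("SUPERADMIN", props));
    }
}
```

Running `main` prints an empty list for the `USER` role and, for `SUPERADMIN`, the port in clear with both the password and the mixed-case license key masked. Doing the `toLowerCase` inside `isSensitive` is the defensive choice: it keeps the filter correct even if a future code path passes keys that were not lower-cased upstream.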

@muralibasani muralibasani requested review from a team as code owners October 24, 2022 08:12
snuyanzin (Contributor) left a comment:

LGTM from my side
I left a minor comment

pom.xml (review comment, outdated, resolved)
reta commented Oct 24, 2022:

@muralibasani super curious, since you are using Spring Boot, why not to onboard Spring Security for JWT (https://docs.spring.io/spring-security/reference/servlet/oauth2/resource-server/jwt.html)?

muralibasani (Contributor, Author) commented:

> @muralibasani super curious, since you are using Spring Boot, why not to onboard Spring Security for JWT (https://docs.spring.io/spring-security/reference/servlet/oauth2/resource-server/jwt.html)?

@reta this introduces another component 'Authorization/Resource server' to issue tokens. In this PR, trying to keep it simple.
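The trade-off in the exchange above is between a full OAuth2 resource server and a token that the two Klaw services mint and verify themselves. The class below is an added example for this page, not Klaw's implementation: it shows what the "keep it simple" option looks like when done carefully, an HS256 JWT over a shared secret using only the JDK, with a pinned header, a constant-time signature comparison and an expiry check. The secret value, subject name, claim layout and timestamps are assumptions made for the illustration.

```java
import static java.nio.charset.StandardCharsets.UTF_8;

import java.security.MessageDigest;
import java.util.Base64;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

// Added illustration of a shared-secret service token; not code from the Klaw project.
public class ClusterApiJwt {

    private static final Base64.Encoder B64 = Base64.getUrlEncoder().withoutPadding();
    private static final Base64.Decoder B64D = Base64.getUrlDecoder();
    // The header is pinned: a token whose header differs (e.g. alg "none") is rejected outright.
    private static final String HEADER = "{\"alg\":\"HS256\",\"typ\":\"JWT\"}";

    private final byte[] secret;

    // The same secret must be configured on the issuing side and on the cluster API side.
    public ClusterApiJwt(String sharedSecret) {
        this.secret = sharedSecret.getBytes(UTF_8);
    }

    private byte[] hmac(String signingInput) throws Exception {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(secret, "HmacSHA256"));
        return mac.doFinal(signingInput.getBytes(UTF_8));
    }

    // Issues a short-lived token. Subject is assumed to contain no quotes or braces.
    public String issue(String subject, long nowEpochSec, long ttlSec) throws Exception {
        String payload = String.format("{\"sub\":\"%s\",\"iat\":%d,\"exp\":%d}",
                subject, nowEpochSec, nowEpochSec + ttlSec);
        String signingInput = B64.encodeToString(HEADER.getBytes(UTF_8)) + "."
                + B64.encodeToString(payload.getBytes(UTF_8));
        return signingInput + "." + B64.encodeToString(hmac(signingInput));
    }

    // Returns the subject of a valid token, or throws SecurityException.
    public String verify(String token, long nowEpochSec) throws Exception {
        String[] parts = token.split("\\.");
        if (parts.length != 3) throw new SecurityException("malformed token");
        if (!HEADER.equals(new String(B64D.decode(parts[0]), UTF_8))) {
            throw new SecurityException("unexpected header");
        }
        byte[] expected = hmac(parts[0] + "." + parts[1]);
        // MessageDigest.isEqual runs in constant time over the MAC bytes.
        if (!MessageDigest.isEqual(expected, B64D.decode(parts[2]))) {
            throw new SecurityException("bad signature");
        }
        String payload = new String(B64D.decode(parts[1]), UTF_8);
        long exp = Long.parseLong(claim(payload, "exp"));
        if (nowEpochSec >= exp) throw new SecurityException("token expired");
        return claim(payload, "sub").replace("\"", "");
    }

    // Minimal claim extraction for the flat JSON this class itself emits;
    // a real service would use a JSON parser here.
    private static String claim(String payload, String name) {
        String marker = "\"" + name + "\":";
        int i = payload.indexOf(marker);
        if (i < 0) throw new SecurityException("missing claim " + name);
        int start = i + marker.length();
        int end = payload.indexOf(',', start);
        if (end < 0) end = payload.indexOf('}', start);
        return payload.substring(start, end);
    }

    public static void main(String[] args) throws Exception {
        ClusterApiJwt jwt = new ClusterApiJwt("change-me-shared-secret"); // assumed secret
        long now = 1_666_000_000L;                                       // constructed clock
        String token = jwt.issue("klaw-core", now, 300);

        System.out.println("accepted, subject=" + jwt.verify(token, now + 10));
        try {
            jwt.verify(token, now + 301);
        } catch (SecurityException e) {
            System.out.println("rejected: " + e.getMessage());
        }
        String tampered = token.substring(0, token.lastIndexOf('.') + 1) + "AAAA";
        try {
            jwt.verify(tampered, now + 10);
        } catch (SecurityException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Running `main` accepts the fresh token, rejects it once the clock passes `exp`, and rejects a token whose signature was replaced. The cost of this design, which is what reta's question points at, is that both services hold the same secret and there is no central place to rotate or revoke it; an OAuth2 resource server moves that responsibility to a separate authorization server at the price of one more component to deploy.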

@muralibasani muralibasani merged commit 22b9783 into main Oct 31, 2022
@muralibasani muralibasani deleted the clusterapi-security branch October 31, 2022 10:30
4 participants