Rip out basic auth #1621
sgtm. It would be useful if we can point to an example setup for nginx
proxy.
On Fri, Mar 17, 2017 at 2:38 PM, Tim St. Clair ***@***.***> wrote:
cAdvisor's authentication is not implemented correctly, and in its current
state is worse than no auth (can give a false sense of security). The
obvious problem is that only some of the endpoints are actually
authenticated, but the same information can be accessed from an
unauthenticated endpoint. There are also issues with error handling, and
possible non-enforcement issues (#1554).
I think we should just remove auth entirely for now. Users who require
auth can set it up using an nginx proxy.
/cc @vishh <https://github.com/vishh> @dashpole
<https://github.com/dashpole>
Is this still current and correct information? If so, this part should probably also be removed from the docs? https://github.com/google/cadvisor/blob/master/docs/web.md#web-ui-authentication
cAdvisor's authentication is not implemented correctly, and in its current state is worse than no auth (can give a false sense of security). The obvious problem is that only some of the endpoints are actually authenticated, but the same information can be accessed from an unauthenticated endpoint. There are also issues with error handling, and possible non-enforcement issues (#1554).
I think we should just remove auth entirely for now. Users who require auth can set it up using an nginx proxy.
/cc @vishh @dashpole
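
An example of the nginx proxy setup suggested in this thread, added here and not taken from the cAdvisor project or its docs. It places basic auth at server scope so that every path is covered, which is the gap the issue describes; the hostname, certificate and htpasswd paths, and the loopback bind are assumptions, and the `server` blocks belong inside nginx's `http` context.

```nginx
# Added example; hostname, file paths and ports are placeholders.
# Assumption: cAdvisor listens on loopback only, for example
#   cadvisor --listen_ip=127.0.0.1 --port=8080
# (or, in Docker, a port published as 127.0.0.1:8080:8080),
# so the proxy is the only network path to it.

server {
    listen 443 ssl;
    server_name cadvisor.example.internal;

    ssl_certificate     /etc/nginx/tls/cadvisor.crt;
    ssl_certificate_key /etc/nginx/tls/cadvisor.key;

    # Declared once at server scope: every location inherits it,
    # so no endpoint can be reached without credentials.
    auth_basic           "cAdvisor";
    auth_basic_user_file /etc/nginx/cadvisor.htpasswd;  # created with htpasswd

    location / {
        proxy_pass http://127.0.0.1:8080;
        proxy_set_header Host $host;
        # Credentials are checked here; do not pass them to the backend.
        proxy_set_header Authorization "";
    }
}

# Basic auth credentials are only base64-encoded, so plain HTTP
# is redirected to TLS instead of being served.
server {
    listen 80;
    server_name cadvisor.example.internal;
    return 301 https://$host$request_uri;
}
```

A request without credentials to any path on the proxy should return 401; a 200 on any path means that path is not covered.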