
Preauthenticated mode #7016

Open
DCTech2k opened this issue Feb 24, 2018 · 5 comments

@DCTech2k DCTech2k commented Feb 24, 2018

I just started playing with Metabase and love it!

I see that many users are asking for various authentication plugins/modules (ex: SAML, OpenID, etc.) so why not introduce a Preauthenticated Mode and simply handle the authentication at the reverse proxy (ex: Apache HTTPD) deployed in front of Metabase? This way Metabase will simply accept the username from the reverse proxy (see how Rundeck implemented it) which will handle the authentication. This could in turn add support for SAML (ex: mod_auth_mellon), OpenID (ex: mod_auth_openidc), Kerberos (ex: mod_auth_kerb) and any other authentication protocol outside of Metabase.

This way we can concentrate on building Metabase core features ;)

⬇️ Please click the 👍 reaction instead of leaving a +1 or 👍 comment

@salsakran salsakran added the Security label Feb 27, 2018
@salsakran salsakran commented Feb 27, 2018

I think this would be too dangerous for the nature of our application and userbase.

Given our usage footprint, and the relative sophistication of large portions of our install base, this is one configuration mistake away from a completely unsecured instance.

@DCTech2k DCTech2k commented Feb 27, 2018

Any authentication method which is misconfigured is a potential security hole. The issue is that it is not practical to implement the majority of these very popular authentication protocols (ex: SAML or Kerberos) directly in Metabase as a plugin/module, and even if it was possible it would be a nightmare to support. The best option in my mind is to uncouple authentication, especially when it comes to these Enterprise level authentication protocols, from the app. Look at the Rundeck implementation, which in my mind poses an even higher security risk if misconfigured as it is a SysOps tool, but it proves that it can be secure.

I'm sure Metabase would spread like a wildfire if these authentication protocols were available one way or another and when it is deployed in Ent. environment I'm sure IT would be involved to get the security & authentication configured correctly.

@ghost ghost commented Mar 15, 2018

This is not a bad idea. The SSO is offloaded to a reverse proxy and the Metabase server is configured to accept connections from a limited set of IPs.

@martin-loetzsch martin-loetzsch commented Oct 23, 2018

I'm also very much in favor of this. There are fantastic projects like https://github.com/bitly/oauth2_proxy (currently in search of a new home) and https://github.com/buzzfeed/sso that decouple authentication from backends and offer many auth providers. As @DCTech2k noticed, this way we can concentrate on building Metabase core features ;).

They would sit in front of Metabase and upon successful authentication append an X_FORWARDED_EMAIL HTTP header to the request. Yes, if you configure that wrongly then you are in trouble, but that's the case for all auth mechanisms. We are, btw, successfully running multiple Metabase instances behind the Bitly oauth proxy, mainly out of security concerns (we don't want to expose the Metabase login screen to the internet).

@salsakran Would you consider accepting a PR that implements such a header based authentication?
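The two sides of this thread (the identity header set by a proxy such as oauth2_proxy, and salsakran's point that one configuration mistake leaves the instance wide open) can be made concrete with a small model. The following is an added example, not Metabase code and not code from oauth2_proxy or buzzfeed/sso; the header name `X-Forwarded-Email`, the `trusted_proxies` parameter and the helper names are assumptions for illustration. It shows the check a pre-authenticated mode needs on the application side (only honour the identity header when the request actually arrived from an allowlisted proxy), the proxy-side discipline of stripping any client-supplied copy of the header before setting its own, and what happens when the allowlist is left as "anything", which is the failure mode the maintainers are worried about.

```python
"""Model of header-based pre-authentication behind a reverse proxy (added example)."""
import ipaddress
from typing import Iterable, Mapping, Optional

# Assumed header name for this example; oauth2_proxy and others use their own names.
IDENTITY_HEADER = "x-forwarded-email"


def resolve_preauth_user(remote_addr: str,
                         headers: Mapping[str, str],
                         trusted_proxies: Iterable[str]) -> Optional[str]:
    """Return the pre-authenticated user, or None if the request must go to the login flow.

    remote_addr     -- peer address of the TCP connection as seen by the application
    headers         -- request headers (any case)
    trusted_proxies -- CIDR networks from which the identity header may be trusted
    """
    networks = [ipaddress.ip_network(n, strict=False) for n in trusted_proxies]
    addr = ipaddress.ip_address(remote_addr)
    if not any(addr in net for net in networks):
        # The connection did not come through a trusted proxy: the header is
        # attacker-controlled input and must be ignored entirely.
        return None
    lowered = {k.lower(): v for k, v in headers.items()}
    user = lowered.get(IDENTITY_HEADER, "").strip().lower()
    # A proxy that authenticated nobody must not yield a usable identity either.
    if not user or "@" not in user:
        return None
    return user


def proxy_forward(client_headers: Mapping[str, str],
                  authenticated_user: str) -> dict:
    """Model of a well-behaved proxy: drop any client-supplied identity header,
    then set the header from the identity the proxy itself verified."""
    forwarded = {k: v for k, v in client_headers.items()
                 if k.lower() != IDENTITY_HEADER}
    forwarded["X-Forwarded-Email"] = authenticated_user
    return forwarded


def scenarios() -> dict:
    """Constructed requests covering the correct setup and the misconfiguration."""
    trusted = ["10.0.0.0/24"]          # the proxy's subnet
    anything = ["0.0.0.0/0"]           # the mistake: trust every peer
    forged = {"X-Forwarded-Email": "mallory@example.com"}  # constructed header

    # 1. Proxy authenticated alice, stripped mallory's forged header, forwarded from 10.0.0.5.
    via_proxy = proxy_forward(forged, "alice@example.com")
    ok = resolve_preauth_user("10.0.0.5", via_proxy, trusted)

    # 2. A client on the internet bypasses the proxy and sends the forged header directly.
    direct = resolve_preauth_user("203.0.113.7", forged, trusted)

    # 3. Same direct request, but the application was configured to trust any peer.
    misconfigured = resolve_preauth_user("203.0.113.7", forged, anything)

    # 4. Trusted proxy but no identity header (proxy let an unauthenticated request through).
    no_header = resolve_preauth_user("10.0.0.5", {"Host": "metabase.internal"}, trusted)

    return {"via_proxy": ok, "direct": direct,
            "misconfigured": misconfigured, "no_header": no_header}


if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name:14s} -> {result}")
```

Scenario 3 is the whole argument in one line: with the allowlist widened to every peer, a forged header becomes a valid login, which is why the IP restriction ghost mentions (or an equivalent network control such as binding the application to a loopback or private interface) is not optional in this design but the thing that makes it an authentication mechanism at all.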

@maudrid maudrid commented Jul 26, 2019

Yes please. All our other services use pre-authentication.
It's currently a reason why we are undecided on choosing Metabase.
