Potential Information Leakage #2282

nevercodecorrect opened this issue Feb 29, 2024 · 1 comment

Comments

@nevercodecorrect

Context

In code, the username and password are directly printed. It is a potential information leakage issue as described in CWE-532.

Value and/or benefit

Removing the password could reduce the attack surface.

Anything else?

No response

@nevercodecorrect nevercodecorrect added the needs: triage 🚦 Someone needs to have a look at this issue and triage label Feb 29, 2024
@viniciusdc (Contributor)

viniciusdc commented Mar 1, 2024

Hi @nevercodecorrect, this information comes from the basic default values of Keycloak's root settings during initial setup as a temporary password -- which is later passed into the schema here:

```python
import json
from typing import Any, Dict

# Method of the stage class; the imports above are the ones the snippet relies on.
def input_vars(self, stage_outputs: Dict[str, Dict[str, Any]]):
    return InputVars(
        name=self.config.project_name,
        environment=self.config.namespace,
        endpoint=stage_outputs["stages/04-kubernetes-ingress"]["domain"],
        initial_root_password=self.config.security.keycloak.initial_root_password,
        overrides=[json.dumps(self.config.security.keycloak.overrides)],
        node_group=stage_outputs["stages/02-infrastructure"]["node_selectors"][
            "general"
        ],
    ).dict()
```

This admin credential is generated for the first interaction with the master realm on Keycloak for admin usage. It is outlined in our docs that you should change this password after the first deployment (here).

That said, I agree that exposing Keycloak's root password is a potential risk, even though it's temporary. We could initialize those values into a separate text file in the user host environment or set relatable env vars that contain the expected values, such as NEBARI_KEYCLOAK_INITIAL_ROOT_PASSWORD.
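An added example, not the project's own code, of the mitigation the comment proposes: the initial root password is taken from NEBARI_KEYCLOAK_INITIAL_ROOT_PASSWORD when set (otherwise generated), wrapped so that repr()/str()/f-strings cannot print it by accident, and masked in any log line it slips into. The Secret class, load_initial_root_password, scrub, the flat config dict and the sample inputs are all assumptions made for the illustration.

```python
import os
import secrets
from typing import Any, Dict, Mapping, Optional

REDACTED = "***REDACTED***"
# Env var name proposed in the comment above; the rest of this file is assumed.
ENV_VAR = "NEBARI_KEYCLOAK_INITIAL_ROOT_PASSWORD"


class Secret:
    """Wraps a credential so repr()/str()/f-strings cannot leak it (CWE-532)."""
    __slots__ = ("_value",)

    def __init__(self, value: str) -> None:
        self._value = value

    def reveal(self) -> str:
        """The only way to get the plaintext back; call it deliberately."""
        return self._value

    def __repr__(self) -> str:
        return f"Secret({REDACTED})"

    __str__ = __repr__


def load_initial_root_password(env: Optional[Mapping[str, str]] = None) -> Secret:
    """Prefer the operator-supplied env var, else generate a random temporary value."""
    env = os.environ if env is None else env
    return Secret(env.get(ENV_VAR) or secrets.token_urlsafe(24))


def input_vars(config: Dict[str, Any], stage_outputs: Dict[str, Dict[str, Any]],
               reveal: bool = False) -> Dict[str, Any]:
    """Same shape as the InputVars in the comment; plaintext only on explicit request."""
    pw: Secret = config["initial_root_password"]
    return {
        "name": config["project_name"],
        "environment": config["namespace"],
        "endpoint": stage_outputs["stages/04-kubernetes-ingress"]["domain"],
        "initial_root_password": pw.reveal() if reveal else str(pw),
    }


def scrub(line: str, secret: Secret) -> str:
    """Last line of defence for log output: mask the credential if it slipped in."""
    value = secret.reveal()
    return line.replace(value, REDACTED) if value else line


# Constructed sample input, not real deployment data.
SAMPLE_CONFIG = {"project_name": "demo", "namespace": "dev",
                 "initial_root_password": Secret("hunter2")}
SAMPLE_STAGE_OUTPUTS = {"stages/04-kubernetes-ingress": {"domain": "demo.example.test"}}
```

Anything that serialises the stage inputs (debug prints, tracebacks, Terraform variable dumps) now shows Secret(***REDACTED***) unless the caller asks for reveal=True, which is the point at which to apply access control.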

@marcelovilla marcelovilla added area: security 🔐 area: integration/keycloak and removed needs: triage 🚦 Someone needs to have a look at this issue and triage labels May 2, 2024