Research: always-on/generated token for UI and API #349
Comments
|
Ideas? @chanezon @chanwit @Lewiscowles1986 + Joe Beda. This would be at the API gateway level - so agnostic to the scheduler so it can work with Swarm, K8s and other back-ends. We could have a user create a secret or token (using the orchestrator) ahead of time then fetch that back before accessing the cluster. |
|
I can generate a secure'ish random string and sed it in as part of setup. I can also generate two for basic-auth and feel I have a good handle on wrangling basic-auth into the gateway services with a middleware. For the record I don't like the idea. What happens if someone insists they need kerberos next, or doesn't like having a single set of auth credentials? Perhaps we could instead add to tutorials a kong setup. I've never used Kong and would enjoy the opportunity to play, get feedback which feeds value in both directions. That way it's not part of FaaS, but is part of stock scripts. Btw I'm equally as happy for someone else to handle |
|
It needs to be a one click deployment. We like Kong but it needs a multi stage manual setup. Suggestions welcome |
|
Derek close: fixed with basic auth in GW |
It's very hard to automate security out of the box for an API/UI because this generally involves:
We should force always-on/generated auth for the UI and API via basic auth or a token, so that if someone does deploy in production (without reading the best practice guide) they are not wide open to vulnerabilities.
The text was updated successfully, but these errors were encountered: