[feature] Add authorization to all functions in ReportServer #8074

Closed
difince opened this issue Jul 27, 2022 · 8 comments

@difince
Member

difince commented Jul 27, 2022

Feature Area

There are two API-server endpoints that still lack authorization: ReportWorkflow and ReportScheduledWorkflow. This is a security issue. Each endpoint should validate that the user has permission to call it.

The persistent-agent service calls these endpoints. Once authorization is enabled, the persistent-agent needs to authorize itself by providing user information in the request headers.

This issue is a related/follow-up issue to PR #7819

/area backend

What feature would you like to see?

What is the use case or pain point?

Is there a workaround currently?

No. A security issue exists in the current implementation.


Love this idea? Give it a 👍.

@difince
Member Author

difince commented Jul 27, 2022

cc: @juliusvonkohout

@difince
Member Author

difince commented Jul 27, 2022

/assign @difince

@juliusvonkohout
Member

For the next KFP meeting ;-)

@zijianjoy
Collaborator

Hello @difince, the ReportWorkflow and ReportScheduledWorkflow are used by a single persistent-agent instance for monitoring the status of workflow. persistent-agent itself cannot and shouldn't authenticate as a user.
/assign @chensun

@difince
Member Author

difince commented Jul 29, 2022

Thank you @zijianjoy for your feedback. How are services supposed to authenticate themselves then? Any suggestion?
I guess this reflects on the implementation of #7819 as well?

@juliusvonkohout
Member

> Hello @difince, the ReportWorkflow and ReportScheduledWorkflow are used by a single persistent-agent instance for monitoring the status of workflow. persistent-agent itself cannot and shouldn't authenticate as a user. /assign @chensun

By default, every Kubeflow user can hijack them, since these endpoints are unauthenticated. So first they need ANY kind of authentication.

@juliusvonkohout
Member

> Thank you @zijianjoy for your feedback. How are services supposed to authenticate themselves then? Any suggestion? I guess this reflects on the implementation of #7819 as well?

@chensun (@zijianjoy's colleague at Google) already approved #7819, so I do not think that it is affected. Readartifact etc. is really called by users for a proper reason. ReportWorkflow might only be abused for no reason.

@difince
Member Author

difince commented Aug 17, 2023

Fixed by #9699
The persistence agent authenticates itself via a service account token; meanwhile, the pipeline API server has enabled authentication and authorization logic.

@difince difince closed this as completed Aug 17, 2023
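
The server-side check described in the closing comment, as an added example (not code from #9699 or from the Kubeflow Pipelines code base). It assumes the API server validates the agent's service account token through a Kubernetes TokenReview; the function names are hypothetical, and the audience, namespace and service account names are placeholders.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// reviewStatus: fields read from an authentication.k8s.io/v1 TokenReview response.
type reviewStatus struct {
	Status struct {
		Authenticated bool     `json:"authenticated"`
		Audiences     []string `json:"audiences"`
		User          struct {
			Username string `json:"username"`
		} `json:"user"`
	} `json:"status"`
}

// ReviewRequest builds the TokenReview body the server submits for the caller's bearer token.
func ReviewRequest(authzHeader, audience string) ([]byte, error) {
	token := strings.TrimPrefix(authzHeader, "Bearer ")
	if token == "" || token == authzHeader {
		return nil, errors.New("unauthenticated: missing bearer token")
	}
	spec := map[string]interface{}{"token": token, "audiences": []string{audience}}
	return json.Marshal(map[string]interface{}{
		"apiVersion": "authentication.k8s.io/v1", "kind": "TokenReview", "spec": spec})
}

// AuthorizeReport accepts only a valid token, issued for our audience, that belongs
// to the one service account allowed to call the Report* endpoints.
func AuthorizeReport(reviewed []byte, audience, allowedUser string) error {
	var r reviewStatus
	if err := json.Unmarshal(reviewed, &r); err != nil || !r.Status.Authenticated {
		return errors.New("unauthenticated: token rejected")
	}
	for _, a := range r.Status.Audiences {
		if a == audience && r.Status.User.Username == allowedUser {
			return nil
		}
	}
	return fmt.Errorf("permission denied: %q not allowed for audience %q", r.Status.User.Username, audience)
}

func main() {
	// Constructed response for a rejected token; all names are placeholders.
	fmt.Println(AuthorizeReport([]byte(`{"status":{"authenticated":false}}`), "example-audience", "system:serviceaccount:example-ns:agent-sa"))
}
```

An empty `status.audiences` list is rejected here, because it means the token was validated against the Kubernetes API server's own audience and not the one requested.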