-
Notifications
You must be signed in to change notification settings - Fork 617
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Basic authentication on routes #166
Comments
Or how about fetching the basic auth credentials from Vault? Seems like a sensible place to put 'em. |
or authenticate against vault auth directly. Then you can get LDAP or user/pass/etc auth "for free" as it were, without having to bring in all the LDAP libs directly into fabio. Bonus would be getting assigned vault policies to decide if they have access or not. |
@csawyerYumaed That sounds like an interesting idea. |
+1 for some sort of auth on routes, i really like the vault integration idea! |
So out of curiosity how do you see this working? vault that would take a method and raw kv arguments...
http basic auth...
http digest auth...
digest and basic...
Seem reasonable? Just trying to think how this could be implemented. Would it try the definitions in order with fall-through? First match wins? |
The reason I'm asking ... I could see this being an expansion to the ACL support that was recently added. |
@leprechau Yeah i think something along the lines of:
Thinking the Vault token should probably be stored in the Fabio config instead of the route tags. Also probably makes sense for basic auth to store the local path of the htpasswd file in the Fabio config? Just brainstorming here. |
I was thinking that Maybe it could be: Example for github to keep config short: That would make the order of the options relevant but I think that would be okay as you would always need a method and path. The prefix |
I'm not sure I like the fact that the password is stored in clear in the route tags. This is stored in consul and can be accessed via the api. Storing secrets feels like abusing the tags a bit too much. Also, this has to be deployed which means it has to be in some config file. Secrets management is hard. That's why Vault exists. I'm not saying that we shouldn't offer basic auth but keeping the passwords out of the route tags would be helpful IMO. |
I agree with @magiconair Sort of what i envisioned was the following (taking after the existing Config - /etc/fabio/fabio.conf
Service Definition - /etc/consul/myapp.json
I haven't decided yet if the auth reference should be on the route tag, or in the config file. My only concern with having it on the route tag is: what if multiple instances of a service have conflicting auth references? |
@nmaludy Then your deployment is broken just as if you'd have different services announcing the same route. I don't think there is much you can do about this. I might see a legit use case in migrating between auth sources as long as the underlying databases are in sync. |
@magiconair That's a very good point! Like you said the application deployment should be consistent via a Config Management tool or identical settings in your docker image(s). Also, your point about migrating to a different auth source is an interesting use case. |
I agree secrets are hard, but I can’t think of a great way to offer basic auth without vault. You could reference an htpasswd file stored in consul? That’s better than password in the route. |
I also think it would be nice to add auth without needing to restart fabio. If you only define the auth sources in the config you can’t dynamically add auth to a route without restarting fabio. Allowing a |
I'm ok with what @leprechau is saying:
But it would be super awesome if we could also say this vaultRole(which is returned as part of the token JSON after auth) can access or not.
So in this example you must have either roleName1 or roleName2 (as defined in vault) AND properly authenticate to get passed on. |
Basic support for a consul stored htpasswd/htdigest file would be very nice and a good simplification before LDAP/Vault support. |
#573 implements some form of authentication so lets close this and have requests for other auth mechanisms in separate issues. |
Hello |
In Operations we often have to deal with Basic auth protected sites. The fabio-ui (#25) itself or announced routes for Nomad, Consul UI etc should be protected. The way we have to deal with that right now is setting up separate clusters consisting of:
It would be (more than) nice to be able to announce in the route itself that the resource should be protected with auth-type=ldap to perform Basic Auth. This saves us from a lot of configuration headaches and wasting resources on separating fabio instances and proxies and creating more VIPs to point to the correct clusters.
The text was updated successfully, but these errors were encountered: