Impact
When lakeFS is configured with ALL of the following:
- Configuration option
auth.encrypt.secret_key
passed through environment variable
- Actions enabled via configuration option
actions.enabled
(default enabled)
then a user who can configure an action can impersonate any other user.
Patches
Has the problem been patched? What versions should users upgrade to?
Workarounds
ANY ONE of these is sufficient to prevent the issue:
-
Do not pass auth.encrypt.secret_key
through an environment variable.
For instance, Kubernetes users can generate the entire configuration as a secret and mount that. This is described here.
-
Disable actions.
-
Limit users allowed to configure actions.
References
Are there any links users can visit to find out more?
Impact
When lakeFS is configured with ALL of the following:
auth.encrypt.secret_key
passed through environment variableactions.enabled
(default enabled)then a user who can configure an action can impersonate any other user.
Patches
Has the problem been patched? What versions should users upgrade to?
Workarounds
ANY ONE of these is sufficient to prevent the issue:
Do not pass
auth.encrypt.secret_key
through an environment variable.For instance, Kubernetes users can generate the entire configuration as a secret and mount that. This is described here.
Disable actions.
Limit users allowed to configure actions.
References
Are there any links users can visit to find out more?