
Re: [che-dev] Single user mode broken

Well, the only secure interface/IP address is 127.0.0.1, so not sure what value SECURE_NETWORK_INTERFACE would bring.

What we're trying to achieve IMHO is to be secure by default on multiuser and have a workaround/workable solution for singleuser. I favor option 2, because that enables a single approach that will work on both deployment scenarios, but that requires a good amount of work unfortunately. Option 3 is a workaround to make the current codebase work in an insecure manner (which is not a problem on single user).

On Monday, February 17, 2020, Serhii Leshchenko <sleshche@xxxxxxxxxx> wrote:
> 4. Make Che Server propagate the recommended network interface to listen by secure servers.
> Then Che Machine exec and Theia would be able to it on startup, like
> Terminal: command: ['/go/bin/che-machine-exec', '--static', '/cloud-shell', '--url', '${SECURE_NETWORK_INTERFACE}:4444']
> Theia: - name: THEIA_HOST
>              value: ${SECURE_NETWORK_INTERFACE}
> Not sure if I use the right wording and if it's technically possible to implement, but if yes, then it seems easy to implement.
> On Mon, Feb 17, 2020 at 4:23 PM Lukas Krejci <lkrejci@xxxxxxxxxx> wrote:
>>
>> Hi all,
>>
>> While implementing https://github.com/eclipse/che/issues/15651, i.e. securing Theia and che-machine-exec, I managed to completely break single user mode.
>>
>> The reason for that is that to properly secure these two plugins, it is necessary that they listen only on localhost and the connection from outside is proxied by jwt proxy.
>>
>> This unfortunately breaks single user mode that doesn't make any provisions for servers that are inaccessible from outside.
>>
>> I personally completely forgot about single user mode, which is the default only in helm-based deployments. Unfortunately our testsuite didn't catch my omission either as it doesn't cover starting a workspace in single user mode.
>>
>> There are a couple of possible solutions to the problem.
>>
>> 1) Reverting https://github.com/eclipse/che-plugin-registry/pull/378 which would make che-machine-exec and che-theia listen on 0.0.0.0. This makes them vulnerable to cross-pod/namespace unauthenticated access though.
>>
>> 2) Implement and deploy a passthrough proxy that would play the role of jwt proxy in single user mode. This requires change in che-server and finding/implementing the passthrough proxy.
>>
>> 3) Somehow enable "switching" versions of the che-theia and che-machine-exec. This could be done for example by "forking" plugin registry and providing "single user friendly" versions of the plugins in the fork. Users requiring single user mode could deploy this alternative version of plugin registry.
>>
>> Sorry for the complications and hope to find a quick and workable solution.
>>
>> Thanks,
>>
>> Lukas
>> _______________________________________________
>> che-dev mailing list
>> che-dev@xxxxxxxxxxx
>> To change your delivery options, retrieve your password, or unsubscribe from this list, visit
>> https://www.eclipse.org/mailman/listinfo/che-dev
>
>
> --
>
> Serhii Leshchenko
>
> SENIOR SOFTWARE ENGINEER
>
> Red Hat 
>
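The pattern the thread argues over (a plugin server bound to 127.0.0.1 only, with a JWT-checking reverse proxy as the sole listener reachable from other pods) is shown below as an added example. It is not code from Che, che-machine-exec or jwt-proxy; it is a constructed stand-in written for this page. Assumptions: a shared HS256 key (a real deployment would use the keys che-server issues), the loopback port 4444 mentioned in the thread, an arbitrary public port 4400, and a deliberately minimal token check (signature, `alg`, `exp`) that omits issuer/audience validation.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"log"
	"net"
	"net/http"
	"net/http/httputil"
	"net/url"
	"strings"
	"time"
)

// Claims is the minimal JWT payload the proxy inspects: subject and expiry.
type Claims struct {
	Sub string `json:"sub"`
	Exp int64  `json:"exp"`
}

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// SignHS256 builds a compact HS256 JWT. Used here only to mint demo tokens;
// in Che the token would come from che-server / the identity provider.
func SignHS256(c Claims, key []byte) string {
	header := b64([]byte(`{"alg":"HS256","typ":"JWT"}`))
	payload, _ := json.Marshal(c)
	signingInput := header + "." + b64(payload)
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(signingInput))
	return signingInput + "." + b64(mac.Sum(nil))
}

// VerifyHS256 checks structure, alg, HMAC signature and expiry of a compact JWT.
// Any alg other than HS256 is rejected so an attacker cannot downgrade to "none".
func VerifyHS256(token string, key []byte, now time.Time) (*Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	hdrJSON, err := base64.RawURLEncoding.DecodeString(parts[0])
	if err != nil {
		return nil, err
	}
	var hdr struct {
		Alg string `json:"alg"`
	}
	if err := json.Unmarshal(hdrJSON, &hdr); err != nil || hdr.Alg != "HS256" {
		return nil, errors.New("unsupported alg")
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil {
		return nil, err
	}
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(parts[0] + "." + parts[1]))
	if !hmac.Equal(sig, mac.Sum(nil)) { // constant-time compare
		return nil, errors.New("bad signature")
	}
	payload, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return nil, err
	}
	var c Claims
	if err := json.Unmarshal(payload, &c); err != nil {
		return nil, err
	}
	if c.Exp == 0 || now.Unix() >= c.Exp {
		return nil, errors.New("token expired")
	}
	return &c, nil
}

// NewJWTProxy admits only requests with a valid bearer token and forwards them
// to the loopback-only backend. This is the only listener bound to 0.0.0.0.
func NewJWTProxy(backend *url.URL, key []byte) http.Handler {
	rp := httputil.NewSingleHostReverseProxy(backend)
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		auth := r.Header.Get("Authorization")
		if !strings.HasPrefix(auth, "Bearer ") {
			http.Error(w, "missing bearer token", http.StatusUnauthorized)
			return
		}
		if _, err := VerifyHS256(strings.TrimPrefix(auth, "Bearer "), key, time.Now()); err != nil {
			http.Error(w, "forbidden: "+err.Error(), http.StatusForbidden)
			return
		}
		r.Header.Del("Authorization") // the backend trusts the proxy, never the token
		rp.ServeHTTP(w, r)
	})
}

// Backend stands in for che-machine-exec / Theia; it must only ever bind to 127.0.0.1.
func Backend() http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprintf(w, "backend reached from %s\n", r.RemoteAddr)
	})
}

func main() {
	key := []byte("constructed-demo-secret")      // assumption: shared HS256 key
	ln, err := net.Listen("tcp", "127.0.0.1:4444") // loopback only, as in the thread
	if err != nil {
		log.Fatal(err)
	}
	go http.Serve(ln, Backend())
	backendURL, _ := url.Parse("http://" + ln.Addr().String())
	log.Println("sample token:", SignHS256(Claims{Sub: "user", Exp: time.Now().Add(time.Hour).Unix()}, key))
	log.Fatal(http.ListenAndServe("0.0.0.0:4400", NewJWTProxy(backendURL, key))) // the sole public port
}
```

Run it and compare `curl 127.0.0.1:4444/` (succeeds from the same pod only) with `curl -H "Authorization: Bearer $TOKEN" 127.0.0.1:4400/` (succeeds from anywhere, but only with a valid token). Option 1 in the thread corresponds to binding `Backend()` on 0.0.0.0 directly, which skips the proxy and every check in `NewJWTProxy`; option 2 corresponds to swapping `VerifyHS256` for a no-op while keeping the 127.0.0.1 bind, which is what a passthrough proxy for single user mode would amount to.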
