| Re: [che-dev] Single user mode broken |
Note that reverting the plugins to listen on all interfaces means that crw would be vulnerable to the possible cross-namespace access.
On Monday, February 17, 2020, Mario Loriedo <mario.loriedo@xxxxxxxxx> wrote:
> I like 4) as a workaround if that's easy to implement. But I like 2) more because it seams right having the switch at the proxy level rather then at the plugins level. Plugins should be single/multi-user agnostic as much as possible.
>
> Anyway for 7.9, if 2) and 4) are not likely to be implemented for the release (tomorrow!) let's just go with 1) and release the fix as a patch so that CRW 2.1 gets it (and by the way 2.1 is not really affected by this regression since single user is not supported).
> On Mon, Feb 17, 2020 at 3:37 PM Serhii Leshchenko <sleshche@xxxxxxxxxx> wrote:
>>
>> 4. Make Che Server propagate the recommended network interface to listen by secure servers.
>> Then Che Machine exec and Theia would be able to it on startup, like
>> Terminal: command: ['/go/bin/che-machine-exec', '--static', '/cloud-shell', '--url', '${SECURE_NETWORK_INTERFACE}:4444']
>> Theia: - name: THEIA_HOST
>> value: ${SECURE_NETWORK_INTERFACE}
>> Not sure if I use right wording and if it's technically possible to implement but if yes - then it's easy seems easy to implement.
>> On Mon, Feb 17, 2020 at 4:23 PM Lukas Krejci <lkrejci@xxxxxxxxxx> wrote:
>>>
>>> Hi all,
>>>
>>> While implementing https://github.com/eclipse/che/issues/15651, i.e. securing Theia and che-machine-exec, I managed to completely break single user mode.
>>>
>>> The reason for that is that to properly secure these two plugins, it is necessary that they only listen only on localhost and the connection from outside is proxied by jwt proxy.
>>>
>>> This unfortunately breaks single user mode that doesn't make any provisions for servers that are inaccessible from outside.
>>>
>>> I personally completely forgot about single user mode, which is the default only in helm-based deployments. Unfortunately our testsuite didn't catch my omission either as it doesn't cover starting a workspace in single user mode.
>>>
>>> There is a couple of possible solutions to the problem.
>>>
>>> 1) Reverting https://github.com/eclipse/che-plugin-registry/pull/378 which would make che-machine-exec and che-theia listen on 0.0.0.0. This makes them vulnerable to cross-pod/namespace unauthenticated access though.
>>>
>>> 2) Implement and deploy a passthrough proxy that would play the role of jwt proxy in single user mode. This requires change in che-server and finding/implementing the passthrough proxy.
>>>
>>> 3) Somehow enable "switching" versions of the che-theia and che-machine-exec. This could be done for example by "forking" plugin registry and provide a "single user friendly" versions of the plugins in the fork. Users requiring single user mode could deploy this alternative version of plugin registry.
>>>
>>> Sorry for the complications and hope to find a quick and workable solution.
>>>
>>> Thanks,
>>>
>>> Lukas
>>> _______________________________________________
>>> che-dev mailing list
>>> che-dev@xxxxxxxxxxx
>>> To change your delivery options, retrieve your password, or unsubscribe from this list, visit
>>> https://www.eclipse.org/mailman/listinfo/che-dev
>>
>>
>> --
>>
>> Serhii Leshchenko
>>
>> SENIOR SOFTWARE ENGINEER
>>
>> Red Hat
>>
>> <https://ci3.googleusercontent.com/proxy/SRtxaj0z5-7S17wFKMuJKJbm6x1V1DxYyADAB9Xe-pgY9EgCnH3HJNDnKEM7H_Y8wTRAJ3J-As9u1h-rbKo6fgBQYGZZtqAtEF0=s0-d-e1-ft#https://www.redhat.com/files/brand/email/sig-redhat.png>
>> _______________________________________________
>> che-dev mailing list
>> che-dev@xxxxxxxxxxx
>> To change your delivery options, retrieve your password, or unsubscribe from this list, visit
>> https://www.eclipse.org/mailman/listinfo/che-dev
> _______________________________________________
che-dev mailing list
che-dev@xxxxxxxxxxx
To change your delivery options, retrieve your password, or unsubscribe from this list, visit
https://www.eclipse.org/mailman/listinfo/che-dev