
Research: implement authentication recommendations #793

Open
alexellis opened this issue Jul 29, 2018 · 3 comments

Comments

@alexellis (Member) commented Jul 29, 2018

The IETF provides some guidance on implementing OAuth 2.0. Whilst basic auth (used for the gateway administrative endpoints) is less sophisticated than OAuth 2.0, there are some improvements we could make to the current model.

Brute-force mitigation

The implementation of basic-auth authentication for the Gateway can be enhanced to mitigate brute-force / dictionary attacks by locking out the given user after too many incorrect login attempts.

https://tools.ietf.org/html/rfc6819#section-5.1.4.2.3

Perhaps this could be done by reading Prometheus metrics - i.e. failed attempts over last 30 seconds and then create a configmap or allow the gateway to self-lock. This may even automatically expire.

Clear-text storage of passwords

Kubernetes (and possibly Swarm) appears to store credentials in plain-text, or makes them available in plain-text at runtime.

It's recommended to hash these.

https://tools.ietf.org/html/rfc6819#section-5.1.4.1.3

Policy for passwords

The authorization server may decide to enforce a complex user password policy in order to increase the user passwords' entropy to hinder online password attacks.

This seems like something we should absolutely do to protect the people that set admin/admin for their credentials and then expose the gateway endpoint on the public Internet. Since the credentials are created out of band, the gateway could refuse to start if the credentials are weak in length/complexity.

https://tools.ietf.org/html/rfc6819#section-5.1.4.2.1

Other areas

There are several other recommendations which we could implement with little effort.

Multi-user / auditing

If we enable multi-users for basic auth then we can also use that username in logging/auditing.

Start here

Help wanted in starting to suggest and implement improvements. The basic auth package is within the faas repo. https://github.com/openfaas/faas/blob/master/gateway/handlers/basic_auth.go https://github.com/openfaas/faas/blob/master/gateway/handlers/basic_auth_test.go
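The lockout proposed in the brute-force section, as an added example that is not code from the issue or from the openfaas/faas gateway: a per-user failure counter with auto-expiring locks, wrapped around a basic-auth handler that also logs the username on every decision, which is the auditing hook the multi-user section asks for. The names Lockout, BasicAuthHandler and StaticVerifier, the window and threshold values, and the choice to key the lock on the supplied username in memory (rather than reading Prometheus metrics or writing a ConfigMap, the alternatives the comment sketches) are all assumptions of this example.

```go
package main

import (
	"crypto/subtle"
	"log"
	"net/http"
	"sync"
	"time"
)

// Lockout counts failed logins per user inside a fixed window and locks the user
// out for lockFor once maxFailures is reached; locks expire without operator action.
type Lockout struct {
	mu          sync.Mutex
	maxFailures int
	window      time.Duration
	lockFor     time.Duration
	now         func() time.Time // injectable clock so tests can advance time
	state       map[string]*attemptState
}

type attemptState struct {
	count       int       // failures seen since windowStart
	windowStart time.Time // start of the current counting window
	lockedUntil time.Time // zero value when not locked
}

func NewLockout(maxFailures int, window, lockFor time.Duration) *Lockout {
	return &Lockout{maxFailures: maxFailures, window: window, lockFor: lockFor,
		now: time.Now, state: map[string]*attemptState{}}
}

// IsLocked reports whether user is currently locked out.
func (l *Lockout) IsLocked(user string) bool {
	l.mu.Lock()
	defer l.mu.Unlock()
	s, ok := l.state[user]
	return ok && l.now().Before(s.lockedUntil)
}

// RecordFailure notes one failed attempt and reports whether it tripped the lock.
func (l *Lockout) RecordFailure(user string) bool {
	l.mu.Lock()
	defer l.mu.Unlock()
	now := l.now()
	s := l.state[user]
	if s == nil {
		s = &attemptState{}
		l.state[user] = s
	}
	if s.count == 0 || now.Sub(s.windowStart) >= l.window {
		s.count, s.windowStart = 0, now // window has lapsed: count afresh
	}
	s.count++
	if s.count >= l.maxFailures {
		s.lockedUntil = now.Add(l.lockFor)
		s.count = 0
		return true
	}
	return false
}

// RecordSuccess clears the failure history after a valid login.
func (l *Lockout) RecordSuccess(user string) {
	l.mu.Lock()
	defer l.mu.Unlock()
	delete(l.state, user)
}

// StaticVerifier checks one configured user/password pair in constant time.
func StaticVerifier(user, password string) func(string, string) bool {
	return func(u, p string) bool {
		userOK := subtle.ConstantTimeCompare([]byte(u), []byte(user)) == 1
		passOK := subtle.ConstantTimeCompare([]byte(p), []byte(password)) == 1
		return userOK && passOK
	}
}

// BasicAuthHandler gates next behind basic auth, refuses locked-out users before
// the password is checked, and logs the username for auditing on every outcome.
func BasicAuthHandler(verify func(user, password string) bool, lock *Lockout, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		user, pass, ok := r.BasicAuth()
		if ok && lock.IsLocked(user) {
			log.Printf("auth: user=%q locked out remote=%s", user, r.RemoteAddr)
			http.Error(w, "too many failed attempts", http.StatusTooManyRequests)
			return
		}
		if !ok || !verify(user, pass) {
			tripped := ok && lock.RecordFailure(user)
			log.Printf("auth: failed login user=%q remote=%s locked=%v", user, r.RemoteAddr, tripped)
			w.Header().Set("WWW-Authenticate", `Basic realm="gateway"`)
			http.Error(w, "invalid credentials", http.StatusUnauthorized)
			return
		}
		lock.RecordSuccess(user)
		log.Printf("auth: user=%q %s %s remote=%s", user, r.Method, r.URL.Path, r.RemoteAddr)
		next.ServeHTTP(w, r)
	})
}
```

A per-username lock is a trade-off: anyone who can reach the endpoint and knows the admin username can force a short outage for that user, so keep lockFor short and automatic (as the comment anticipates), log the source address so the pattern is visible, and bound the state map (evict expired entries, or count per source address as well) before relying on this on an Internet-facing gateway.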
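The start-up check from the password policy section, as an added example rather than project code: CheckPasswordPolicy rejects a credential that is short, drawn from fewer than three character classes, or built on a well-known default such as "admin", and ValidateStartupCredentials wraps it into the error a gateway main would use to refuse to start. The function names, the 12-character minimum, the three-class rule and the word list are assumptions for this example.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
	"unicode"
)

// CheckPasswordPolicy returns nil only for a credential that is at least 12
// characters long, mixes three of four character classes, and does not contain
// a well-known default word. Thresholds and word list are example assumptions.
func CheckPasswordPolicy(password string) error {
	if len(password) < 12 {
		return errors.New("password must be at least 12 characters")
	}
	symbol := func(r rune) bool { return unicode.IsPunct(r) || unicode.IsSymbol(r) }
	classes := 0
	for _, class := range []func(rune) bool{unicode.IsUpper, unicode.IsLower, unicode.IsDigit, symbol} {
		if strings.IndexFunc(password, class) >= 0 {
			classes++
		}
	}
	if classes < 3 {
		return errors.New("password must mix at least three of: upper, lower, digit, symbol")
	}
	lower := strings.ToLower(password)
	for _, weak := range []string{"admin", "password"} { // constructed blocklist
		if strings.Contains(lower, weak) {
			return fmt.Errorf("password contains the well-known word %q", weak)
		}
	}
	return nil
}

// ValidateStartupCredentials is what a gateway would call before it starts
// listening: a non-nil error means the process should exit instead of serving.
func ValidateStartupCredentials(user, password string) error {
	if err := CheckPasswordPolicy(password); err != nil {
		return fmt.Errorf("refusing to start: weak credential for user %q: %w", user, err)
	}
	return nil
}
```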

@stefanprodan (Contributor):

One option would be to use https://github.com/bitly/oauth2_proxy with Nginx or Envoy in front of the Gateway

@stefanprodan (Contributor):

Another option would be to use the basic-auth secret and store key-value pairs in there with user:password. An admin could add, remove and change users/passwords with kubectl.
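Combining this suggestion with the hashing recommendation in the issue body, as an added example that is neither the issue's nor the project's code: the secret still holds one user per line, but each value is a salted PBKDF2-HMAC-SHA256 hash (written here from the Go standard library) instead of a clear-text password, and the gateway verifies with a constant-time compare. The entry format pbkdf2-sha256:<iterations>:<salt>:<hash>, the names HashPassword, ParseSecret and Credentials.Verify, and the sample secret contents used in the test are all constructed for this example.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/base64"
	"encoding/binary"
	"fmt"
	"strconv"
	"strings"
)

// pbkdf2SHA256 is PBKDF2 (RFC 8018) with HMAC-SHA256, built from the standard
// library so the secret can hold salted hashes instead of clear-text passwords.
func pbkdf2SHA256(password, salt []byte, iter, keyLen int) []byte {
	prf := hmac.New(sha256.New, password)
	hashLen := prf.Size()
	blocks := (keyLen + hashLen - 1) / hashLen
	dk := make([]byte, 0, blocks*hashLen)
	u := make([]byte, hashLen)
	var idx [4]byte
	for b := 1; b <= blocks; b++ {
		prf.Reset()
		prf.Write(salt)
		binary.BigEndian.PutUint32(idx[:], uint32(b))
		prf.Write(idx[:])
		t := prf.Sum(nil) // U1 = PRF(P, S || INT(b))
		copy(u, t)
		for n := 2; n <= iter; n++ { // T = U1 xor U2 xor ... xor Uc
			prf.Reset()
			prf.Write(u)
			u = prf.Sum(u[:0])
			for i := range t {
				t[i] ^= u[i]
			}
		}
		dk = append(dk, t...)
	}
	return dk[:keyLen]
}

// HashPassword returns the value an admin would store for a user, in the
// constructed format pbkdf2-sha256:<iterations>:<salt b64>:<hash b64>.
func HashPassword(password string, iter int) (string, error) {
	salt := make([]byte, 16)
	if _, err := rand.Read(salt); err != nil {
		return "", err
	}
	hash := pbkdf2SHA256([]byte(password), salt, iter, 32)
	enc := base64.RawStdEncoding
	return fmt.Sprintf("pbkdf2-sha256:%d:%s:%s", iter, enc.EncodeToString(salt), enc.EncodeToString(hash)), nil
}

type storedHash struct {
	iter       int
	salt, hash []byte
}

// Credentials is the parsed multi-user secret: one "user:<entry>" per line.
type Credentials struct{ users map[string]storedHash }

// ParseSecret reads the secret contents, skipping blank lines and "#" comments.
func ParseSecret(data string) (*Credentials, error) {
	c := &Credentials{users: map[string]storedHash{}}
	enc := base64.RawStdEncoding
	for n, line := range strings.Split(data, "\n") {
		line = strings.TrimSpace(line)
		if line == "" || strings.HasPrefix(line, "#") {
			continue
		}
		f := strings.Split(line, ":")
		if len(f) != 5 || f[1] != "pbkdf2-sha256" {
			return nil, fmt.Errorf("line %d: malformed entry", n+1)
		}
		iter, errI := strconv.Atoi(f[2])
		salt, errS := enc.DecodeString(f[3])
		hash, errH := enc.DecodeString(f[4])
		if errI != nil || errS != nil || errH != nil || iter < 1 {
			return nil, fmt.Errorf("line %d: bad iteration count or encoding", n+1)
		}
		c.users[f[0]] = storedHash{iter: iter, salt: salt, hash: hash}
	}
	return c, nil
}

// Verify checks a user/password pair with a constant-time compare; unknown
// users still pay the hashing cost so timing does not reveal which names exist.
func (c *Credentials) Verify(user, password string) bool {
	s, ok := c.users[user]
	if !ok {
		s = storedHash{iter: 1000, salt: make([]byte, 16), hash: make([]byte, 32)}
	}
	got := pbkdf2SHA256([]byte(password), s.salt, s.iter, len(s.hash))
	return subtle.ConstantTimeCompare(got, s.hash) == 1 && ok
}
```

HashPassword is the step an admin runs to produce a new line before writing it into the secret with kubectl; ParseSecret runs once at gateway start (a clear-text line is rejected outright, so the old format cannot slip back in) and Verify on each request. The iteration count is a tuning choice: raise it until a verification costs a few milliseconds on the gateway's own hardware.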

@alexellis (Member, Author):

That's an interesting suggestion for a full OAuth implementation, which I think we should also track via another issue.
