Open nickwilliams-codynamic opened 4 years ago
Those two properties are features of the Alpine framework. They are not currently supported by Dependency-Track.
Is this a defect report? If so, the response is 'works as designed'.
If this is an enhancement request, if so, what is the use case?
I did think it was a defect report, but I must have misunderstood. I had assumed that with these settings set to false, I could access the dependencytrack dashboard anonymously. However with the properties set to false the UI never loads.
# When authentication is enforced, API keys are required for automation, and
# the user interface will prevent anonymous access by prompting for login
# credentials.
If this is indeed working as expected then I guess it is an enhancement request. The use case being:
As a user, I want navigate to dependencytrack.company.com and access the dependency track UI without entering any username or password.
As a system admin, I want the dependency track UI open to anyone with access to the dependencytrack.company.com domain.
In our case, it may well be that we use something like OAUTH2Proxy infront of dependency track to enfore authentication with our SSO solution, but I don't think that is a concern of dependency track.
I have proposed:
I would like to see this feature (anonymous login) as well. The use case is putting dependency track behind an organization-internal OAuth2-proxy instance. I believe this is a widespread use case.
Since an authentication proxy is supposed to set some headers on incoming request, DependencyTrack can infer the user and groups through those headers. It can expose the configurations through properties, for example
dependencytrack.proxyAuth.usernameHeader=X-Username
dependencytrack.proxyAuth.groupsHeader=X-Groups
From the UI side, there would be a section called "Proxy Users", just like today there are Managed, LDAP and OIDC users.
@stevespringett in a related pull request, you mentioned that such a feature requires widespread changes in the API. Can you elaborate on that?
If it's something I can get done, I will be interested to contribute.
The defect may already be reported! Please search for the defect before creating one.
Current Behavior:
When setting the alpine.enforce.authentication and authorization properties to false, the webserver returns a 404 response for all URLs.
Additionally setting the propertise as environment variables seems to have no effect (e.g. ALPINE_ENFORCE_AUTHENTICATION still show the login screen)
Steps to Reproduce:
Set alpine.enforce.authentication to false. Sample docker-compose and properties file below
Expected Behavior:
The depedencytrack dashboard appears with no login screen prompted
Environment:
Additional Details:
docker-compose.yaml:
NOTE: Use all other default properties from https://docs.dependencytrack.org/getting-started/configuration/ props/application.properties