Authentik is documented to not require the public schema, but offers no documentation on how to customize. I've created schema authentik for user authentik, which is highest priority in the default search path. I see that Authentik honors this to a point during startup, but ultimately fails while attempting to create a table in public.
To Reproduce
Steps to reproduce the behavior:
Start with fresh PostgreSQL instance and Authentik install
Create role and schema, revoke public access
create role authentik;
create schema authentik AUTHORIZATION authentik;
REVOKE CREATE ON SCHEMA public FROM PUBLIC;
Start Authentik using the authentik user for Postgres connections
Expected behavior
Following the above example, Authentik is expected to use the authentik schema for all objects as it is first in the search path.
Screenshots
If applicable, add screenshots to help explain your problem.
Logs
Output of docker-compose logs or kubectl logs respectively
It should be made possible to override public to a different schema name, if not for security concerns alone (see CVE-2018-1058) then for compliance reasons.
Postgres 15 and above does not provide access to the public schema by default in order to address this concern and CVE-2018-1058. In security-conscious environments and those that are required to adhere to NIST benchmarks, Authentik would be expected to use a schema other than public (see CIS PostgreSQL 16 Benchmark 1.0.0 Checklist, latest available Nov. 2024).
To quote directly from the linked CIS Benchmark Checklist:
Rationale:
Excessive DML grants can lead to unprivileged users changing or deleting information without proper authorization.
...
For versions of PostgreSQL prior to version 15, CVE-2018-1058 is applicable and it is recommended that all privileges be revoked from the public schema for all users on all databases. If you have upgraded from one of these earlier releases, this CVE is not fixed for you during an upgrade. You can correct this CVE by issuing:
postgres=# REVOKE CREATE ON SCHEMA public FROM PUBLIC;
REVOKE
This creates compliance hurdles for any entity that handles U.S Government contracts, due to Authentik's inability to fully satisfy the CIS Benchmark.
Please consider adding a configuration point such as AUTHENTIK_POSTGRESQL__SCHEMA to enable the use of alternate schemas, or honor the default search path for object creation and reference.
Describe the bug Reopen of #9212
Authentik is documented to not require the public schema, but offers no documentation on how to customize. I've created schema
authentik
for userauthentik
, which is highest priority in the default search path. I see that Authentik honors this to a point during startup, but ultimately fails while attempting to create a table inpublic
.To Reproduce Steps to reproduce the behavior:
Expected behavior Following the above example, Authentik is expected to use the
authentik
schema for all objects as it is first in the search path.Screenshots If applicable, add screenshots to help explain your problem.
Logs Output of docker-compose logs or kubectl logs respectively
Version and Deployment (please complete the following information):
Additional context
Mirroring from #9212:
It should be made possible to override public to a different schema name, if not for security concerns alone (see
CVE-2018-1058
) then for compliance reasons.Postgres 15 and above does not provide access to the public schema by default in order to address this concern and CVE-2018-1058. In security-conscious environments and those that are required to adhere to NIST benchmarks, Authentik would be expected to use a schema other than public (see CIS PostgreSQL 16 Benchmark 1.0.0 Checklist, latest available Nov. 2024).
To quote directly from the linked CIS Benchmark Checklist:
This creates compliance hurdles for any entity that handles U.S Government contracts, due to Authentik's inability to fully satisfy the CIS Benchmark.
Please consider adding a configuration point such as
AUTHENTIK_POSTGRESQL__SCHEMA
to enable the use of alternate schemas, or honor the default search path for object creation and reference.