voxpupuli / puppet_webhook

Sinatra-based application that triggers puppet-related commands from VCS Webhook calls
Apache License 2.0

Added authentication model, controller, and tasks #94

Closed dhollinger closed 5 years ago

dhollinger commented 5 years ago

TODO:

alexjfisher commented 5 years ago

What problem are we trying to solve? eg. Will this allow for multiple users?

alexjfisher commented 5 years ago

What are the drawbacks? The bitbucket hook plugin that I use won't let me specify arbitrary headers. I currently put the username/password in the URL field.

dhollinger commented 5 years ago

@alexjfisher This solves an issue with security. Due to the nature of how r10k works, puppet_webhook needs full root access to execute r10k in any form. Currently the user/pass setup is transmitted in plain text, allowing a user with base64 to decode the user/pass from the auth header. This is the first step in removing that ability. Additionally, API tokens are the standard for API auth rather than user/pass.

For SSL going forward, we are planning on requiring users to use an nginx frontend due to some SSL related bugs in Rack/Puma that aren't getting fixed.
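To make the security point in the comment above concrete, here is an added example (written for this page, not code from puppet_webhook or from this PR) that first recovers a username and password from a Basic Authorization header, which is all an observer of un-encrypted traffic has to do, and then shows the shape of a token check: a bearer token presented by the client, only SHA-256 digests of issued tokens held server-side, and a constant-time comparison. The captured header, the token store and the helper names are constructed for the example; they do not describe this PR's implementation.

```ruby
require 'base64'
require 'openssl'
require 'securerandom'

# Constructed sample of what a proxy log or packet capture would show when
# Basic auth is used over plain HTTP. The credentials are made up.
CAPTURED_BASIC_HEADER = 'Basic cHVwcGV0OnMzY3IzdA=='.freeze

# Recover [user, password] from a Basic header. Base64 is an encoding,
# not encryption: no key is involved, so anyone who sees the header has
# the credentials.
def decode_basic(header)
  scheme, encoded = header.to_s.split(' ', 2)
  return nil unless scheme&.casecmp?('basic') && encoded
  Base64.strict_decode64(encoded).split(':', 2)
rescue ArgumentError
  nil # not valid base64
end

# Issue a random token. The raw value is shown to the user once; only its
# digest is kept (see token_digest), so a leaked config or backup does not
# hand out working credentials.
def generate_token
  SecureRandom.hex(32)
end

def token_digest(token)
  OpenSSL::Digest::SHA256.hexdigest(token)
end

# Constant-time comparison. A plain == returns at the first differing
# byte, which lets an attacker learn the correct prefix one byte at a time.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  diff = 0
  a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
  diff.zero?
end

# Pull the token out of "Authorization: Bearer <token>". Basic, missing or
# malformed headers yield nil so the caller can answer 401.
def bearer_token(header)
  scheme, token = header.to_s.split(' ', 2)
  return nil unless scheme&.casecmp?('bearer') && token && !token.strip.empty?
  token.strip
end

# Validate a presented token against the digests of issued tokens.
def token_valid?(presented, stored_digests)
  return false if presented.nil? || presented.empty?
  digest = token_digest(presented)
  stored_digests.any? { |d| secure_compare(d, digest) }
end

if __FILE__ == $PROGRAM_NAME
  user, pass = decode_basic(CAPTURED_BASIC_HEADER)
  puts "Basic auth recovered from capture: user=#{user} pass=#{pass}"

  token = generate_token
  store = [token_digest(token)] # what the server keeps
  good = "Bearer #{token}"
  bad  = "Bearer #{generate_token}"
  puts "valid token accepted: #{token_valid?(bearer_token(good), store)}"
  puts "other token rejected: #{token_valid?(bearer_token(bad), store)}"
  puts "basic header rejected: #{token_valid?(bearer_token(CAPTURED_BASIC_HEADER), store)}"
end
```

Token auth on its own does not fix the transport problem: a bearer token sent over plain HTTP is just as visible as the Basic header, which is why the comment pairs it with TLS termination in front of the application.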

alexjfisher commented 5 years ago

Can we keep the ability to use simple username and password but default to API tokens?

alexjfisher commented 5 years ago

I suppose as long as I can still disable auth all together, I can do basic auth with ssl in nginx.