Che: Dashboard must not send keycloak token to plugin and devfile registries
Describe the bug
Plugin and Devfile registries are designed as free services that do not require any authentication.
Sending Che Keycloak tokens to them are non-necessary and potentially not a safe thing to do.
Dashboard must not send keycloak token to plugin and devfile registries
Che version
- [ ] latest
- [x] nightly
- [ ] other: please specify
Steps to reproduce
- Open Development Tools in browser.
- Open Che Dashboard.
- Check requests to plugin and devfile registries.
Expected behavior
Keycloak token is not sent to them.
sleshchenko
👍3
All 3 comments
shouldn't it be an option ? if a team is using che in a public cloud and would like to have registry private ?
@slemeur @l0rd
sunix
on 19 Nov 2019
maybe devfile and plugin registry should be secured
sunix
on 19 Nov 2019
@sunix I would distinct two issues here:
- Che Server token must not be sent to plugin/devfile registries.
- Add an ability to configure plugin/devfile registries as secure (should we use keycloak token for that or another one - it's implementation details). It may seem easy to solve but if we take into account that users may want to use different registries (some maybe not secured by the same Keycloak as is used for Che Server) and Che Server should be able to access all of them(maybe it should be reworked and client should provide everything downloaded) then it does not seem so easy to solve and IMHO it should be solved separately, if we need it.
sleshchenko
on 19 Nov 2019
👍2
Was this page helpful?
0 / 5 - 0 ratings
Related issues
AndrienkoAleksandr
路
3Comments
LaneGeek
路
3Comments
sleshchenko
路
3Comments
apupier
路
3Comments
sleshchenko
路
3Comments
Most helpful comment
@sunix I would distinct two issues here: