keel
Feature Request: Allow disabling of Basic Auth for the WebUI
Currently, if you disable Basic Auth for the WebUI, it disables the WebUI. I would like a way to disable the Basic Auth without disabling the WebUI.
My use case: I have a proxy in front of my cluster that handles all of my auth concerns. Having the extra username and password for Keel UI makes it clunky to use since I basically have to email the credentials to everyone who I want to access the WebUI, even though I've already given them permission to the app via the proxy. Or post it in a Slack channel. It's not ideal, to say the least.
Also, if disabling the basic auth disables the WebUI, it should probably be renamed to reflect what it is actually doing. It would have saved me a fair bit of time trying to figure out why the WebUI wasn't working.
Would like this too
Is this something you'll be able to do? If not, that's fine, but I just need to know.
At the moment there's no bandwidth available, but I would gladly accept the contribution!
The code is here: https://github.com/keel-hq/keel/blob/master/pkg/http/http.go#L134. You would need to remove that check and also stub out the authentication side on the UI side and potentially approvals, as it uses the currently logged-in user.
Thanks. I'm not very strong with Go but I'll take a look and see if I can make the changes.
@bigwheels16: did you manage to get it?
I am also interested in this feature: I manage my own BasicAuth from my reverse proxy with several users available.
I would rather prefer not having this feature or a dedicated key-pair for turning the dashboard on/off defaulting to off. I don't want to have anything open with or without passwords on my production servers by default.
If the dashboard defaulted to on without any auth, users would need to spend some time to secure Keel after installation (setting passwords, integrating them into their secrets management and whatever, no thanks). Now, it's really fool-proof, just apply Keel's yaml, add two, three annotations and the thing works buttersmooth and out of the box and is secure for production. Don't even know why you would need a dashboard[1]. You can see Keel in action on something like k9s.
[1] ok, the audit logs/stats would be nice to have but are not a must and the rest is right in your yaml's annotations
Many times stuff like keel is not directly exposed with an ingress, but is protected by some kind of authenticated endpoint. Still, having an option to spin it up without basic auth doesn't mean you cannot configure it to have basic auth if you want.
Also, almost always, making the tool do the job it was designed to do and only that (adhering to the Unix philosophy), is a good idea. It is not keel's job to do authentication, and we shouldn't rely on some primitive base auth functionality for security.
> @bigwheels16: did you manage to get it?
I did look at the code but I haven't made any changes yet. Because of how the Auth is done, it's a little bit difficult to see a good way to toggle it on and off in a clean way.
> it's a little bit difficult to see a good way to toggle it on and off in a clean way
@bigwheels16 this is where I agree, just providing username and password turns on the dashboard and vice versa is a bit vague. So, yeah, a clear toggle would be better.
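The thread asks for the dashboard switch to be separate from the credentials and for it to default to off. The following is an added sketch of that design, not code from Keel or from any participant; `UIConfig`, `NewUIHandler`, `Status` and the `"basic"`/`"none"` mode names are hypothetical.

```go
package main

import (
	"crypto/subtle"
	"fmt"
	"net/http"
	"net/http/httptest"
)

type UIConfig struct { // hypothetical settings, not Keel's real configuration
	Enabled        bool   // explicit dashboard switch; the zero value keeps the UI off
	AuthMode       string // "basic", or "none" when a reverse proxy authenticates
	User, Password string // used only when AuthMode is "basic"
}

// NewUIHandler rejects ambiguous settings so that missing credentials never mean "open".
func NewUIHandler(cfg UIConfig, ui http.Handler) (http.Handler, error) {
	if !cfg.Enabled {
		return http.NotFoundHandler(), nil
	}
	if cfg.AuthMode == "none" {
		return ui, nil // explicit opt-out; the proxy in front must authenticate
	}
	if cfg.AuthMode != "basic" || cfg.User == "" || cfg.Password == "" {
		return nil, fmt.Errorf("auth mode %q: unknown mode or empty credentials", cfg.AuthMode)
	}
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		u, p, ok := r.BasicAuth()
		userOK := subtle.ConstantTimeCompare([]byte(u), []byte(cfg.User)) == 1
		passOK := subtle.ConstantTimeCompare([]byte(p), []byte(cfg.Password)) == 1
		if !ok || !userOK || !passOK {
			w.Header().Set("WWW-Authenticate", `Basic realm="ui"`)
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		ui.ServeHTTP(w, r)
	}), nil
}

// Status sends one constructed GET with Basic credentials to h and returns the code.
func Status(h http.Handler, user, pass string) int {
	req := httptest.NewRequest(http.MethodGet, "/", nil)
	req.SetBasicAuth(user, pass)
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code
}

// Constructed case: UI enabled with "basic" but no credentials; prints the startup error.
func main() { fmt.Println(NewUIHandler(UIConfig{Enabled: true, AuthMode: "basic"}, nil)) }
```

With `AuthMode` set to `"none"`, anything that can reach the listener directly bypasses the proxy's authentication, so the service should only be reachable through that proxy.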