nebari icon indicating copy to clipboard operation
nebari copied to clipboard
verified publisher icon nebari-dev

[BUG] - conda-store allows environments to be created by unauthenticated users

Open benjaminleighton opened this issue 3 years ago • 2 comments

OS system and architecture in which you are running QHub

4.0.0post1

Expected behavior

The https://conda-store.readthedocs.io/en/latest/user_guide.html#create-create-environment documentation states that users authenticated or unauthenticated can create environments. I'd expect there to be some authentication required for environment creation. Is there a risk of injection or dos attacks otherwise?

Actual behavior

By default qhub deploys my.domain/conda-store and allows public creation of conda environments

How to Reproduce the problem?

Deploy a qhub environment and attempt to create an environment at my.domain/conda-store

Command output

No response

Versions and dependencies used.

No response

Compute environment

No response

Integrations

No response

Anything else?

No response

benjaminleighton avatar Apr 29 '22 10:04 benjaminleighton

Hey @benjaminleighton thanks for the issue!

The https://conda-store.readthedocs.io/en/latest/user_guide.html#create-create-environment documentation states that users authenticated or unauthenticated can create environments. I'd expect there to be some authentication required for environment creation. Is there a risk of injection or dos attacks otherwise?

Conda store has rbac based authorization model see https://conda-store.readthedocs.io/en/latest/contributing.html#authorization-model. The way we have conda store configured in qhub and by default is that users only have access to the see/read the default and filesystem namespaces https://github.com/Quansight/conda-store/blob/main/conda-store-server/conda_store_server/server/auth.py#L77-L91.

You do make a good point that this should be clearer in the documentation and I will leave this issue open until this is documented. Conda-Store does have the capability to make unauthenticated users have the permissions to create/edit/delete envirionments but this is not the default behavior.

This is how qhub currently sets conda-store permissions https://github.com/Quansight/qhub/blob/main/qhub/template/stages/07-kubernetes-services/modules/kubernetes/services/conda-store/config/conda_store_config.py#L78-L100. By default unauthentication can only read the default and filesystem namespace. When authentication a user has different permissions based on if they are a viewer, developer, or admin. Additionally they have permissions to their username namespace and any groups that they are a member of in keycloak.

If unauthenticated users are ever able to edit environments I certainly consider this to be a serious bug that needs to be resolved.

costrouc avatar Apr 29 '22 14:04 costrouc

I also made some fixes to Conda-Store which fixed some authentication issues. So I've created an issue that we need to bump to the latest conda-store version https://github.com/Quansight/qhub/issues/1263.

costrouc avatar Apr 29 '22 15:04 costrouc

I will be closing this as per @costrouc comments we addressed all related authentication issues. Only authenticated users may create or edit conda-store environments. @benjaminleighton feel free to open a new issue if the behavior above persists.

viniciusdc avatar Oct 04 '22 15:10 viniciusdc