Gate and Fiat should use the same `anonymous` username
Issue Summary:
Gate is configured to use an anonymous principal with the username anonymous, but Fiat is configured to use the default Spring Security settings which uses an anonymous principal of the string anonymousUser.
Feature Area:
Security
Description:
In Gate, AnonymousConfig configures anonymous authentication with the username anonymous. Every other service uses FiatAuthenticationConfig (from fiat-api), which configures anonymous authentication using the default Spring Security settings, which use a principal of anonymousUser (just the string, not wrapped in a UserDetails object or similar). Any code that relies on getting the authenticated username in a request directly from the Authentication object will get a different anonymous username than expected compared to using AuthenticatedRequest.getSpinnakerUser().orElse("anonymous"), the common idiom (which is being simplified in https://github.com/spinnaker/kork/pull/1138).
This can cause problems in permission check code which tries to look up permissions for anonymousUser rather than anonymous which can lead to failed pipeline executions (e.g., those invoked via an unauthenticated web hook) where unrestricted permissions are not respected. This issue originally came up in code where I refactored various ways of getting the current user id to make use of SpinnakerUsers::getCurrentUserId and SpinnakerUsers::getUserId, but an unauthenticated web hook trigger to Gate made an anonymous request to Echo which led to a pipeline being invoked with the username anonymousUser who did not have permission to do jack shit.
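An added example, not Spinnaker's own code, illustrating the mismatch described above. It builds the two anonymous tokens side by side (the Spring Security default principal `anonymousUser` and a Gate-style principal `anonymous`), shows how a lookup that trusts `Authentication.getName()` directly disagrees with the `orElse("anonymous")` idiom, and shows two ways out: a resolver that maps any `AnonymousAuthenticationToken` to the canonical name, and a `HttpSecurity` customization that pins the same principal on the Fiat side. The class name, the `ANONYMOUS_USER` constant, the `alignAnonymousPrincipal` helper and the filter key are assumptions made for the example; only the Spring Security types and methods are real.

```java
// Added example (not Spinnaker's code). Names below are assumptions for illustration.
import org.springframework.security.authentication.AnonymousAuthenticationToken;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.core.context.SecurityContextHolder;

public class AnonymousPrincipalDemo {

  // The name every service should agree on (assumption: mirrors Gate's AnonymousConfig).
  public static final String ANONYMOUS_USER = "anonymous";

  // Filter key; in Spring Security's AnonymousConfigurer this defaults to a random UUID.
  private static final String KEY = "demo-key";

  // Token equivalent to what the default AnonymousConfigurer installs when no
  // principal is configured: the bare string "anonymousUser".
  static AnonymousAuthenticationToken springDefaultAnonymous() {
    return new AnonymousAuthenticationToken(KEY, "anonymousUser",
        AuthorityUtils.createAuthorityList("ROLE_ANONYMOUS"));
  }

  // Token equivalent to a Gate-style configuration with an explicit principal.
  static AnonymousAuthenticationToken gateStyleAnonymous() {
    return new AnonymousAuthenticationToken(KEY, ANONYMOUS_USER,
        AuthorityUtils.createAuthorityList("ROLE_ANONYMOUS"));
  }

  // Naive lookup: trusts Authentication.getName() as-is. Under the Spring default
  // this yields "anonymousUser", which is not the account Fiat has permissions for.
  static String naiveCurrentUserId() {
    Authentication a = SecurityContextHolder.getContext().getAuthentication();
    return a == null ? ANONYMOUS_USER : a.getName();
  }

  // Defensive lookup: any anonymous (or unauthenticated) context maps to the
  // canonical name, whatever string the filter happened to use as principal.
  static String canonicalCurrentUserId() {
    Authentication a = SecurityContextHolder.getContext().getAuthentication();
    if (a == null || !a.isAuthenticated() || a instanceof AnonymousAuthenticationToken) {
      return ANONYMOUS_USER;
    }
    return a.getName();
  }

  // Configuration-side fix (assumption): make the Fiat-style config use the same
  // principal Gate uses, so Authentication.getName() agrees across services.
  static void alignAnonymousPrincipal(HttpSecurity http) throws Exception {
    http.anonymous(anon -> anon.principal(ANONYMOUS_USER).authorities("ROLE_ANONYMOUS"));
  }

  public static void main(String[] args) {
    // Simulate a request reaching a fiat-api-configured service (e.g. Echo).
    SecurityContextHolder.getContext().setAuthentication(springDefaultAnonymous());
    System.out.println("default config, naive lookup:     " + naiveCurrentUserId());
    System.out.println("default config, canonical lookup: " + canonicalCurrentUserId());

    // Simulate the same request reaching Gate.
    SecurityContextHolder.getContext().setAuthentication(gateStyleAnonymous());
    System.out.println("gate config, naive lookup:        " + naiveCurrentUserId());
    System.out.println("gate config, canonical lookup:    " + canonicalCurrentUserId());

    SecurityContextHolder.clearContext();
  }
}
```

The first line of output is the failure mode from the report: a permission lookup keyed on `anonymousUser` finds nothing, so an unauthenticated webhook-triggered pipeline runs as a user with no access even though unrestricted permissions should apply. Either fix alone closes the gap; doing both is cheap, since the resolver also protects any service that forgets to set the principal.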
This issue hasn't been updated in 45 days, so we are tagging it as 'stale'. If you want to remove this label, comment:
@spinnakerbot remove-label stale
This issue is tagged as 'stale' and hasn't been updated in 45 days, so we are tagging it as 'to-be-closed'. It will be closed in 45 days unless updates are made. If you want to remove this label, comment:
@spinnakerbot remove-label to-be-closed
This issue is tagged as 'to-be-closed' and hasn't been updated in 45 days, so we are closing it. You can always reopen this issue if needed.