[linstor-gui] Block in-app LINSTOR auth setup at the nginx proxy

The upstream linstor-gui SPA exposes a "Users" / sign-in panel that
POSTs to /v1/security/* on the LINSTOR controller. If a cozystack user
turns on HTTP auth via that panel, every subsequent REST call —
including from this very GUI, which talks to the controller via mTLS,
not bearer tokens — starts returning 401, locking the user out of
LINSTOR with no in-product recovery path.

Now that authentication for the cozystack-shipped GUI is enforced one
layer up at the Ingress (oauth2-proxy + Keycloak), the in-app auth is
both redundant and a footgun. Short-circuit /v1/security/* in the
gateway nginx with a 403 + explanatory JSON body so the setting cannot
be enabled regardless of what the SPA renders. Other LINSTOR REST paths
(/v1/nodes, /v1/resource-definitions, /metrics, …) continue to proxy
through unchanged.

Verified on dev10:
  POST /v1/security/sign-in  -> 403 (with explanation body)
  GET  /v1/security/users    -> 403
  GET  /v1/nodes             -> 200

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Signed-off-by: Myasnikov Daniil <myasnikovdaniil2001@gmail.com>
This commit is contained in:
Myasnikov Daniil 2026-04-13 20:04:27 +05:00
parent 574941123b
commit 7bf1622172

View file

@ -60,6 +60,24 @@ data:
try_files $uri $uri/ /index.html;
}
# Block the LINSTOR controller's auth/identity management endpoints.
# The upstream linstor-gui exposes a "Users" / sign-in panel that
# POSTs to /v1/security/* on the controller. If a cozystack user
# enables HTTP auth via that panel, every subsequent REST call
# (including from this very GUI, which proxies via mTLS, not
# bearer tokens) starts returning 401 and the user is locked out
# of LINSTOR with no in-product recovery path.
#
# Authentication for cozystack is handled one layer up at the
# Ingress (oauth2-proxy + Keycloak), so the in-app auth is not
# only redundant but actively dangerous. Refuse the calls here so
# the setting cannot be turned on regardless of what the SPA UI
# shows.
location /v1/security {
default_type application/json;
return 403 '{"ret_code":-1,"message":"LINSTOR auth setup is disabled by cozystack: authentication is enforced at the Ingress via Keycloak."}';
}
# Proxy LINSTOR REST API over mTLS to the controller
location /v1 {
proxy_pass {{ .Values.linstor.endpoint }};