[linstor-gui] Block in-app LINSTOR auth setup at the nginx proxy
The upstream linstor-gui SPA exposes a "Users" / sign-in panel that POSTs to /v1/security/* on the LINSTOR controller. If a cozystack user turns on HTTP auth via that panel, every subsequent REST call — including from this very GUI, which talks to the controller via mTLS, not bearer tokens — starts returning 401, locking the user out of LINSTOR with no in-product recovery path. Now that authentication for the cozystack-shipped GUI is enforced one layer up at the Ingress (oauth2-proxy + Keycloak), the in-app auth is both redundant and a footgun. Short-circuit /v1/security/* in the gateway nginx with a 403 + explanatory JSON body so the setting cannot be enabled regardless of what the SPA renders. Other LINSTOR REST paths (/v1/nodes, /v1/resource-definitions, /metrics, …) continue to proxy through unchanged. Verified on dev10: POST /v1/security/sign-in -> 403 (with explanation body) GET /v1/security/users -> 403 GET /v1/nodes -> 200 Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> Signed-off-by: Myasnikov Daniil <myasnikovdaniil2001@gmail.com>
This commit is contained in:
parent
574941123b
commit
7bf1622172
1 changed files with 18 additions and 0 deletions
|
|
@ -60,6 +60,24 @@ data:
|
|||
try_files $uri $uri/ /index.html;
|
||||
}
|
||||
|
||||
# Block the LINSTOR controller's auth/identity management endpoints.
|
||||
# The upstream linstor-gui exposes a "Users" / sign-in panel that
|
||||
# POSTs to /v1/security/* on the controller. If a cozystack user
|
||||
# enables HTTP auth via that panel, every subsequent REST call
|
||||
# (including from this very GUI, which proxies via mTLS, not
|
||||
# bearer tokens) starts returning 401 and the user is locked out
|
||||
# of LINSTOR with no in-product recovery path.
|
||||
#
|
||||
# Authentication for cozystack is handled one layer up at the
|
||||
# Ingress (oauth2-proxy + Keycloak), so the in-app auth is not
|
||||
# only redundant but actively dangerous. Refuse the calls here so
|
||||
# the setting cannot be turned on regardless of what the SPA UI
|
||||
# shows.
|
||||
location /v1/security {
|
||||
default_type application/json;
|
||||
return 403 '{"ret_code":-1,"message":"LINSTOR auth setup is disabled by cozystack: authentication is enforced at the Ingress via Keycloak."}';
|
||||
}
|
||||
|
||||
# Proxy LINSTOR REST API over mTLS to the controller
|
||||
location /v1 {
|
||||
proxy_pass {{ .Values.linstor.endpoint }};
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue