From 7bf162217239ea35e4569371258d58dba0b7c5bf Mon Sep 17 00:00:00 2001 From: Myasnikov Daniil Date: Mon, 13 Apr 2026 20:04:27 +0500 Subject: [PATCH] [linstor-gui] Block in-app LINSTOR auth setup at the nginx proxy MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The upstream linstor-gui SPA exposes a "Users" / sign-in panel that POSTs to /v1/security/* on the LINSTOR controller. If a cozystack user turns on HTTP auth via that panel, every subsequent REST call — including from this very GUI, which talks to the controller via mTLS, not bearer tokens — starts returning 401, locking the user out of LINSTOR with no in-product recovery path. Now that authentication for the cozystack-shipped GUI is enforced one layer up at the Ingress (oauth2-proxy + Keycloak), the in-app auth is both redundant and a footgun. Short-circuit /v1/security/* in the gateway nginx with a 403 + explanatory JSON body so the setting cannot be enabled regardless of what the SPA renders. Other LINSTOR REST paths (/v1/nodes, /v1/resource-definitions, /metrics, …) continue to proxy through unchanged. Verified on dev10: POST /v1/security/sign-in -> 403 (with explanation body) GET /v1/security/users -> 403 GET /v1/nodes -> 200 Co-Authored-By: Claude Opus 4.6 Signed-off-by: Myasnikov Daniil --- .../linstor-gui/templates/configmap-nginx.yaml | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) diff --git a/packages/system/linstor-gui/templates/configmap-nginx.yaml b/packages/system/linstor-gui/templates/configmap-nginx.yaml index 0ba8e4fe..2bc11fab 100644 --- a/packages/system/linstor-gui/templates/configmap-nginx.yaml +++ b/packages/system/linstor-gui/templates/configmap-nginx.yaml @@ -60,6 +60,24 @@ data: try_files $uri $uri/ /index.html; } + # Block the LINSTOR controller's auth/identity management endpoints. + # The upstream linstor-gui exposes a "Users" / sign-in panel that + # POSTs to /v1/security/* on the controller. If a cozystack user + # enables HTTP auth via that panel, every subsequent REST call + # (including from this very GUI, which proxies via mTLS, not + # bearer tokens) starts returning 401 and the user is locked out + # of LINSTOR with no in-product recovery path. + # + # Authentication for cozystack is handled one layer up at the + # Ingress (oauth2-proxy + Keycloak), so the in-app auth is not + # only redundant but actively dangerous. Refuse the calls here so + # the setting cannot be turned on regardless of what the SPA UI + # shows. + location /v1/security { + default_type application/json; + return 403 '{"ret_code":-1,"message":"LINSTOR auth setup is disabled by cozystack: authentication is enforced at the Ingress via Keycloak."}'; + } + # Proxy LINSTOR REST API over mTLS to the controller location /v1 { proxy_pass {{ .Values.linstor.endpoint }};