Bug 1369384 - improve balrog authentication story
Status: Closed, RESOLVED FIXED
Opened 8 years ago, closed 6 years ago
Product / Component: Release Engineering Graveyard :: Applications: Balrog (backend)
Type: enhancement, Priority: P3
Tracking: (Not tracked)
People: Reporter bhearsum, Unassigned
Whiteboard: [lang=python]
Balrog currently uses HTTP Basic authorization, which is handled by nginx (which uses LDAP as a backend). This is not ideal for humans (because we can't enforce MFA) nor machines (because we don't like using username+password auth for machines). We should improve this by using auth0 for human authentication, and some sort of token based thing (oauth2?) for machine authentication.
Comment 1 (Reporter) • 8 years ago
https://mana.mozilla.org/wiki/display/SVCOPS/auth0proxy might be helpful for this.
Comment 2 (Reporter) • 8 years ago
Julien, catlee thought you might have some thoughts on this.
Comment 3 • 8 years ago
I think the auth0proxy story would solve this, so we should piggyback on it. CC-ing miles who's working on that project.
Kang might have ideas for the machine token story using auth0, cc-ing him as well.
Comment 4 • 8 years ago
The auth0proxy is still WIP and is basically a "when I have time" level of priority. There is still some work to be done on it and I'm fairly tied up, so I can't give an absolute date.
Having auth0 in front of your app is a prerequisite to using the auth0proxy, and we already have admin panel applications that have auth0 in front of them using lua-resty-openidc and nginx. CC'ing relud who would be able to easily implement that auth in front of balrog admin.
Comment 5 (Reporter) • 8 years ago
I'm most likely going to be looking at this in the next couple of months.
Assignee: nobody → bhearsum
Whiteboard: [lang=python]
Comment 6 (Reporter) • 8 years ago
This has been deprioritized, unassigned for now.
Assignee: bhearsum → nobody
Updated (Reporter) • 7 years ago
Priority: P2 → P3
Comment 7 (Reporter) • 7 years ago
The current authentication situation was raised in a recent AUS security audit as something to be replaced. In particular, they noted that HTTP auth offers insufficient protection against brute force. We should really switch to Auth0.
I think the authorization story is a different matter, with no obvious solution. Even if we move it out of Balrog itself, that should be a separate project. I'm rescoping this bug to look specifically at authentication - which is the more pressing piece.
Summary: improve balrog auth story → improve balrog authentication story
Comment 9 • 7 years ago
We stopped working on the auth0proxy because downstream apps would still need to have openresty with some openidc logic in front of them to verify sessions, i.e. it did not offer much.
We use the lua-resty-openidc openresty modules to handle auth0 in a number of other cases, and I think that would work here. I'm no longer on ops for balrog - that baton has been passed to oremj.
Flags: needinfo?(miles)
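The openresty + lua-resty-openidc pattern that comments 4 and 9 propose, written out as an added example (this is not Balrog's real deployment config or anything from the bug): Auth0 OIDC login in front of the admin app in place of nginx HTTP Basic auth. The tenant domain, client credentials, hostnames, session secret and upstream name are placeholders.

```nginx
# Added example, not Balrog's own config. Replaces an auth_basic (LDAP-backed)
# setup with an Auth0 OIDC login handled by lua-resty-openidc; MFA policy is
# then enforced by Auth0 rather than by nginx.
lua_shared_dict discovery 1m;   # caches the OIDC discovery document
lua_shared_dict jwks      1m;   # caches the tenant's token-signing keys

upstream balrog_admin {
    server 127.0.0.1:8080;      # placeholder: the Balrog admin app
}

server {
    listen 443 ssl;
    server_name balrog-admin.example.internal;   # placeholder
    # ssl_certificate / ssl_certificate_key omitted for brevity

    resolver 127.0.0.53;        # placeholder; needed for the discovery/JWKS fetches

    # lua-resty-session settings: a fixed secret keeps sessions valid across
    # workers and restarts; the cookie is only ever sent over TLS.
    set $session_secret        "REPLACE_WITH_32_RANDOM_BYTES";
    set $session_cookie_secure on;

    location / {
        access_by_lua_block {
            local opts = {
                discovery     = "https://TENANT.auth0.com/.well-known/openid-configuration",
                client_id     = "REPLACE_CLIENT_ID",
                client_secret = "REPLACE_CLIENT_SECRET",
                redirect_uri  = "https://balrog-admin.example.internal/redirect_uri",
                scope         = "openid email profile",
                ssl_verify    = "yes",   -- verify the tenant's TLS certificate
            }
            -- Unauthenticated requests are redirected to Auth0; the callback to
            -- /redirect_uri and the ID-token signature check happen inside authenticate().
            local res, err = require("resty.openidc").authenticate(opts)
            if err then
                ngx.status = ngx.HTTP_FORBIDDEN
                ngx.say("authentication failed")
                ngx.exit(ngx.HTTP_FORBIDDEN)
            end
            -- Hand the verified identity to the app. Clear the header first so a
            -- client cannot smuggle its own value through the proxy.
            ngx.req.clear_header("X-Forwarded-User")
            ngx.req.set_header("X-Forwarded-User", res.id_token.email)
        }
        proxy_pass http://balrog_admin;
    }
}
```

This covers the human (browser) login only; the machine-token path the bug raises separately is not addressed by it.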
Comment 10 (Reporter) • 6 years ago
We moved to auth0 last week!
Status: NEW → RESOLVED
Closed: 6 years ago
Resolution: --- → FIXED
Updated • 5 years ago
Product: Release Engineering → Release Engineering Graveyard