Bug 1652450
| Summary: | Capsule port 8443 reverse proxy opens up Satellite UI | | |
|---|---|---|---|
| Product: | Red Hat Satellite | Reporter: | Tsai Li Ming <ltsai> |
| Component: | Security | Assignee: | satellite6-bugs <satellite6-bugs> |
| Status: | CLOSED WONTFIX | QA Contact: | Roman Plevka <rplevka> |
| Severity: | high | Priority: | unspecified |
| Version: | 6.4 | CC: | ehelms, fgarciad, kkinge, lzap, mhulan, molasaga, pkthakur, tbrisker, vhernand |
| Target Milestone: | Unspecified | Keywords: | Triaged |
| Target Release: | Unused | Hardware: | Unspecified |
| OS: | Unspecified | Type: | Bug |
| Last Closed: | 2021-05-26 19:32:12 UTC | | |
Description
Tsai Li Ming
2018-11-22 06:55:08 UTC
We have assessed this BZ and there are a few considerations. The reverse proxy on the Capsule grants both UI and API access which in our view has the same security implications. In order to lock down just to the API we would have to build an access list of *all* API paths needed in order to not break functionality. Given there is no single rooted endpoint this is difficult and has the potential to miss an endpoint and break functionality. Additionally, some users see this as a feature that they use in order to access the application from clients or the Capsule itself. Given all of this, it is our recommendation that we close this BZ as wontfix. We would then opt to address https://bugzilla.redhat.com/show_bug.cgi?id=1743839.