Add authentication for WUI access #1911
Labels
No Label
0.2.0
0.3.0
0.4.0
0.5.0
0.5.1
0.6.0
0.6.1
0.7.0
0.8.0
0.9.0
1.0.0
1.1.0
1.10.0
1.10.1
1.10.2
1.10a2
1.11.0
1.12.0
1.12.1
1.13.0
1.14.0
1.15.0
1.15.1
1.2.0
1.3.0
1.4.1
1.5.0
1.6.0
1.6.1
1.7.0
1.7.1
1.7β
1.8.0
1.8.1
1.8.2
1.8.3
1.8β
1.9.0
1.9.0-s3branch
1.9.0a1
1.9.0a2
1.9.0b1
1.9.1
1.9.2
1.9.2a1
LeastAuthority.com automation
blocker
cannot reproduce
cloud-branch
code
code-dirnodes
code-encoding
code-frontend
code-frontend-cli
code-frontend-ftp-sftp
code-frontend-magic-folder
code-frontend-web
code-mutable
code-network
code-nodeadmin
code-peerselection
code-storage
contrib
critical
defect
dev-infrastructure
documentation
duplicate
enhancement
fixed
invalid
major
minor
n/a
normal
operational
packaging
somebody else's problem
supercritical
task
trivial
unknown
was already fixed
website
wontfix
worksforme
No Milestone
No Assignees
2 Participants
Notifications
Due Date
No due date set.
Reference: tahoe-lafs/trac-2024-07-25#1911
Loading…
Reference in New Issue
Block a user
No description provided.
Delete Branch "%!s()"
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?
At the moment anyone can access Tahoe-LAFS WUI and perform dangerous tricks such as filling up storage space.
Workarounds are using iptables and nginx as proxy to Tahoe-LAFS.
It would be very nice to have WUI's own authentication capability.
Brian has ideas and even, IIUC, a working prototype that controls access to a WUI.
This ticket is related to #1455, #1859, #1447, #1215, #860, #855, #587. I'm not sure if is is a duplicate of one of them or some combination of them. luckredhot: could you please clarify this ticket by spelling out what would allow us to close this ticket as "fixed"? I think it might be something like "All and only people who've been explicitly authorized by the node admin can use the WUI.". Does that sound right?
Brian: please advise on how this ticket should be written.
Under authentication I've just meant Basic access authentication: http://en.wikipedia.org/wiki/Basic_access_authentication described by RFC 2617 which can prevent accessing UI without providing login/password pair.
Of course it may be optional and also combined with other security techniques.
It would be also interesting to look on Brian's prototype.
Basic authentication is insecure unless over a secure channel (e.g. TLS).
Replying to davidsarah:
Replying to [luckyredhot]comment:4:
I will rephrase.
Basic authentication does not provide secure authentication unless over a channel that already provides confidentiality.
It is possible to access the WUI over TLS: source:docs/configuration.rst#overall-node-configuration.
Ok, I have explained authorization techniques in FAQ https://tahoe-lafs.org/trac/tahoe-lafs/wiki/FAQ#Q30_authorization.
No need to implement Tahoe own authorization at the moment.
If someone need it you may reopen the ticket.