FlyteAdmin is the control plane for the data processing platform Flyte. In an effort to make enabling authentication easier for Flyte administrators, the default configuration for Flyte Admin allows access for Flyte Propeller even after turning on authentication, via a hardcoded hashed password. This password is also set on the default Flyte Propeller configmap in the various Flyte Helm charts. Users who enable auth but do not override this setting in Flyte Admin's configuration may, unbeknownst to them, be allowing public traffic in by way of this default password, with attackers effectively impersonating Propeller. This only applies to users who have not specified the ExternalAuthorizationServer setting: users who enable Flyte's default authorization server without changing the default client ID hashes will be exposed to the public internet.

When running in prototype mode, the h2 webconsole module (accessible from the Prototype menu) is automatically made available with the ability to directly query the database. It was felt that it is safer to require the developer to explicitly enable this capability. As of 2.0.0-M8, this can now be done using the '-allow-remote-access' configuration property; the web console will be unavailable without setting this configuration. As an additional safeguard, the new '-random-web-admin-password' configuration parameter (enabled by default) requires that the administrator use a randomly generated password to use the console. The password is printed to the log as "webAdminPass: xxx" (where "xxx" is the password). Note also that the h2 webconsole is never available in production mode, so these safeguards only ensure that the webconsole is secured by default in prototype mode as well. To revert to the original behaviour, the administrator would therefore need to set both of these configuration parameters: -allow-remote-access=true and -random-web-admin-password=false.
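The Flyte Admin issue above comes down to a static OAuth client whose secret is public (it ships in the Helm chart's Propeller configmap), so anyone who has read the chart can present it and be treated as Propeller. The following is an added example, not Flyte's own code: a toy static-client credential check plus the two things an operator wants, a lint that reports whether a deployed config still accepts a shipped default secret, and a re-keying step that replaces it. The client id 'flytepropeller', the default secret string, the config layout and the hashing scheme (hashlib.scrypt standing in for bcrypt) are all constructed for this example and are not the real values or the real Flyte config format.

```python
"""Added example (not Flyte's code): demonstrate and detect a shipped default
client secret in a static-client authorization server.

Stand-ins used here, none of which are the real Flyte values:
- client id 'flytepropeller' and SHIPPED_DEFAULT_SECRET are constructed;
- the config dict is a simplified stand-in for Flyte Admin's static-client
  section;
- hashlib.scrypt (stdlib) stands in for bcrypt so this runs offline.
"""
import hashlib
import hmac
import os
import secrets

# Constructed stand-in for the plaintext that the Helm chart puts in the
# Propeller configmap. Anyone who can read the public chart knows it.
SHIPPED_DEFAULT_SECRET = "changeme-propeller-secret"
SALT_LEN = 16
SCRYPT_PARAMS = dict(n=2**12, r=8, p=1, dklen=32)


def hash_secret(secret: str, salt: bytes = None) -> str:
    """Salted scrypt hash encoded as 'scrypt$<salt-hex>$<digest-hex>'."""
    salt = salt if salt is not None else os.urandom(SALT_LEN)
    digest = hashlib.scrypt(secret.encode(), salt=salt, **SCRYPT_PARAMS)
    return f"scrypt${salt.hex()}${digest.hex()}"


def verify_secret(secret: str, stored: str) -> bool:
    """Constant-time comparison of a candidate secret against a stored hash."""
    scheme, salt_hex, digest_hex = stored.split("$")
    if scheme != "scrypt":
        return False
    candidate = hashlib.scrypt(secret.encode(), salt=bytes.fromhex(salt_hex), **SCRYPT_PARAMS)
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


# Stand-in for the static-client section of a shipped config. In a real chart
# the hash is a fixed string; a fixed salt keeps this value stable across runs.
SHIPPED_DEFAULT_CONFIG = {
    "staticClients": {
        "flytepropeller": {
            "client_secret_hash": hash_secret(SHIPPED_DEFAULT_SECRET, salt=b"\x00" * SALT_LEN),
        },
    },
}


class StaticClientAuthorizer:
    """Minimal model of the client-credential check an authorization server does."""

    def __init__(self, config: dict):
        self.clients = config["staticClients"]

    def authenticate(self, client_id: str, client_secret: str) -> bool:
        client = self.clients.get(client_id)
        if client is None:
            return False
        return verify_secret(client_secret, client["client_secret_hash"])


def find_default_secrets(config: dict, known_defaults=(SHIPPED_DEFAULT_SECRET,)) -> list:
    """Lint: return client ids whose hash still verifies against a known shipped
    secret. Verifying the plaintext (rather than string-comparing the hash)
    also catches a config that re-salted the same default secret."""
    findings = []
    for client_id, client in config["staticClients"].items():
        if any(verify_secret(d, client["client_secret_hash"]) for d in known_defaults):
            findings.append(client_id)
    return findings


def harden(config: dict):
    """Re-key every static client with a fresh random secret and fresh hash.

    Returns (new_config, {client_id: new_plaintext}); the plaintexts are what
    the operator must push into the Propeller side (its configmap/secret), and
    the hashes go into the Admin side, replacing the shipped defaults."""
    new_config = {"staticClients": {}}
    plaintexts = {}
    for client_id in config["staticClients"]:
        secret = secrets.token_urlsafe(32)
        plaintexts[client_id] = secret
        new_config["staticClients"][client_id] = {"client_secret_hash": hash_secret(secret)}
    return new_config, plaintexts


if __name__ == "__main__":
    # Attacker with only the public chart authenticates as Propeller.
    print("default config accepts chart secret:",
          StaticClientAuthorizer(SHIPPED_DEFAULT_CONFIG).authenticate("flytepropeller", SHIPPED_DEFAULT_SECRET))
    print("lint findings:", find_default_secrets(SHIPPED_DEFAULT_CONFIG))
    fixed, new_secrets = harden(SHIPPED_DEFAULT_CONFIG)
    print("after re-key, chart secret accepted:",
          StaticClientAuthorizer(fixed).authenticate("flytepropeller", SHIPPED_DEFAULT_SECRET))
    print("lint findings after re-key:", find_default_secrets(fixed))
```

Note that the lint verifies the known plaintext against each stored hash instead of comparing hash strings; a deployment that regenerated the hash but kept the chart's plaintext would otherwise pass. Re-keying only helps if both halves are changed together: the new hash on the Admin side and the matching new plaintext on the Propeller side.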