Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

CDM session credential pass-through. #2367

Open
natb1 opened this issue Apr 30, 2024 · 0 comments
Open

CDM session credential pass-through. #2367

natb1 opened this issue Apr 30, 2024 · 0 comments

Comments

@natb1
Copy link

natb1 commented Apr 30, 2024

Expected behavior

Not a bug - looking for clarification on the documentation and code.

Ideally, one might hope that the session credentials provided by the available identity providers (kerberos, openid, etc.) would be passed along to the CDM data sources to enforce access control at that layer. Furthermore, some users may infer that this level of security exists (possibly incorrectly) after going through the workflow they are familiar with for logging in to their identify provider / domain.

Actual behavior

As far as I can tell from reading the documents and the code, those tokens are only used (via the Shiro framework) to control access to the operational/postgres DB. Credentials for the CDM seem to be handled on a source by source basis, but generally the pattern seems to be using an application service account without passing through any session credentials.

To avoid confusion, it's clear that there are strong RBAC for webapi resources (in postgres/etc.) using the Shiro framework, and in a way this delegates the permissions of the CDM service account. This question is NOT about how session credential are passed from the client to the webapi. Instead, I am looking for clarification on which credentials are passed from the webapi to the CDM.

Question

Does the webapi make an effort to "pass-through" session credentials to the CDM data source in any way, or is the above description accurate?

For example, after going through an oauth flow, a user might expect that this is happening, but it is not clear if that is the case.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

1 participant