Various authn/z related issues

(Alm. Brand Docker admins) #1
  1. I can log in as any LDAP user (who is not UCP admin) and direct my browser at https://<ucp-controller>/#/users or https://<ucp-controller>/#/settings to change settings otherwise reserved for UCP admins. This also ‘works’ with “built-in” auth mode for non-admin users.

  2. The “search account password” field in the /#/settings GUI contains the saved password in plaintext, also once settings have been saved. Combined with the above, it means that any user can read the password of the search account using e.g. Chrome Dev Tools and changing the input type from “password” to “text”.

  3. When auth method is set to “built-in”, I can occasionally see the entire list of containers, even if logged in with a user who only has access to some labels. I have seen this happening when returning from removing a container which had a label that my user could control (“Full control”).

  4. With LDAP auth mode, I have no way to specify a minimum access level for users or groups, rendering them unable to list containers at all, even the ones they have access to through labels assigned to teams they are members of. Example:

{"level":"warning","msg":"access denied: method=GET path=/containers/json user=********","time":"2016-02-17T15:47:11Z"}
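The UCP warning quoted above is a JSON line with the method, path and user embedded in `msg`. The following script is an added example (not code from the original post or from Docker UCP) that parses such lines and summarizes who is being denied on which endpoint, so an admin can spot users who are blocked from listing containers (the symptom described in item 4) before they report it. The log lines it runs on are constructed in the same shape as the quoted one; the user names and the extra `"request ok"` line are assumptions, not real UCP output.

```python
import json
import re
from collections import Counter

# Constructed sample log lines in the shape of the UCP warning quoted in the post.
# "request ok" and the user names are assumptions made for this example.
SAMPLE_LOG = """\
{"level":"warning","msg":"access denied: method=GET path=/containers/json user=alice","time":"2016-02-17T15:47:11Z"}
{"level":"info","msg":"request ok: method=GET path=/info user=bob","time":"2016-02-17T15:47:12Z"}
{"level":"warning","msg":"access denied: method=GET path=/containers/json user=alice","time":"2016-02-17T15:47:20Z"}
{"level":"warning","msg":"access denied: method=POST path=/containers/create user=carol","time":"2016-02-17T15:48:02Z"}
not json at all
"""

# Matches the msg field of an access-denied warning and captures its parts.
DENIED_RE = re.compile(
    r"^access denied: method=(?P<method>\S+) path=(?P<path>\S+) user=(?P<user>\S+)$"
)


def parse_denied(lines):
    """Yield (user, method, path, time) for every access-denied warning.

    Malformed (non-JSON) lines and non-warning records are skipped rather than
    aborting the run, since a real log file will contain both.
    """
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue
        if rec.get("level") != "warning":
            continue
        m = DENIED_RE.match(rec.get("msg", ""))
        if not m:
            continue
        yield m["user"], m["method"], m["path"], rec.get("time")


def summarize(lines):
    """Return (denials per user, denials per (user, 'METHOD path')) as Counters."""
    per_user = Counter()
    per_user_path = Counter()
    for user, method, path, _time in parse_denied(lines):
        per_user[user] += 1
        per_user_path[(user, f"{method} {path}")] += 1
    return per_user, per_user_path


def users_blocked_from_listing(lines, threshold=1):
    """Users denied GET /containers/json at least `threshold` times.

    This is the exact call that fails for LDAP users who have label access
    but no minimum access level.
    """
    _, per_user_path = summarize(lines)
    return sorted(
        user
        for (user, method_path), count in per_user_path.items()
        if method_path == "GET /containers/json" and count >= threshold
    )


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    _, per_user_path = summarize(lines)
    for (user, method_path), count in sorted(per_user_path.items()):
        print(f"{user:10} {method_path:30} denied {count}x")
    print("blocked from listing containers:", users_blocked_from_listing(lines))
```

Run it against a real controller log by replacing `SAMPLE_LOG.splitlines()` with the lines of the file; a user appearing repeatedly under `GET /containers/json` while belonging to a team with label grants is the case item 4 describes.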

(Alm. Brand Docker admins) #2

I can verify that 1. and 4. have been positively taken care of in 0.9.0 (524de07). I have not managed to reproduce 3., but 2. is still a valid issue.

I’ll open a separate thread for an issue related to what images a user can start containers from, and what labels they have access to.

(Vivek Saraswat) #3

Hi almdocker, thanks for the feedback. We’ll look into 2, and let me know if you reproduce 3.