`ZEEBE_GATEWAY_SECURITY_AUTHENTICATION_MODE:none` does not disable Identity-based authentication #18726
Comments
Likelihood high because it is documented as such, and severity mid because there is a workaround present. We should probably resolve this in the helm charts.
I believe the culprit is: https://github.com/camunda/camunda-platform-helm/blob/95625f4295bcf141cf434a50f2005f7489aa00d9/charts/camunda-platform-alpha/templates/zeebe-gateway/configmap.yaml#L18-L21

```yaml
{{- if .Values.zeebe.enabled -}}
kind: ConfigMap
metadata:
  name: {{ include "zeebe.fullname.gateway" . }}-configuration
  labels:
    {{- include "zeebe.labels.gateway" . | nindent 4 }}
apiVersion: v1
data:
  gateway-log4j2.xml: |
  {{- if .Values.zeebeGateway.log4j2 }}
    {{ .Values.zeebeGateway.log4j2 | indent 4 | trim }}
  {{- end }}
  {{- if .Values.zeebeGateway.configuration }}
  application.yaml: |
    {{ .Values.zeebeGateway.configuration | indent 4 | trim }}
  {{- else }}
  application.yaml: |
    {{- if .Values.global.identity.auth.enabled }}
    spring:
      profiles:
        active: "identity-auth"
```
My thought is that we should change that the profile is not made active on the gateway if the
@aabouzaid and I investigated resolving this in the helm charts. Our first thought was that the value of the environment variable

We then explored some ideas how we could ensure that the spring profile

A better solution is to allow users of Zeebe Gateway to both enable the

Next, I'll explore what the
## Description

As documented, the authentication of the Gateway can be completely disabled by setting `security.authentication.mode: none`.

> The authentication could be disabled by setting `security.authentication.mode: none` in the Gateway configuration file or via `ZEEBE_GATEWAY_SECURITY_AUTHENTICATION_MODE=none` as environment variable.

See: https://docs.camunda.io/docs/self-managed/zeebe-deployment/security/client-authorization/#camunda-identity-authorization

For the GRPC API, this already works because we explicitly apply the security configuration:

https://github.com/camunda/camunda/blob/a5a1003acfbe210482b38eea445d880f3f0023f6/zeebe/gateway-grpc/src/main/java/io/camunda/zeebe/gateway/Gateway.java#L387

For the REST API, the security configuration is controlled through Spring magic. This made it easy to fix, but hard to test. The only solution I could think of was an integration test in the same style as `GatewayAuthenticationIdentityIT`.

https://github.com/camunda/camunda/blob/a5a1003acfbe210482b38eea445d880f3f0023f6/dist/src/main/java/io/camunda/zeebe/shared/security/SecurityConfiguration.java#L62-L64

## Related issues

closes #18726
Describe the bug
It should be possible to set the env var `ZEEBE_GATEWAY_SECURITY_AUTHENTICATION_MODE=none`, then use the Zeebe REST API without authenticating via Identity/Keycloak as mentioned in our docs.
To Reproduce
The result is a 401 Unauthorized error.
Expected behavior
Setting `ZEEBE_GATEWAY_SECURITY_AUTHENTICATION_MODE` to `none` should disable Identity-based authentication.
Hint
Customer said that: If the spring.profiles.active: identity-auth in zeebe-gateway/configmap.yaml is commented-out/deactivated, then the Identity-based authentication is disabled.
Environment:
Related to support case SUPPORT-22024
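
A pre-deployment check for the mismatch reported in this issue, as an added example that is not part of the thread or the Camunda code base: it flags a rendered gateway configuration where the environment requests `none` while `application.yaml` still activates the `identity-auth` profile. The function names and the sample input are constructed for illustration, and the result models the behaviour described above before the fix.

```python
import re

MODE_VAR = "ZEEBE_GATEWAY_SECURITY_AUTHENTICATION_MODE"
IDENTITY_PROFILE = "identity-auth"

# Constructed sample: the application.yaml the quoted template renders when
# global.identity.auth.enabled is true.
RENDERED_APP_YAML = """\
spring:
  profiles:
    active: "identity-auth"
"""


def active_profiles(app_yaml):
    """Return the Spring profiles activated in application.yaml text.

    Line scan, not a YAML parser (assumption: the file has the simple shape
    the chart renders). Commented-out lines do not match.
    """
    profiles = set()
    for line in app_yaml.splitlines():
        m = re.match(r"\s*(?:spring\.profiles\.)?active:\s*(.*)", line)
        if m:
            # Drop a trailing comment and surrounding quotes, then split the list.
            value = m.group(1).split("#", 1)[0].strip().strip("\"'")
            profiles.update(p.strip() for p in value.split(",") if p.strip())
    return profiles


def check_gateway_auth(env, app_yaml):
    """Model of the behaviour reported in the issue (before the fix):
    the REST API follows the Spring profile, not the authentication mode."""
    mode = env.get(MODE_VAR, "").strip().lower()
    identity_profile = IDENTITY_PROFILE in active_profiles(app_yaml)
    return {
        "mode_is_none": mode == "none",
        "rest_identity_enforced": identity_profile,
        # The reported state: operator asked for "none", REST still answers 401.
        "conflict": mode == "none" and identity_profile,
    }


if __name__ == "__main__":
    print(check_gateway_auth({MODE_VAR: "none"}, RENDERED_APP_YAML))
```
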