
Comments (12)

ivanayov avatar ivanayov commented on June 18, 2024

Derek add label: proposal

from faas-provider.

ivanayov avatar ivanayov commented on June 18, 2024

Hi @MineMS49,

What is your use-case and the motivation for this?
How does the available /system/functions endpoint not work in that case?

I suppose you need the functions list without authentication. Can you give us more details?

Thanks,
Ivana


MineMS49 avatar MineMS49 commented on June 18, 2024

Thank you for the reply @ivanayov,

The use case is pretty simple:

A user calls a function
A filtering function receives parameters and permission for this user
Before sending the request, it checks if the function exists
It sends the request
It pulls back to the user the result

Here, as /system/functions can be accessed only with authentication there is no other way to check if the function called exists.
It annoys me to enter credentials in the filter function that's why I'm looking for an endpoint that has the list of all functions without authentication.

Of course, getting the functions list from /system/functions is possible and there's no problem about that. The point is, between the interface and the service, there is external access that can listen to and read packets passing by.


ivanayov avatar ivanayov commented on June 18, 2024

Let's get some feedback on your proposal from the community.
I think it can be a security leak to give access to function names in production.

But meanwhile you can solve your problem by checking if the function url exists. Would that work for you?


MineMS49 avatar MineMS49 commented on June 18, 2024

Ok, I understand more of the problem that can lead to a security leak. I thought about it and I suggest a slightly different proposal:
→ Add a new user to OpenFaaS which has read-only access to a new endpoint. This means there are no more issues with the admin credential and also, as it still needs an authentication, no information will be exposed.

From my point of view it's a feature that can be added, but not enabled by default to prevent any bad use.

I made a visual explanation of the current situation and the proposal I'm talking about.

faas-provider


ivanayov avatar ivanayov commented on June 18, 2024

Derek set title: Add non-admin user with read-only permissions


ivanayov avatar ivanayov commented on June 18, 2024

Derek add label: proposal


ivanayov avatar ivanayov commented on June 18, 2024

Thanks for your proposal @MineMS49

We need to figure out what a non-admin user would mean in terms of OpenFaaS.
If it is restricted to only list functions, then it might be over-engineering to create one, but let's see what people think.
There can be use-cases like yours, where this is good-to-have.

@alexellis @LucasRoesler @johnmccabe @ewilde any thoughts?


ivanayov avatar ivanayov commented on June 18, 2024

Meanwhile, did the URL check help you?

One more suggestion is to store the credentials in a sealed secret used by the filter function. This way you will not need any extra effort to provide them. (Using secrets)


alexellis avatar alexellis commented on June 18, 2024

I'm still trying to understand the use-case and I'm not quite getting to that yet. This proposal is starting to look really complicated.

What is the trouble/issue as you are experiencing it now? Perhaps there is more than one way to resolve the issue for you other than the solution being proposed. I do find it helps to dig deeper into the issue rather than starting with a solution.

I'm hearing that you want to list functions without any security protecting that endpoint/method?

Alex


MineMS49 avatar MineMS49 commented on June 18, 2024

I suppose I explained my problem the hard way.
What I'm looking for is exactly a list of functions' names without authentication.

If it leads to security issues I was wondering if it's possible to add another user, non-admin user with read-only permissions, to retrieve the JSON located at http://localhost:8080/system/functions.

The fact is, on this JSON, I just need the "name" key values. I thought it could be easier to create another JSON with only "name" key values.


alexellis avatar alexellis commented on June 18, 2024

@MineMS49 I am going to close this issue, but feel free to comment and revisit if needed.

from faas-provider.
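
The secret-based approach suggested in the thread, sketched as an added example; it is not part of any comment above and is not OpenFaaS project code. It shows a filter function reading gateway credentials from mounted secret files, calling the authenticated /system/functions endpoint, and keeping only the "name" values. The secret names `gateway-user` and `gateway-password`, the mount path, and the sample listing are assumptions made for illustration.

```python
import base64
import json
import pathlib
import urllib.request

# Assumption: function secrets are mounted as files under this directory.
SECRETS_DIR = pathlib.Path("/var/openfaas/secrets")

# Constructed sample of a /system/functions response (not captured from a real gateway).
SAMPLE_LISTING = ('[{"name": "figlet", "image": "example/figlet:latest"},'
                  ' {"name": "nodeinfo", "image": "example/nodeinfo:latest"}]')


def read_secret(name, secrets_dir=SECRETS_DIR):
    """Read one mounted secret file, so credentials stay out of code and env vars."""
    return (pathlib.Path(secrets_dir) / name).read_text().strip()


def names_from_listing(body):
    """Reduce the /system/functions JSON array to its "name" values only."""
    return sorted(item["name"] for item in json.loads(body)
                  if isinstance(item, dict) and isinstance(item.get("name"), str))


def list_function_names(gateway, user, password, timeout=5):
    """Authenticated GET of /system/functions, returning just the names."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req = urllib.request.Request(
        gateway.rstrip("/") + "/system/functions",
        headers={"Authorization": "Basic " + token},
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return names_from_listing(resp.read())


def function_exists(name, gateway="http://localhost:8080", secrets_dir=SECRETS_DIR):
    """Check the filter function performs before it forwards a request."""
    user = read_secret("gateway-user", secrets_dir)          # hypothetical secret name
    password = read_secret("gateway-password", secrets_dir)  # hypothetical secret name
    try:
        return name in list_function_names(gateway, user, password)
    except OSError:
        # Fail closed: an unreachable gateway or rejected credentials means "do not forward".
        return False
```

Basic auth only encodes the credentials, so the concern raised above about readable packets between the filter and the gateway still calls for TLS on that hop.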
