Comments (12)
Derek add label: proposal
from faas-provider.
Hi @MineMS49 ,
What is your use-case and the motivation for this?
How does the available /system/functions endpoint not work in that case?
I suppose you need the functions list without authentication. Can you give us more details?
Thanks,
Ivana
from faas-provider.
Thank you for the reply @ivanayov,
The use case is pretty simple:
A user calls a function
A filtering function receives parameters and permission for this user
Before sending the request, it checks if the function exists
It sends the request
It pulls back to the user the result
Here, as /system/functions can be accessed only with authentication, there is no other way to check if the function called exists.
It annoys me to enter credentials in the filter function that's why I'm looking for an endpoint that has the list of all functions without authentication.
Of course, getting the functions list from /system/functions is possible and there's no problem with that. The point is, between the interface and the service, there is external access that can listen and read packets passing by.
from faas-provider.
Let's get some feedback on your proposal from the community.
I think it can be a security leak to give access to function names in production.
But meanwhile you can solve your problem by checking if the function url exists. Would that work for you?
from faas-provider.
Ok, I understand more of the problem that can lead to a security leak. I thought about it and I suggest a slightly different proposal:
→ Add a new user to OpenFaaS which has read-only access to a new endpoint. This means there are no more issues with the admin credential and also, as it still needs authentication, no information will be exposed.
From my point of view it's a feature that can be added, but not enabled by default to prevent any bad use.
I made a visual explanation of the current situation and the proposal I'm talking about.
from faas-provider.
Derek set title: Add non-admin user with read-only permissions
from faas-provider.
Derek add label: proposal
from faas-provider.
Thanks for your proposal @MineMS49
We need to figure out what a non-admin user would mean in terms of OpenFaaS.
If it is restricted to only listing functions, then it might be over-engineering to create such a user, but let's see what people think.
There can be use-cases like yours, where this is good-to-have.
@alexellis @LucasRoesler @johnmccabe @ewilde any thoughts?
from faas-provider.
Meanwhile, did the URL check help you?
One more suggestion is to store the credentials in a sealed secret used by the filter function. This way you will not need any extra effort to provide them. (Using secrets)
from faas-provider.
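Added example, not part of the thread or of the OpenFaaS code base: a sketch of how the filter function could read gateway credentials from its mounted secrets and reduce the authenticated /system/functions response to the set of function names. The secret file names `gateway-user` and `gateway-password` are hypothetical; the gateway URL is the one quoted in the thread, and /var/openfaas/secrets is the directory where OpenFaaS mounts function secrets.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/http"
	"os"
	"path/filepath"
	"strings"
	"time"
)

// functionNames authenticates to GET /system/functions and keeps only "name".
func functionNames(gateway, secretDir string) (map[string]bool, error) {
	var cred [2]string
	for i, n := range []string{"gateway-user", "gateway-password"} { // hypothetical secret names
		b, err := os.ReadFile(filepath.Join(secretDir, n)) // credentials never live in code or env
		if err != nil {
			return nil, err
		}
		cred[i] = strings.TrimSpace(string(b))
	}
	req, err := http.NewRequest(http.MethodGet, gateway+"/system/functions", nil)
	if err != nil {
		return nil, err
	}
	req.SetBasicAuth(cred[0], cred[1])
	resp, err := (&http.Client{Timeout: 5 * time.Second}).Do(req)
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return nil, fmt.Errorf("gateway returned %s", resp.Status) // fail closed: no list, no forwarding
	}
	var list []struct{ Name string `json:"name"` } // every other field is dropped
	if err := json.NewDecoder(resp.Body).Decode(&list); err != nil {
		return nil, err
	}
	names := make(map[string]bool, len(list))
	for _, f := range list {
		names[f.Name] = true
	}
	return names, nil
}

func main() {
	fmt.Println(functionNames("http://localhost:8080", "/var/openfaas/secrets"))
}
```

Basic auth over plain HTTP is readable on the path between the filter and the gateway, which is the concern raised earlier in the thread, so the gateway URL should be a TLS endpoint or an in-cluster address.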
I'm still trying to understand the use-case and I'm not quite getting to that yet. This proposal is starting to look really complicated.
What is the trouble/issue as you are experiencing it now? Perhaps there is more than one way to resolve the issue for you other than the solution being proposed. I do find it helps to dig deeper into the issue rather than starting with a solution.
I'm hearing that you want to list functions without any security protecting that endpoint/method?
Alex
from faas-provider.
I suppose I explained my problem the hard way.
What I'm looking for is exactly a list of functions' names without authentication.
If it leads to security issues I was wondering if it's possible to add another user, non-admin user with read-only permissions, to retrieve the JSON located at http://localhost:8080/system/functions.
The fact is, on this JSON, I just need the "name" key values. I thought it could be easier to create another JSON with only "name" key values.
from faas-provider.
@MineMS49 I am going to close this issue, but feel free to comment and revisit if needed.
from faas-provider.