[FOLIO-778] Enforce permissions on Okapi administrative endpoints in CI builds Created: 16/Aug/17  Updated: 15/Jul/20  Resolved: 15/Jul/20

Status: Closed
Project: FOLIO
Components: None
Affects versions: None
Fix versions: None

Type: Task
Priority: P3
Reporter: Wayne Schneider
Assignee: Wayne Schneider
Resolution: Done
Votes: 0
Labels: ci
Remaining Estimate: Not Specified
Time Spent: 30 minutes
Original estimate: Not Specified

Issue links:
Blocks
blocks FOLIO-1134 Secure public AWS instances Open
Duplicate
is duplicated by FOLIO-1798 add Ansible role to secure Okapi inst... Closed
Relates
relates to FOLIO-1446 folio-ansible: update create-tenant-a... Closed
relates to OKAPI-362 Set up permissions for internal module Closed
relates to FOLIO-1336 bootstrap necessary user data in orde... Closed
relates to OKAPI-388 Preload permission(set)s when enablin... Closed
Sprint:
Development Team: Core: Platform

 Description   

We should set up mod-users, mod-login, mod-permissions, and mod-authtoken for the Okapi supertenant, create a user, and require login to update Okapi admin endpoints.



 Comments   
Comment by Wayne Schneider [ 23/Aug/17 ]

This will have to await the release of Okapi 1.10.0

Comment by Wayne Schneider [ 16/Mar/18 ]

Reopening this issue; it is a better description of what needs to be done than FOLIO-759 (Open).

Comment by Wayne Schneider [ 27/Jul/18 ]

See https://github.com/folio-org/okapi/blob/master/doc/securing.md

Comment by Wayne Schneider [ 29/Aug/18 ]

Heikki Levanto, John Malconian (and other interested parties) – what is the best approach here?

It seems like the best procedure to document (in https://github.com/folio-org/folio-install) and implement (in https://github.com/folio-org/folio-ansible) would be to secure the supertenant first, then build the rest of the system using the supertenant superuser you create (see FOLIO-1336, Closed). The only problem I have is that then there are really kind of two superusers – one for the supertenant, and one for the created tenant – but maybe that's OK (after all, there may be many tenants, not just one).

Other thoughts?

Comment by John Malconian [ 30/Aug/18 ]

It seems like the best procedure to document (in https://github.com/folio-org/folio-install) and implement (in https://github.com/folio-org/folio-ansible) would be to secure the supertenant first, then build the rest of the system using the supertenant superuser you create (see FOLIO-1336, Closed).

Agreed

Comment by Wayne Schneider [ 15/Jul/20 ]

This was done long ago.
