[OKAPI-762] Add read permission for discovery/deployment endpoints Created: 23/Sep/19 Updated: 21/Feb/20 Resolved: 09/Oct/19 |
|
| Status: | Closed |
| Project: | Okapi |
| Components: | None |
| Affects versions: | None |
| Fix versions: | 2.34.0 |
| Type: | New Feature | Priority: | P2 |
| Reporter: | Ian Hardy | Assignee: | Adam Dickmeiss |
| Resolution: | Done | Votes: | 0 |
| Labels: | platform-backlog, security |
| Remaining Estimate: | Not Specified |
| Time Spent: | Not Specified |
| Original estimate: | Not Specified |
| Issue links: |
|
| Sprint: | CP: sprint 74 |
| Story Points: | 1 |
| Development Team: | Core: Platform |
| Description |
|
On the reference environments, getting _/discovery/modules will show deployment descriptors that include database connection secrets. Example: https://folio-snapshot-okapi.aws/_/discovyer/modules Consider using a required permission like what is required to view the _/env endpoint or some other approach to better secure the system. |
| Comments |
| Comment by Adam Dickmeiss [ 24/Sep/19 ] |
|
We could add permissions to access these for the internal Okapi module. I believe this would be an incompatible change. If a UI or other reads the env or discovery that would have to be changed or just not shown. Perhaps not the case, so I do think that in virtually all cases, you would do the env/discover in the same areas as you'd do deployment... |
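
An operator-side check for the exposure described in this issue, added here as an example and not part of the ticket or of Okapi's code: it takes the JSON body returned by _/discovery/modules, reports which deployment descriptors carry secret-looking environment values, and returns a masked copy. The field layout (`srvcId`, `descriptor.env` entries with `name`/`value`), the hint list and the sample data are assumptions constructed for illustration.

```python
import json

# Substrings that mark an environment variable name as secret-bearing (assumed list).
SECRET_HINTS = ("PASSWORD", "PASSWD", "SECRET", "TOKEN", "KEY")

# Constructed sample shaped like a GET _/discovery/modules response body (assumed layout).
SAMPLE_RESPONSE = json.dumps([
    {
        "srvcId": "mod-example-1.0.0",
        "instId": "inst-1",
        "url": "http://10.0.0.5:9130",
        "descriptor": {
            "dockerImage": "example/mod-example:1.0.0",
            "env": [
                {"name": "DB_HOST", "value": "db.internal"},
                {"name": "DB_USERNAME", "value": "folio"},
                {"name": "DB_PASSWORD", "value": "constructed-password"},
            ],
        },
    },
    # A deployment registered by URL only, with no launch descriptor.
    {"srvcId": "mod-other-2.1.0", "instId": "inst-2", "url": "http://10.0.0.6:9131"},
])


def is_secret_name(name):
    """True when an env variable name suggests it carries a credential."""
    upper = name.upper()
    return any(hint in upper for hint in SECRET_HINTS)


def audit_discovery(body):
    """Return (findings, redacted) for a discovery/modules JSON body.

    findings: list of (srvcId, env name) pairs whose values are exposed.
    redacted: the parsed structure with those values masked.
    """
    deployments = json.loads(body)
    findings = []
    for dep in deployments:
        # Tolerate deployments that have no descriptor or no env list.
        env = (dep.get("descriptor") or {}).get("env") or []
        for entry in env:
            if is_secret_name(entry.get("name", "")) and entry.get("value"):
                findings.append((dep.get("srvcId"), entry["name"]))
                entry["value"] = "***"
    return findings, deployments
```

A non-empty `findings` list from a response fetched without credentials means the endpoint is readable without the permission this issue asks for.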