Read-only credentials #628
Follow up to #381, #59.
Related: #59 (comment)
It would be nice to have an option for different users for write / read permissions (without anonymous reads).
The use case is a company private cache where only CI is allowed to write to the cache but developers are allowed to pull from the cache.

Comments

bazel-remote doesn't currently have an authorization library (I don't think htpasswd files support this, and I'm not sure of a good/general way to configure this for mTLS). So the only way I can think you could do this right now would be to use a second proxy server for authenticated-but-readonly access:
I'm open to suggestions for libraries that could support this entirely inside bazel-remote.

Thanks for getting back so quickly. We are currently running the solution with a proxy in front (and bazel-remote works neatly, FTR). But that means we're running a full nginx just to check a passwd file. I've had a look: it seems go-http-auth supports retrieving the username that is authenticated: when bazel-remote calls Line 428 in d8e9f56
That lands here: So it seems we could:
Having a "duplicate" of the user list in htpasswd and the config is arguably not super nice. An alternative would be to have two htpasswd files, one for read users and one for write users. This then would leave us with the following options:
WDYT? I'm happy to give any of these a shot and send a PR if you think any of them is a viable option.

I've been thinking about this, and I'm a little worried about letting the features diverge between mTLS and basic auth. So I think we should do a bit more research to see what other options there are first. In the meantime, I think running a separate proxy as you are doing is a reasonable solution.

That's a good point. My initial thought was that we could use the common name on the subject of the client certificate. What will get a bit trickier is that there can be multiple usernames now (technically multiple TLS certificates or from basic auth), so we need to check that at least one is authorized. All that being said, it is true that this is getting quite non-trivial. So I empathize with the desire of seeing if there is a library in the ecosystem somewhere that does that (or is configurable to do that). I'm not sure I'm a good help here though (I have done a lot of Go, but not OSS, so I have zero clues how to navigate the ecosystem).