Deprecate "staging_upload_user" and "staging_upload_password" #3119

Open
@jochenehret

Issue

Deprecate the staging.auth.user and staging.auth.password credentials. They are used to protect some internal endpoints, but those have been secured with mTLS in the meantime.

Background: We need to ensure that all passwords are rotated regularly. We've enabled a password rotation and detected no downtimes for cf push or any other operation. If the credentials are not really used anymore, it would of course be better to remove them entirely.

Context

The staging_upload_user/staging_upload_password are used to protect the following endpoints with basic authentication:

  1. GET /staging/packages/:guid
    https://github.com/cloudfoundry/cloud_controller_ng/tree/main/docs/internal#get-stagingpackagesguid

  2. GET /staging/v3/droplets/:guid/download
    https://github.com/cloudfoundry/cloud_controller_ng/tree/main/docs/internal#get-stagingv3dropletsguiddownload

  3. GET /staging/v3/buildpack_cache/:stack/:app_guid/download
    https://github.com/cloudfoundry/cloud_controller_ng/tree/main/docs/internal#get-stagingv3buildpack_cachestackapp_guiddownload

The three endpoints above are only used for the "NFS server mounted on the CC" scenario. Is this still a supported setup?

  1. GET /staging/jobs/:guid
    https://github.com/cloudfoundry/cloud_controller_ng/blob/ec8558268aa59131580a050f8870b8a5f5f69c57/app/presenters/api/staging_job_presenter.rb

Looks like dead code as the http scheme is not used anymore.

  1. GET /v2/buildpacks/:guid/download
    https://github.com/cloudfoundry/cloud_controller_ng/tree/main/docs/internal#get-v2buildpacksguiddownload
    authenticate_basic_auth("#{path}/*/download") do

Not in use anymore as Diego downloads directly from blobstore?

  1. blobstore_url_generator
    user: config.get(:staging, :auth, :user),

This function is used in different places:

https://github.com/cloudfoundry/cloud_controller_ng/blob/ec8558268aa59131580a050f8870b8a5f5f69c57/app/controllers/runtime/stagings_controller.rb
-> no use of blobstore_url_generator

get '/internal/v2/droplets/:guid/:droplet_checksum/download', :download_droplet_http

For internal endpoint GET /internal/v4/droplets/:guid/:droplet_checksum/download:
https://github.com/cloudfoundry/cloud_controller_ng/tree/main/docs/internal#get-internalv4dropletsguiddroplet_checksumdownload
-> in use, but without basic auth?
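One way to answer the "still in use?" questions above is to match access-log requests against the route templates listed in the issue and count hits per endpoint. This is an added example, not part of the original issue or of cloud_controller_ng; the `METHOD PATH STATUS` log format and the sample lines are assumptions constructed for illustration.

```ruby
# Added example, not cloud_controller_ng code. Route templates are copied from
# the issue; the log line format ("METHOD PATH STATUS") is an assumption.
ROUTES = [
  'GET /staging/packages/:guid',
  'GET /staging/v3/droplets/:guid/download',
  'GET /staging/v3/buildpack_cache/:stack/:app_guid/download',
  'GET /staging/jobs/:guid',
  'GET /v2/buildpacks/:guid/download',
  'GET /internal/v4/droplets/:guid/:droplet_checksum/download'
].freeze

# Turn "GET /a/:param/b" into [verb, anchored regex]; each :param matches
# exactly one path segment, and an optional query string is tolerated.
def compile_route(template)
  verb, path = template.split(' ', 2)
  pattern = path.split('/').map { |seg| seg.start_with?(':') ? '[^/?]+' : Regexp.escape(seg) }.join('/')
  [verb, /\A#{pattern}(?:\?.*)?\z/]
end
COMPILED = ROUTES.to_h { |t| [t, compile_route(t)] }.freeze

# Count requests per route template. Routes with zero hits stay in the result
# so that unused endpoints are visible.
def endpoint_usage(log_lines)
  counts = ROUTES.to_h { |t| [t, 0] }
  log_lines.each do |line|
    verb, path, _status = line.split
    next if verb.nil? || path.nil?
    hit = COMPILED.find { |_t, (v, re)| v == verb && re.match?(path) }
    counts[hit[0]] += 1 if hit
  end
  counts
end

def unused_endpoints(log_lines)
  endpoint_usage(log_lines).select { |_t, n| n.zero? }.keys
end

# Constructed sample log lines (GUIDs and checksums are made up).
SAMPLE_LOG = [
  'GET /internal/v4/droplets/1111-aaaa/abc123/download 200',
  'GET /internal/v4/droplets/2222-bbbb/def456/download 200',
  'GET /v2/buildpacks/3333-cccc/download?x=1 401',
  'POST /staging/packages/4444-dddd 404',
  'GET /staging/packages/4444-dddd/extra 404',
  'GET /v3/apps 200'
].freeze

endpoint_usage(SAMPLE_LOG).each { |route, n| puts format('%4d  %s', n, route) } if __FILE__ == $PROGRAM_NAME
```

Zero hits over a representative log window is evidence that an endpoint is unused, not proof; the window has to cover staging, restarts and any NFS-backed deployments.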