Should we turn off auth by default ? #1380
+1 for linking openapi from the console. IIRC we had this with v1, at least in the upstream version. When it comes to disabling auth by default, I'm having a hard time with this. I think we had this a few times in the past, and are still struggling with this right now. Having "auth" as an afterthought just opens up too many cracks in implementation and design. Just assume a default instance of postgres or openssh would come with auth disabled. If you absolutely want to disable authn/authz, then ok, having a Today, we have a bare minimum. And we do already know that having a more complex, finer-grained approach is absolutely necessary. Having a reasonably good starter guide, it shouldn't be an issue to document something like: If you just want to try out Trustify, we recommend starting it with
Auth is important, but I wonder if we make it too hard for first-time users to introspect (via the browser) the REST APIs by having auth enabled by default. I would also like to make it easier for both auth/non-auth users to refer back to the REST API from the UX/browser.
We might consider having auth only on mutation, or maybe enable default off?
We should by all means have a rigorous auth story, but it feels like we are hiding the REST API, which can be another 'front door' ... while I am at it ... we have no link from the front page to the /openapi ... there is more we could do in terms of simple things to make the UX more useful for end users.
Thoughts?