You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
glustercli at the moment uses the GD2 secret directly to generate a JWT auth token. This is not secure. Clients to GD2 are not supposed to be accessing GD2's auth secret directly. They should instead be provided a token from GD2, which they need to pass on when making their ReST calls.
Currently, GD2 creates a secret file with a random secret when starting, which used for JWT token validation. I propose that in addition to this secret file, an additional token file be generated which would contain the token to be used by glustercli.
glustercli should use this default token file, and provide ways to specify an explicit token (env-variable/CLI options).
I only came upon the issue when reviewing #1021. Refer my comment for more context.
glustercliat the moment uses the GD2 secret directly to generate a JWT auth token. This is not secure. Clients to GD2 are not supposed to be accessing GD2's auth secret directly. They should instead be provided a token from GD2, which they need to pass on when making their ReST calls.Currently, GD2 creates a secret file with a random secret when starting, which used for JWT token validation. I propose that in addition to this secret file, an additional token file be generated which would contain the token to be used by
glustercli.glusterclishould use this default token file, and provide ways to specify an explicit token (env-variable/CLI options).I only came upon the issue when reviewing #1021. Refer my comment for more context.