Details
Improvement
Resolution: Done
Major
None
Description
Roles PRD: https://docs.google.com/document/d/1_xUt5MzvlQH4du5ksK_dqfes6zcHpQDqGDYgQGYjiX4/edit?usp=sharing
The admin REST endpoint is unauthenticated. The documentation encourages binding it to localhost so that only local access to the machine is possible. The only way to allow external access is something clunky like SSH tunneling, or firewall rules that allow restricted access to the machine.
This has several limitations:
1) Users are developing their own backend "admin UI applications", external monitoring apps, authentication servers etc. that need to be able to reach the admin API remotely. Users are relying on mechanisms like bastion hosts, HAProxy and firewalls to restrict access; this is not always practical.
2) With distributed edge deployments, the need to remotely connect to and administer Sync Gateway over a public network becomes more likely.
3) Anyone with access to the machine (through the mechanisms indicated earlier) can administer the admin API. So while access is restricted to specific machine(s), there is no user authentication to restrict access at the user level. Additionally, there are scenarios where different users should be allowed different roles (read-only, read-write, monitor etc.). Customer company policies impose user-level restrictions and they need a way to enforce them.
Leveraging RBAC users to enforce admin API access would be a likely candidate for implementation.
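The sketch below is an added illustration of what such enforcement could look like, not Sync Gateway's own code or its eventual implementation. It is a small Go HTTP middleware placed in front of an admin handler: HTTP Basic credentials are mapped to one of the three roles the ticket names (read-only, read-write, monitor), and each request is then checked against a method/path policy. The user table, the passwords, the admin port 4985 and the `/_expvar` and `/_stats` prefixes that the monitor role is allowed to read are all constructed assumptions for the example; a real deployment would look users up in the RBAC store and store hashed credentials.

```go
package main

import (
	"crypto/subtle"
	"fmt"
	"log"
	"net/http"
	"strings"
)

// Role names match the roles listed in the ticket; the policy attached to
// each role is illustrative.
type Role string

const (
	RoleReadOnly  Role = "read-only"
	RoleReadWrite Role = "read-write"
	RoleMonitor   Role = "monitor"
)

// users is a constructed sample table mapping Basic-auth users to a role.
// Plaintext passwords are only acceptable in this illustration; a real
// deployment would store hashes and consult the RBAC backend.
var users = map[string]struct {
	password string
	role     Role
}{
	"alice":  {"alice-pw", RoleReadWrite},
	"bob":    {"bob-pw", RoleReadOnly},
	"nagios": {"nagios-pw", RoleMonitor},
}

// monitorPrefixes are the only admin paths the monitor role may read.
// These prefixes are assumed for the example.
var monitorPrefixes = []string{"/_expvar", "/_stats"}

func isReadMethod(m string) bool {
	return m == http.MethodGet || m == http.MethodHead || m == http.MethodOptions
}

// Authorize decides whether a role may perform method on path.
// Unknown roles and unlisted cases are denied (fail closed).
func Authorize(role Role, method, path string) bool {
	switch role {
	case RoleReadWrite:
		return true
	case RoleReadOnly:
		return isReadMethod(method)
	case RoleMonitor:
		if !isReadMethod(method) {
			return false
		}
		for _, p := range monitorPrefixes {
			if path == p || strings.HasPrefix(path, p+"/") {
				return true
			}
		}
		return false
	}
	return false
}

// Authenticate checks Basic-auth credentials in constant time and returns
// the user's role.
func Authenticate(user, pass string) (Role, bool) {
	u, ok := users[user]
	if !ok || subtle.ConstantTimeCompare([]byte(u.password), []byte(pass)) != 1 {
		return "", false
	}
	return u.role, true
}

// RequireRBAC wraps an admin handler: missing or bad credentials get 401,
// an authenticated user outside their role's policy gets 403.
func RequireRBAC(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		user, pass, ok := r.BasicAuth()
		role, authed := Authenticate(user, pass)
		if !ok || !authed {
			w.Header().Set("WWW-Authenticate", `Basic realm="admin"`)
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		if !Authorize(role, r.Method, r.URL.Path) {
			http.Error(w, "forbidden", http.StatusForbidden)
			return
		}
		next.ServeHTTP(w, r)
	})
}

func main() {
	// Stand-in for the real admin API handler.
	admin := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprintf(w, "admin %s %s ok\n", r.Method, r.URL.Path)
	})
	// Port 4985 is assumed; keep the listener behind TLS when exposed remotely.
	log.Println("listening on 127.0.0.1:4985")
	log.Fatal(http.ListenAndServe("127.0.0.1:4985", RequireRBAC(admin)))
}
```

Two practical points follow from the ticket's own scenarios: because point 2 anticipates administration over a public network, Basic credentials must only ever travel over TLS, and the policy is written to deny by default so that a user with an unrecognised role, or a monitor user probing a non-monitoring path, is refused rather than let through.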