Bug #3040

[API] Replace is_trusted column and api_clients table with a configurable whitelist of client application URLs

Added by Tom Clegg about 5 years ago. Updated about 6 hours ago.

Status: New
Priority: Normal
Assigned To: -
Category: API
Target version:
Start date:
Due date:
% Done: 0%
Estimated time:
Story points: 3.0

Description

Arbitrary "return_to" targets should not be accepted by the API server's login procedure.

The local workbench address(es) should be allowed. There should also be an admin-configurable, unexported set of other exemptions (e.g., workbench addresses on other trusted clusters). Others should be denied.

The "is_trusted" attribute/conditions and the api_clients table should be removed.

Update text relating to trusted clients on "manage account" page, "make collection-sharing link" feature, and install docs.
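One way to implement the return_to check the description asks for, as an added example that is not Arvados code and not from the issue author: the allowlist is matched on origin (scheme, host and port), so any path or query on a trusted workbench is accepted while lookalike hosts, scheme downgrades, protocol-relative URLs, non-HTTP schemes and userinfo tricks are refused. The workbench addresses in TRUSTED_CLIENT_URLS are assumed values standing in for the admin-configured list.

```ruby
require 'uri'

# Added example (not Arvados code). Stand-in for the configured list of
# client application URLs: the local workbench address(es) plus the
# admin-configured exemptions. Both entries are assumed addresses.
TRUSTED_CLIENT_URLS = [
  'https://workbench.example.com',       # local workbench (assumed)
  'https://workbench2.example.com:8443', # workbench on another trusted cluster (assumed)
].freeze

# Reduce a URL to a canonical origin string, or nil if it is not a plain
# http(s) URL with a host. Canonical form is "scheme://host:port" with a
# lowercase host and an explicit port, so "https://h" and "https://h:443"
# compare equal.
def origin_of(url)
  uri = URI.parse(url.to_s)
  # URI::HTTPS is a subclass of URI::HTTP; anything else (javascript:, data:,
  # a bare path, a protocol-relative "//host") is rejected here.
  return nil unless uri.is_a?(URI::HTTP)
  return nil if uri.host.nil? || uri.host.empty?
  # "https://workbench.example.com@evil.example/" parses with host
  # "evil.example"; refuse userinfo outright rather than risk a naive
  # string-prefix check being fooled by it.
  return nil unless uri.userinfo.nil?
  "#{uri.scheme}://#{uri.host.downcase}:#{uri.port}"
rescue URI::InvalidURIError
  nil
end

# True only when return_to points at one of the configured client origins.
# Path and query are deliberately ignored: the client owns everything under
# its origin, and the token is only ever handed to that origin.
def return_to_allowed?(return_to, trusted = TRUSTED_CLIENT_URLS)
  origin = origin_of(return_to)
  return false if origin.nil?
  trusted.map { |u| origin_of(u) }.compact.include?(origin)
end

if __FILE__ == $PROGRAM_NAME
  [
    'https://workbench.example.com/users/welcome?return_to=%2Fprojects',
    'https://WORKBENCH.example.com:443/',
    'http://workbench.example.com/',                 # scheme downgrade
    'https://workbench.example.com.evil.example/',   # lookalike host
    'https://workbench.example.com@evil.example/',   # userinfo trick
    '//evil.example/',                               # protocol-relative
    'javascript:alert(1)',
    '/relative/path',
  ].each { |u| puts "#{return_to_allowed?(u) ? 'allow' : 'deny '}  #{u}" }
end
```

Relative return_to values are denied as well; if the local workbench needs them, resolve them against its configured base URL before calling the check rather than trusting the client to supply an absolute one. Keeping the list out of any exported or discoverable configuration, as the description asks, is a separate concern from the check itself.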


Related issues

Related to Arvados - Feature #15582: [API] [Controller] Per-user client login permissions (New)

Has duplicate Arvados - Bug #15560: [API] Restrict endpoints and/or prompt user before giving out token (Duplicate)

History

#1 Updated by Tom Clegg over 4 years ago

  • Target version set to 2015-04-29 sprint

#2 Updated by Tom Clegg over 4 years ago

  • Description updated (diff)
  • Category set to API

#3 Updated by Tom Clegg over 4 years ago

  • Target version changed from 2015-04-29 sprint to Arvados Future Sprints

#4 Updated by Tom Clegg almost 2 years ago

  • Description updated (diff)
  • Story points deleted (2.0)
  • Tracker changed from Story to Bug
  • Subject changed from Replace the ApiClient is_trusted attribute with a per-{user,client} flag which is set by the user when logging in with a client for the first time. to [API] Replace is_trusted attribute with a per-{user,client} flag which is set by the user on first login to a given client

#5 Updated by Tom Clegg about 9 hours ago

  • Has duplicate Bug #15560: [API] Restrict endpoints and/or prompt user before giving out token added

#6 Updated by Tom Clegg about 8 hours ago

  • Description updated (diff)

#7 Updated by Tom Clegg about 6 hours ago

  • Description updated (diff)

#8 Updated by Tom Clegg about 6 hours ago

  • Subject changed from [API] Replace is_trusted attribute with a per-{user,client} flag which is set by the user on first login to a given client to [API] Replace is_trusted attribute with a configurable whitelist of client application URLs

#9 Updated by Tom Clegg about 6 hours ago

  • Subject changed from [API] Replace is_trusted attribute with a configurable whitelist of client application URLs to [API] Replace is_trusted column and api_clients table with a configurable whitelist of client application URLs

#10 Updated by Tom Clegg about 6 hours ago

  • Description updated (diff)

#11 Updated by Tom Morris about 6 hours ago

  • Story points set to 3.0

#12 Updated by Tom Clegg about 6 hours ago

  • Related to Feature #15582: [API] [Controller] Per-user client login permissions added
