Bug #11616

closed

API tokens are not evaluated independently of LDAP credentials

Added by Florian Heigl over 6 years ago. Updated about 5 years ago.

Status:
Rejected
Priority:
N/A
Category:
Architecture - Internal libs
Target version:
-
Severity:
Critical - prevents main use of Rudder | no workaround | data loss | security
UX impact:
User visibility:
Infrequent - complex configurations | third party integrations
Effort required:
Priority:
54
Name check:
Fix check:
Regression:

Description

Hi,

we just had some issue with our backend LDAP servers.
They're timing out on requests, which also makes the Rudder UI login hang until finally there is a reply.
So far, so good.

The BAD thing we noticed is that API token based connections are blocked at the same time.
It seems that something in the spring (?) security module blocks for both authentication models if one is unavailable.
This makes no sense considering the API tokens are not bound to users.
Nor do they even use an external authentication source at all.

Could you please check this and, if at all possible, untangle the two!?

It's one thing if user logon is blocked, but the machine-to-machine interface should be available.
I was told (unverified) that it threw a 404 on the API in the end, that should be looked at.
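The separation the reporter asks for, shown as an added Python illustration that is not Rudder's code and makes no claim about how its Spring Security chain is actually wired: a simulated LDAP provider that times out, a local API-token store, and two hypothetical dispatchers, one where a token request waits behind LDAP and one where token requests never reach it.

```python
import hashlib
import hmac
import time

# Constructed example data: the token store holds only SHA-256 digests of
# API tokens, mapped to the principal they act for. Not a real Rudder token.
_VALID_TOKEN = "example-api-token-not-real"
TOKEN_STORE = {hashlib.sha256(_VALID_TOKEN.encode()).hexdigest(): "node-sync"}


class LdapTimeout(Exception):
    """Raised when the simulated LDAP backend does not answer."""


def ldap_authenticate(user, password, backend_down=True):
    # Simulated LDAP provider: a down backend blocks, then fails.
    if backend_down:
        time.sleep(0.05)  # stands in for a long network timeout
        raise LdapTimeout("LDAP backend did not answer")
    return user == "alice" and password == "correct horse"


def token_authenticate(token):
    # Purely local check: hash the presented token and compare it against
    # the stored digests in constant time. No external service is involved.
    digest = hashlib.sha256(token.encode()).hexdigest()
    for stored, principal in TOKEN_STORE.items():
        if hmac.compare_digest(stored, digest):
            return principal
    return None


def coupled_login(headers, ldap_down=True):
    # Problem pattern: every request is first pushed through the LDAP
    # provider, so an LDAP outage stalls and then rejects token requests too.
    try:
        if ldap_authenticate(headers.get("user"), headers.get("password"), ldap_down):
            return "user:" + headers["user"]
    except LdapTimeout:
        return None  # the token is never consulted
    principal = token_authenticate(headers.get("X-API-Token", ""))
    return "token:" + principal if principal else None


def decoupled_login(headers, ldap_down=True):
    # Fix pattern: a request carrying an API token is resolved by the local
    # store only; just interactive user logins go to LDAP.
    if "X-API-Token" in headers:
        principal = token_authenticate(headers["X-API-Token"])
        return "token:" + principal if principal else None
    try:
        ok = ldap_authenticate(headers.get("user"), headers.get("password"), ldap_down)
    except LdapTimeout:
        return None
    return "user:" + headers["user"] if ok else None
```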
