[che-dev] Single user mode broken

Hi all,

While implementing https://github.com/eclipse/che/issues/15651, i.e. securing Theia and che-machine-exec, I managed to completely break single user mode.

The reason for that is that to properly secure these two plugins, it is necessary that they listen only on localhost and the connection from outside is proxied by jwt proxy.

This unfortunately breaks single user mode, which doesn't make any provisions for servers that are inaccessible from outside.

I personally completely forgot about single user mode, which is the default only in helm-based deployments. Unfortunately our test suite didn't catch my omission either as it doesn't cover starting a workspace in single user mode.

There are a couple of possible solutions to the problem.

1) Reverting https://github.com/eclipse/che-plugin-registry/pull/378 which would make che-machine-exec and che-theia listen on 0.0.0.0. This makes them vulnerable to cross-pod/namespace unauthenticated access though.

2) Implement and deploy a passthrough proxy that would play the role of jwt proxy in single user mode. This requires a change in che-server and finding/implementing the passthrough proxy.

3) Somehow enable "switching" versions of the che-theia and che-machine-exec. This could be done for example by "forking" plugin registry and providing "single user friendly" versions of the plugins in the fork. Users requiring single user mode could deploy this alternative version of plugin registry.

Sorry for the complications and hope to find a quick and workable solution.

Thanks,

Lukas
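
The localhost-versus-0.0.0.0 distinction in the message above can be audited from inside a workspace container by reading the kernel's socket table. The following is an added example, not part of the original e-mail or of any Che component: it parses text in `/proc/net/tcp` / `/proc/net/tcp6` layout and reports listening sockets that are not bound to loopback. It assumes a little-endian host; the sample rows and port numbers are constructed for illustration.

```python
import ipaddress

LISTEN = "0A"  # TCP_LISTEN state code as printed in /proc/net/tcp

# Constructed sample mixing /proc/net/tcp and /proc/net/tcp6 rows (not captured
# from a real pod); the ports are placeholders, not values from the e-mail.
SAMPLE = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:0C1C 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 20001
   1: 00000000:115C 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 20002
   2: 0100007F:0C1C 0100007F:D2F0 01 00000000:00000000 00:00000000 00000000  1000        0 20003
   3: 00000000000000000000000001000000:1F90 00000000000000000000000000000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 20004
"""


def decode_endpoint(field):
    """Turn 'HEXADDR:HEXPORT' into (ip_address, port)."""
    addr_hex, port_hex = field.split(":")
    raw = bytes.fromhex(addr_hex)
    # The kernel prints each 32-bit word in host byte order, so on a
    # little-endian host (assumed here) every 4-byte group is reversed.
    packed = b"".join(raw[i:i + 4][::-1] for i in range(0, len(raw), 4))
    return ipaddress.ip_address(packed), int(port_hex, 16)


def listeners(proc_net_tcp):
    """Return (address, port) for every socket in LISTEN state."""
    found = []
    for line in proc_net_tcp.splitlines():
        cols = line.split()
        # Data rows start with an index such as '0:'; header rows do not.
        if len(cols) < 4 or not cols[0].endswith(":") or cols[3] != LISTEN:
            continue
        found.append(decode_endpoint(cols[1]))
    return found


def exposed(proc_net_tcp):
    """Listening sockets reachable from outside the pod's loopback interface."""
    return [(str(a), p) for a, p in listeners(proc_net_tcp) if not a.is_loopback]


if __name__ == "__main__":
    for addr, port in exposed(SAMPLE):
        print(f"listening on non-loopback address {addr}:{port}")
```

On a live container, pass the contents of `/proc/net/tcp` and `/proc/net/tcp6` to `exposed()` instead of `SAMPLE`.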
