[ckan-discuss] Is CKAN Secure?

Joshua Tauberer tauberer+consulting at govtrack.us
Fri Jul 12 15:26:22 BST 2013


Hi, Claire.

The federal government ( https://catalog.data.gov/dataset) and the US 
Dept. of Health & Human Services ( http://hub.healthdata.gov/, which I 
help deploy) are both using CKAN 2.0. As far as I know, neither has seen 
any security issues.

The API works on the same permissions as the website. If you don't have 
permission to modify something on the web, you don't have permission to 
modify something through the API either.

Hope that helps,

-- 
- Joshua Tauberer
- http://razor.occams.info



On 07/11/2013 03:35 PM, Claire Bozic wrote:
>
> My agency has had some security issues over the last year that were 
> traced to an API.  We are currently working on installing CKAN 2.0. I 
> am not a programmer or a system security expert, so I wonder how 
> secure is CKAN?  I see some specific information about setting 
> permissions on DataStore to eliminate?/Reduce? security issues, but 
> not much else in the documentation that specifically references the 
> topic.
>
> When I read this, it sounds good but it also sounds like it could 
> potentially be a problem – is this available to outside users only if 
> specifically provided, or is this available to anyone by default?
>
>
>     “Programming with CKAN: meet version 3 of the API
>
> CKAN’s powerful application programming interface (API) makes it 
> possible for other machines and programs to automatically read, search 
> and update datasets. CKAN’s API was previously designed according to 
> REST <http://www.infoq.com/articles/rest-introduction> principles. 
> RESTful APIs are deservedly popular as a way to expose a clean 
> interface to certain views on a collection of data. However, for CKAN 
> we felt it would be better to give applications full access to CKAN’s 
> own internal machinery.
>
> A new version of the API – version 3 – trialled in beta in CKAN 1.8, 
> replaced the REST design with remote procedure calls, enabling 
> applications or programmers to call the same procedures as CKAN’s own 
> code uses to implement its user interface. Anything that is possible 
> via the user interface, and a good deal more, is therefore possible 
> through the API. This proved popular and stable, and so, with minor 
> tweaks, it is now the recommended API. Old versions of the API will 
> continue to be provided for backward compatibility.
>
> - See more at: 
> http://ckan.org/2013/05/13/announcing-ckan-2-0/#sthash.sCxWHmon.dpuf”
>
> What about this? Should this make me nervous?
>
> *From:*ckan-discuss-bounces at lists.okfn.org 
> [mailto:ckan-discuss-bounces at lists.okfn.org] *On Behalf Of *Pearce, 
> Matthew
> *Sent:* Wednesday, July 10, 2013 4:39 AM
> *To:* 'ckan-discuss at lists.okfn.org'
> *Subject:* [ckan-discuss] datahub.io suggestion - spam entries
>
> Hello
>
> I was having a look for some material on datahub.io 
> <http://datahub.io/> and noticed a number of entries that are likely 
> spam (e.g.1 
> <http://datahub.io/dataset/acquiring_mba_program_exactly_what_is_really_gmat_and_so_why_do_anyone_will_need_the_high_status> 
> e.g.2 
> <http://datahub.io/dataset/totally_free_grant_money_for_college_scholarship>). 
> This is just a piece of feedback from an infrequent user perspective. 
> I would be more than happy to click a simple ‘flag for 
> moderator’/’report spam’ button to reduce maintenance effort for the 
> admins (a la stackexchange). However, I’m not clear what the best 
> route is currently.
>
> It appears there are two types of login which open up options: 
> comments (DISQUS) and a site login.
>
> - I noticed the DISQUS login option for comments. This has a ‘submit 
> feedback’ option on the gear in the lower right (when logged in). But 
> this feels more like a usability survey than a reporting channel.
>
> - The site account seems to open up editing options. However I don’t 
> see a ‘flag for moderator’ option (or a delete button, which could be 
> harsh).
>
> Hope this is somewhat useful
>
> *Matthew Pearce*
>
> *Standards Manager (Analyst)*
>
> The National Archives, Kew, Surrey, TW9 4DU
>
> T: 0208 876 3444 ex: 2360
>
>

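The claim in the reply above, that the v3 action API enforces the same permissions as the web interface, is something a deployer can verify on their own instance rather than take on trust. The script below is an added example written for this page, not code from CKAN or from anyone in the thread. It POSTs each write action anonymously with an empty JSON body and classifies the response from the v3 envelope: a 403 / "Authorization Error" means the permission check held, while a 409 / "Validation Error" means the caller got past authorization and into payload validation, which on a correctly locked-down site should never happen for an anonymous user. Because CKAN actions check authorization before validating input, the empty payload never creates anything. The base URL `https://ckan.example.org`, the `fake_call` transport and the responses in `SAMPLE_SITE` are constructed for the example; the action names and the envelope format are CKAN's own.

```python
"""
Anonymous-write audit for a CKAN 2.x action API.

Added example, not code from CKAN or from anyone on this thread.
Assumptions: the target is a CKAN 2.x site that speaks the v3 action
API (POST /api/3/action/<name>, JSON envelope with "success", "result"
and "error"/"__type"), and that CKAN checks authorization before it
validates the payload, so an empty payload never creates anything.
The responses in SAMPLE_SITE and the base URL are constructed by hand.
"""
import json
import urllib.error
import urllib.request

# Write actions that an anonymous caller must not be able to reach.
WRITE_ACTIONS = (
    "package_create", "package_update", "package_delete",
    "resource_create", "organization_create", "user_create",
)


def classify(status, body):
    """Classify one action response as 'denied', 'reachable' or 'other'.

    'reachable' means the auth check passed: either the call succeeded
    or it got as far as payload validation (409 / Validation Error).
    """
    try:
        env = json.loads(body)
    except ValueError:
        return "other"
    if not isinstance(env, dict):
        return "other"
    if env.get("success") is True:
        return "reachable"
    err = env.get("error") if isinstance(env.get("error"), dict) else {}
    err_type = err.get("__type")
    if status == 403 or err_type == "Authorization Error":
        return "denied"
    if status == 409 or err_type == "Validation Error":
        return "reachable"
    return "other"


def call_action(base_url, action, payload=None, api_key=None):
    """POST one v3 action and return (http_status, body_text)."""
    url = base_url.rstrip("/") + "/api/3/action/" + action
    req = urllib.request.Request(
        url, data=json.dumps(payload or {}).encode("utf-8"),
        headers={"Content-Type": "application/json"}, method="POST")
    if api_key:
        # CKAN 2.x reads the API key from the Authorization header.
        req.add_header("Authorization", api_key)
    try:
        with urllib.request.urlopen(req, timeout=15) as resp:
            return resp.status, resp.read().decode("utf-8")
    except urllib.error.HTTPError as e:
        return e.code, e.read().decode("utf-8", "replace")


def audit(base_url, actions=WRITE_ACTIONS, call=call_action):
    """Probe each write action anonymously with an empty payload.

    Returns {action: classification}.  Anything other than 'denied'
    deserves a look at the site's ckan.auth.* settings.
    """
    return {a: classify(*call(base_url, a, {})) for a in actions}


# Constructed sample: a site where anonymous dataset creation has been
# switched on, so package_create gets past auth and into validation.
SAMPLE_SITE = {
    "package_create": (409, '{"help": "...", "success": false, '
                            '"error": {"__type": "Validation Error", '
                            '"name": ["Missing value"]}}'),
}
_DENIED = (403, '{"help": "...", "success": false, '
                '"error": {"__type": "Authorization Error", '
                '"message": "Access denied"}}')


def fake_call(base_url, action, payload=None, api_key=None):
    """Stand-in transport that replays SAMPLE_SITE instead of using HTTP."""
    return SAMPLE_SITE.get(action, _DENIED)


def demo():
    """Run the audit against the constructed sample site."""
    return audit("https://ckan.example.org", call=fake_call)


if __name__ == "__main__":
    for action, verdict in demo().items():
        print(f"{action:22s} {verdict}")
```

To run it for real, call `audit("https://your-ckan-host")` with the default `call_action` transport; anything reported as "reachable" points at the `ckan.auth.*` options in the site config (for example `ckan.auth.anon_create_dataset`), which decide what anonymous and ordinary users may create. Repeat the run with the API key of a low-privilege user as well, since "same permissions as the web" has to hold for authenticated accounts too, not only for anonymous ones.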