[CKAN-Security] CKAN security best practices
adria.mercader at okfn.org
Thu Feb 28 13:50:45 UTC 2019
Thanks for reaching out.
There is not a dedicated security best practices document as far as I know.
General practices for securing web applications should apply. At the CKAN
level you might want to review your authorization settings, although the
ones used by default offer a good starting point:
Yes, the user list was public by default up until recently. On CKAN 2.8
there was an option to just show it to logged in user, and on the next
version if will be only available to sysadmins (
https://github.com/ckan/ckan/pull/4654). In the meantime you can override
the user_list auth function quite easily to prevent public access to the
user list. Don't hesitate to write to the dev mailing list if you need
support on that.
Hope this helps,
On Thu, 28 Feb 2019 at 09:58, Andrew Wild <andrew.wild at servian.com> wrote:
> I'm currently in the process of evaluating CKAN's security framework for
> an open data portal we're building. I'm wondering if you have any reference
> documentation for security best practices when installing CKAN?
> On a related note, I've noticed that on some CKAN installations, I can hit
> the user_list API without an authorisation token and get a list of
> usernames, names and sysadmin (TRUE/FALSE). I'm presuming this is not the
> recommended approach, is there any documentation you can share that allows
> sysadmins to limit the API calls that are available to users?
> *Andrew Wild* | Consultant | m: 0481 115 645 <0481115645> | p: +61 458
> 290 389 <+61458290389>
> Level 3, 200 Mary Street, Brisbane City QLD 4000
> CKAN security
> Repo: https://github.com/ckan/ckan-security
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the Security