[CKAN-Security] CKAN security best practices

David Read david.read at hackneyworkshop.com
Thu Feb 28 15:08:40 UTC 2019


Ha, bingo Adria :)
D

On Thu, 28 Feb 2019 at 13:51, Adrià Mercader <adria.mercader at okfn.org>
wrote:

> Hi Andrew,
>
> Thanks for reaching out.
>
> There is not a dedicated security best practices document as far as I
> know. General practices for securing web applications should apply. At the
> CKAN level you might want to review your authorization settings, although
> the ones used by default offer a good starting point:
> https://docs.ckan.org/en/latest/maintaining/configuration.html#authorization-settings
>
> Yes, the user list was public by default up until recently. On CKAN 2.8
> there was an option to just show it to logged in user, and on the next
> version if will be only available to sysadmins (
> https://github.com/ckan/ckan/pull/4654). In the meantime you can override
> the user_list auth function quite easily to prevent public access to the
> user list. Don't hesitate to write to the dev mailing list if you need
> support on that.
>
> Hope this helps,
>
> Adrià
>
>
> On Thu, 28 Feb 2019 at 09:58, Andrew Wild <andrew.wild at servian.com> wrote:
>
>> Hi,
>>
>> I'm currently in the process of evaluating CKAN's security framework for
>> an open data portal we're building. I'm wondering if you have any reference
>> documentation for security best practices when installing CKAN?
>>
>> On a related note, I've noticed that on some CKAN installations, I can
>> hit the user_list API without an authorisation token and get a list of
>> usernames, names and sysadmin (TRUE/FALSE). I'm presuming this is not the
>> recommended approach, is there any documentation you can share that allows
>> sysadmins to limit the API calls that are available to users?
>>
>> Thanks,
>> Andy
>>
>> --
>> *Andrew Wild* | Consultant | m: 0481 115 645 <0481115645> | p: +61 458
>> 290 389 <+61458290389>
>> Level 3, 200 Mary Street, Brisbane City QLD 4000
>> _______________________________________________
>> CKAN security
>> https://lists.okfn.org/mailman/listinfo/security
>> https://lists.okfn.org/mailman/options/security/adria.mercader%40okfn.org
>>
>> Repo: https://github.com/ckan/ckan-security
>
> _______________________________________________
> CKAN security
> https://lists.okfn.org/mailman/listinfo/security
>
> https://lists.okfn.org/mailman/options/security/david.read%40hackneyworkshop.com
>
> Repo: https://github.com/ckan/ckan-security
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.okfn.org/mailman/private/security/attachments/20190228/dca19417/attachment-0001.html>


More information about the Security mailing list