[CKAN-Security] CKAN security best practices

David Read david.read at hackneyworkshop.com
Thu Feb 28 13:51:01 UTC 2019


Andrew,

Thanks for getting in touch. That particular item is a hangover from when
CKAN was designed more like a social network - it was a legitimate design
at the time but dated badly. There's work in progress to change it in the
code: https://github.com/ckan/ckan/pull/4654
Most sites till now have simply blocked this API path.

There's no security best practices doc, I'm afraid. My advice is to
understand the configuration and use the latest version.

If you're working with CKAN I'd encourage you to join the CKAN Association:
https://ckan.org/about/association/

Regards,
David

On Thu, 28 Feb 2019 at 08:58, Andrew Wild <andrew.wild at servian.com> wrote:

> Hi,
>
> I'm currently in the process of evaluating CKAN's security framework for
> an open data portal we're building. I'm wondering if you have any reference
> documentation for security best practices when installing CKAN?
>
> On a related note, I've noticed that on some CKAN installations, I can hit
> the user_list API without an authorisation token and get a list of
> usernames, names and sysadmin (TRUE/FALSE). I'm presuming this is not the
> recommended approach, is there any documentation you can share that allows
> sysadmins to limit the API calls that are available to users?
>
> Thanks,
> Andy
>
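Blocking the path at the web server, as David describes, is one option; the other is to restrict the action inside CKAN itself so that ``user_list`` answers only to sysadmins. The following is an added illustration, not CKAN's own code nor the contents of the pull request above. It assumes a hypothetical extension named ``ckanext-restrictuserlist`` registered under the plugin name ``restrict_user_list`` in ``setup.py`` and listed in ``ckan.plugins``.

```python
"""Hypothetical CKAN 2.x extension (ckanext-restrictuserlist) that
overrides the ``user_list`` auth function so only sysadmins may call it.

Registration assumed in setup.py:
    [ckan.plugins]
    restrict_user_list = ckanext.restrictuserlist.plugin:RestrictUserListPlugin
and in the CKAN config: ckan.plugins = ... restrict_user_list
"""


def user_list_auth(context, data_dict=None):
    """CKAN-style auth function: returns {'success': bool, 'msg': str}.

    CKAN passes the logged-in user's model object as
    context['auth_user_obj'] (None for anonymous requests) and the
    username as context['user'] ('' when anonymous). Sysadmins normally
    bypass auth functions altogether, so the explicit check here also
    keeps the function correct if that shortcut is ever disabled.
    """
    user = context.get('auth_user_obj')
    if user is not None and getattr(user, 'sysadmin', False):
        return {'success': True}
    # Anonymous and ordinary users receive a 403 from the action API,
    # so usernames, full names and the sysadmin flag are no longer
    # enumerable without credentials.
    return {'success': False,
            'msg': 'Only sysadmins may list users on this portal'}


try:
    import ckan.plugins as plugins

    class RestrictUserListPlugin(plugins.SingletonPlugin):
        """Registers the override through the IAuthFunctions interface."""
        plugins.implements(plugins.IAuthFunctions)

        def get_auth_functions(self):
            # Keys are action names; CKAN's check_access() consults this
            # mapping before running the corresponding action.
            return {'user_list': user_list_auth}
except ImportError:
    # Lets the module (and user_list_auth) import outside a CKAN
    # install, e.g. for unit testing the auth logic on its own.
    plugins = None
```

After enabling the plugin, an unauthenticated request to ``/api/3/action/user_list`` should return an authorization error instead of the user table; that is the check to run on a staging instance before relying on it.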

