[CKAN-Security] CKAN security best practices
andrew.wild at servian.com
Thu Feb 28 23:10:09 UTC 2019
Thanks for the swift reply and the valuable information - much appreciated.
Yea, I saw the user_list function shortly after I sent the email yesterday.
I'll drop an email today to the sysadmins of the CKAN installations that
are still exposing the user_list to give them a heads up (and with some
instructions on how to fix it).
I'll send a note to the dev group if I spot anything else.
On Thu, 28 Feb 2019 at 23:50, Adrià Mercader <adria.mercader at okfn.org>
> Hi Andrew,
> Thanks for reaching out.
> There is not a dedicated security best practices document as far as I
> know. General practices for securing web applications should apply. At the
> CKAN level you might want to review your authorization settings, although
> the ones used by default offer a good starting point:
> Yes, the user list was public by default up until recently. On CKAN 2.8
> there was an option to just show it to logged-in users, and on the next
> version it will be only available to sysadmins (
> https://github.com/ckan/ckan/pull/4654). In the meantime you can override
> the user_list auth function quite easily to prevent public access to the
> user list. Don't hesitate to write to the dev mailing list if you need
> support on that.
> Hope this helps,
> On Thu, 28 Feb 2019 at 09:58, Andrew Wild <andrew.wild at servian.com> wrote:
>> I'm currently in the process of evaluating CKAN's security framework for
>> an open data portal we're building. I'm wondering if you have any reference
>> documentation for security best practices when installing CKAN?
>> On a related note, I've noticed that on some CKAN installations, I can
>> hit the user_list API without an authorisation token and get a list of
>> usernames, names and sysadmin (TRUE/FALSE). I'm presuming this is not the
>> recommended approach, is there any documentation you can share that allows
>> sysadmins to limit the API calls that are available to users?
>> *Andrew Wild* | Consultant | m: 0481 115 645 | p: +61 458 290 389
>> Level 3, 200 Mary Street, Brisbane City QLD 4000
>> CKAN security
>> Repo: https://github.com/ckan/ckan-security
*Andrew Wild* | Consultant | m: 0481 115 645 | p: +61 458 290
Level 3, 200 Mary Street, Brisbane City QLD 4000
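The override Adrià describes, as an added example that is not code from the thread or from the CKAN project: a minimal CKAN extension that replaces the `user_list` auth function so only sysadmins can list users. The plugin and entry-point name (`user_list_restrict`) are assumptions, and the `ckan` import is guarded so the auth logic can be exercised outside a CKAN install.

```python
# Added example, not CKAN project code: a minimal CKAN extension that
# overrides the `user_list` auth function so only sysadmins may call it.
# The ckan import is guarded so the auth logic itself can be exercised
# outside a CKAN install; on a real site, register the plugin class under an
# entry point (e.g. `user_list_restrict`, an assumed name) in setup.py and
# add that name to `ckan.plugins` in the site .ini file.
try:
    import ckan.plugins as plugins
except ImportError:  # running outside CKAN (e.g. a unit test): skip wiring
    plugins = None


def user_list_auth(context, data_dict=None):
    """Auth function for the `user_list` action.

    CKAN passes the current user's model object as context['auth_user_obj']
    (None for anonymous requests). Allow only users whose sysadmin flag is
    set, which matches the behaviour the thread says later CKAN versions
    adopt by default. Anything else (anonymous or ordinary users) is denied.
    """
    user = context.get("auth_user_obj")
    if user is None or not getattr(user, "sysadmin", False):
        return {"success": False, "msg": "Only sysadmins may list users"}
    return {"success": True}


if plugins is not None:
    class UserListRestrictPlugin(plugins.SingletonPlugin):
        """Register the override through the IAuthFunctions interface."""
        plugins.implements(plugins.IAuthFunctions)

        def get_auth_functions(self):
            # Keys are action names; CKAN uses these instead of its defaults,
            # so both the API call and the /user page go through this check.
            return {"user_list": user_list_auth}


# Constructed stand-in for a CKAN user object, used only for local checks.
class _FakeUser:
    def __init__(self, sysadmin):
        self.sysadmin = sysadmin


def check(user):
    """Evaluate the auth function for a user object (None = anonymous)."""
    return user_list_auth({"auth_user_obj": user}, {})["success"]
```

After enabling the plugin, an unauthenticated call to `/api/3/action/user_list` returns a 403 "Authorization Error" instead of the account list, which is the quick check to run against each exposed installation.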