API endpoint for core v1 compatibility not properly protected by auth config #2394

EricWittmann · 2022-04-04T13:55:55Z

There is a 'legacy' endpoint located at /api/ that is just an alias for the Core V1 API that was moved to /apis/registry/v1. This endpoint should be disabled or protected when enabling auth, but it currently bypasses the auth check.

The text was updated successfully, but these errors were encountered:

EricWittmann · 2022-04-04T13:56:50Z

This is an issue that affected version 2.0.x of registry. However, starting with 2.1.x we have re-written the authentication/authorization layer so that Quarkus policies (configured in application.properties) are no longer used. The new approach is not subject to the above issue.

EricWittmann · 2022-04-04T13:59:36Z

The workaround for the 2.0.x version is to disable the core v1 legacy endpoint by setting the following ENV variable:

REGISTRY_DISABLE_APIS to have the value /apis/ibmcompat/.*,/api/.*

EricWittmann closed this as completed Apr 4, 2022

EricWittmann added version/2.0.x type/bug Something isn't working labels Apr 4, 2022

EricWittmann self-assigned this Apr 4, 2022

dlydiard mentioned this issue Mar 10, 2023

OLM Subscription does not honor Subscription Configs / Allow disabling v1 APIs Apicurio/apicurio-registry-operator#196

Open

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

API endpoint for core v1 compatibility not properly protected by auth config #2394

API endpoint for core v1 compatibility not properly protected by auth config #2394

EricWittmann commented Apr 4, 2022

EricWittmann commented Apr 4, 2022

EricWittmann commented Apr 4, 2022

API endpoint for core v1 compatibility not properly protected by auth config #2394

API endpoint for core v1 compatibility not properly protected by auth config #2394

Comments

EricWittmann commented Apr 4, 2022

EricWittmann commented Apr 4, 2022

EricWittmann commented Apr 4, 2022