Fwd: [Bug 1103035] Re: Charm needed: Juju GUI
Gary Poster
gary.poster at canonical.com
Wed Jan 23 13:47:44 UTC 2013
On 01/23/2013 07:23 AM, Gary Poster wrote:
> On 01/23/2013 06:26 AM, Nicola 'teknico' Larosa wrote:
>> Comments below derive from discussion by frankban and me.
>
> Thank you for working on this. Replies below.
>
>>
>>>> Robert Ayres wrote:
>>>> I've tested on EC2 and LXC.
>>>>
>>>> Please see bugs/comments below.
>>
>> Gary Poster wrote:
>>> My thoughts on these, fwiw.
> ...
>>>> *If you use the 'user', 'password' config options then these can be
>>>> obtained simply by accessing the URL -
>>>> https://xxx/juju-ui/assets/config.js .
>>
>>> I am inclined to think that this is merely a warning that we add to
>>> those configuration values. Alternatively, do we have a use case for
>>> this other than improv? If we don't, maybe we should remove these
>>> options as dangerous and only set the admin/admin authentication with
>>> the "staging" module?
>>
>> I like the second option more. The possibility to set supposedly secret
>> credentials gives a sense of false security, since those credentials are
>> not secret at all.
>>
>> If non-improv use cases exist, I would still remove the config options
>> and replace them with a skip-auth option, and hardwired credentials like
>> "PUBLIC_USERNAME" and "PUBLIC_PASSWORD", to be manually enabled in the
>> Juju auth backend, with an explicit warning to the user about the
>> consequences. But probably we don't need all this.
>
> OK. Let me run this by Kapil and see if I can get his blessing on the
> simple "staging options automatically sets the admin password" approach,
> or another direction. I'll reply asap--I should see him within the next
> two hours.

Kapil gave a +1 to removing the admin/password options and using the
"staging options automatically sets the admin password," so if there are
no objections, let's go that way.

Gary
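
The exposure reported in the quoted bug comment (the 'user' and 'password' options being readable from the served config.js) can be checked for in a deployed asset. The following is an added example, not part of this thread or of the charm's code; the thread does not show the file, so the object layout, the key spellings and both sample bodies are constructed assumptions.

```python
import re

# The thread names the 'user' and 'password' charm options; assuming they
# appear under the same names in the served file.
CREDENTIAL_KEYS = ("user", "password")

# key: "value" | "key": 'value' | key: null  inside a JS object literal.
_PAIR = re.compile(
    r"""(?P<q>["']?)(?P<key>[A-Za-z_$][\w$]*)(?P=q)\s*:\s*
        (?:"(?P<dq>(?:[^"\\]|\\.)*)"
          |'(?P<sq>(?:[^'\\]|\\.)*)'
          |(?P<bare>null|undefined)\b)""",
    re.VERBOSE,
)

def exposed_credentials(js_text):
    """Return {key: value} for credential keys that carry a non-empty literal.

    Comments are deliberately not stripped: a commented-out credential is
    still delivered to every client that fetches the file.
    """
    found = {}
    for m in _PAIR.finditer(js_text):
        key = m.group("key")
        if key not in CREDENTIAL_KEYS:
            continue
        value = m.group("dq") if m.group("dq") is not None else m.group("sq")
        if value:  # null, undefined and "" mean nothing was baked in
            found[key] = value
    return found

# Constructed sample: config options set, so the values reach the browser.
SAMPLE_WITH_OPTIONS = """
var juju_config = {
  socket_url: "wss://example.invalid/ws",
  user: "admin",
  password: 'admin',
  readOnly: false
};
"""

# Constructed sample: options removed, nothing credential-like is served.
SAMPLE_OPTIONS_REMOVED = """
var juju_config = {
  socket_url: "wss://example.invalid/ws",
  user: null,
  password: "",
  readOnly: false
};
"""

if __name__ == "__main__":
    print(sorted(exposed_credentials(SAMPLE_WITH_OPTIONS)))
    print(sorted(exposed_credentials(SAMPLE_OPTIONS_REMOVED)))
```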