IAP User is able to access a Cloud Run without permission

Steps to reproduce this:

  • create a Cloud Run service with the "Require authentication" option and set the ingress option to "Allow internal traffic and traffic from Cloud Load Balancing"
  • expose the service using an External Load Balancer with IAP enabled
  • give the user the role "IAP-Secured Web App User" on the backend service

The user will be able to access the Cloud Run service without explicit permission.

You can follow this tutorial to have a working example: hodo.dev/posts/post-30-gcp-cloudrun-iap/

Is this a bug or is it the expected behavior?

If this is expected, then where is this implicit user permission documented?

Google's Identity Aware Proxy (IAP) acts as a front-end for access to back-end systems. For certain back-ends, if a request is received by IAP, then IAP will do the work to validate that the user is suitably authorized to make the final request. What this implies is that if a request goes directly to the backend, then the backend will have the responsibility for approval. However, if we route through IAP, then we have delegated the approval responsibility to IAP. As such, the requesting user will be able to access the services of the backend (e.g. Cloud Run) without needing explicit Cloud Run approval, because we have defined that IAP can make the decision and Cloud Run trusts that IAP's decision is sufficient.
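The three reproduction steps from the question, and the trust relationship the answer describes, as an added gcloud script (not from the question, the answer, or the linked tutorial). Every name in it is a placeholder assumption: project id, region, service name, domain, the OAuth client id/secret that IAP requires, and the user principal. The script grants only `roles/iap.httpsResourceAccessor` on the backend service and deliberately never grants `roles/run.invoker` on the Cloud Run service, which is exactly the situation the question asks about; the final step dumps the service's own IAM policy so you can confirm the user is absent from it. Set `GCLOUD=echo` to print the commands instead of running them.

```shell
#!/bin/sh
# Added example: reproduce "IAP user reaches a Cloud Run service without an
# invoker role". All values below are placeholder assumptions; override them
# through the environment. Run with --apply to execute, GCLOUD=echo to dry-run.
set -eu

PROJECT="${PROJECT:-my-project}"                 # assumed project id
REGION="${REGION:-us-central1}"                  # assumed region
SERVICE="${SERVICE:-iap-demo}"                   # assumed Cloud Run service name
IMAGE="${IMAGE:-us-docker.pkg.dev/cloudrun/container/hello}"  # Google's public sample image
DOMAIN="${DOMAIN:-iap-demo.example.com}"         # assumed hostname for the managed cert
OAUTH_CLIENT_ID="${OAUTH_CLIENT_ID:-<oauth-client-id>}"          # placeholder, from the OAuth credentials page
OAUTH_CLIENT_SECRET="${OAUTH_CLIENT_SECRET:-<oauth-client-secret>}"  # placeholder
MEMBER="${MEMBER:-user:alice@example.com}"       # assumed principal to grant IAP access to
NEG="${SERVICE}-neg"
BACKEND="${SERVICE}-backend"
GCLOUD="${GCLOUD:-gcloud}"                       # GCLOUD=echo prints instead of executing

# Step 1: "Require authentication" (no allUsers invoker) and ingress limited to
# internal traffic plus Cloud Load Balancing.
deploy_cloud_run() {
  "$GCLOUD" run deploy "$SERVICE" \
    --project="$PROJECT" --region="$REGION" --image="$IMAGE" \
    --no-allow-unauthenticated \
    --ingress=internal-and-cloud-load-balancing
}

# Step 2: external HTTPS load balancer with a serverless NEG pointing at the
# service, then IAP switched on for that backend service.
expose_via_lb_with_iap() {
  "$GCLOUD" compute network-endpoint-groups create "$NEG" --project="$PROJECT" \
    --region="$REGION" --network-endpoint-type=serverless --cloud-run-service="$SERVICE"
  "$GCLOUD" compute backend-services create "$BACKEND" --project="$PROJECT" --global
  "$GCLOUD" compute backend-services add-backend "$BACKEND" --project="$PROJECT" --global \
    --network-endpoint-group="$NEG" --network-endpoint-group-region="$REGION"
  "$GCLOUD" compute ssl-certificates create "${SERVICE}-cert" --project="$PROJECT" \
    --global --domains="$DOMAIN"
  "$GCLOUD" compute url-maps create "${SERVICE}-urlmap" --project="$PROJECT" \
    --default-service="$BACKEND"
  "$GCLOUD" compute target-https-proxies create "${SERVICE}-proxy" --project="$PROJECT" \
    --url-map="${SERVICE}-urlmap" --ssl-certificates="${SERVICE}-cert"
  "$GCLOUD" compute forwarding-rules create "${SERVICE}-fr" --project="$PROJECT" --global \
    --target-https-proxy="${SERVICE}-proxy" --ports=443
  "$GCLOUD" compute backend-services update "$BACKEND" --project="$PROJECT" --global \
    --iap="enabled,oauth2-client-id=${OAUTH_CLIENT_ID},oauth2-client-secret=${OAUTH_CLIENT_SECRET}"
}

# Step 3: the only grant the user gets is "IAP-Secured Web App User" on the
# backend service. No roles/run.invoker is granted anywhere.
grant_iap_user() {
  "$GCLOUD" iap web add-iam-policy-binding --project="$PROJECT" \
    --resource-type=backend-services --service="$BACKEND" \
    --member="$MEMBER" --role=roles/iap.httpsResourceAccessor
}

# Check: the Cloud Run service's own IAM policy should not list the user at all,
# yet the user can open https://$DOMAIN/ after signing in through IAP.
show_run_policy() {
  "$GCLOUD" run services get-iam-policy "$SERVICE" --project="$PROJECT" --region="$REGION"
}

if [ "${1:-}" = "--apply" ]; then
  deploy_cloud_run
  expose_via_lb_with_iap
  grant_iap_user
  show_run_policy
fi
```

Because Cloud Run trusts IAP's decision, the application itself should still confirm that a request actually came through IAP, by validating the signed `x-goog-iap-jwt-assertion` header IAP adds, before treating the caller as authorized; a request that reaches the service by another path the ingress setting still permits (internal traffic) carries no such header.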
