Task
Resolution: Won't Do
L3 - Default
7.13.0-alpha4
Kubernetes 1.16
On top of CAM-11293, I propose that HTTP Basic Authentication should be enabled for REST engine out-of-the-box. Reasons:
- Encourage secure-by-default. Requiring that a user (especially since Camunda is open source software that can be used without training) understands that Camunda is insecure by default is not realistic.
- Potential risk of security breaches that cause damage to Camunda users and to Camunda itself. Please learn from MongoDB (https://nakedsecurity.sophos.com/2018/09/19/here-we-mongo-again-millions-of-records-exposed-by-insecure-database/) and Elasticsearch (https://securityboulevard.com/2019/11/an-unsecured-elasticsearch-server-exposed-1-2-billion-user-records-containing-their-personal-and-social-information/).
- Most initial users will care more about Cockpit and Tasklist than REST. And when they do care about REST, adding an Authorization header is not a big effort, and with proper documentation/quickstart, should be smooth. And again, *with a good password*, more secure than no authentication.
I'd also argue that having a demo:demo account is a bad idea. It should be an auto-generated password that is shown on the console at first startup (with a way to reset it if it is missing), and this auto-generation should be possible to turn off. In a Kubernetes/Helm environment, the auto-generated password would be saved to a Kubernetes secret, which makes it both secure and convenient. But this is another topic.
Our experience with Camunda BPM Run: https://about.lovia.life/docs/infrastructure/camunda/
Hi hendy,
Camunda BPM Run ships with two configuration files. The default.yml is intended to give users an easy getting-started experience. If you want to use Run in production you should not use this configuration file. Instead, we encourage you to enable the production.yml by passing --production to the start script (this one has authentication enabled by default) or providing your own.
Please read the getting started guide for Camunda BPM Run. Also, have a look into the [Security Instructions](https://docs.camunda.org/manual/latest/user-guide/security/) which apply to all our distros.
I will close this ticket.
Cheers,
Miklas
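To make the difference between the two profiles Miklas refers to concrete, here is an added illustration (not a file from this ticket or from the Camunda distribution) of the getting-started setting beside the production one. The `camunda.bpm.run.auth.*` keys are taken from the Camunda Run user guide as I recall it for the 7.13 line and should be treated as an assumption; check them against the `default.yml` and `production.yml` shipped with your version.

```yaml
# Added illustration, not a file from this ticket.
# Assumption: keys follow the Camunda Run user guide (camunda.bpm.run.auth.*).

# Getting-started profile (what default.yml provides): the REST API answers
# anonymous requests, so anyone who can reach the port can use the engine.
camunda.bpm:
  run:
    auth:
      enabled: false
---
# Production profile (what --production selects): every REST request must
# carry an Authorization header, and unauthenticated calls are rejected.
camunda.bpm:
  run:
    auth:
      enabled: true
      authentication: basic
```

A quick way to confirm which profile is actually active on a running instance is to request a REST endpoint such as `/engine-rest/engine` without credentials: a 401 response means authentication is enforced, while a 200 with engine data means the getting-started profile is still in use and should not be exposed beyond a local development machine.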