GMS-2023-5909: User with permission to write actions can impersonate another user when auth token is configured in environment variable

Impact

When lakeFS is configured with ALL of the following:

• Configuration option auth.encrypt.secret_key passed through environment variable
• Actions enabled via configuration option actions.enabled (default enabled)

then a user who can configure an action can impersonate any other user.

Patches

Has the problem been patched? What versions should users upgrade to?

Workarounds

ANY ONE of these is sufficient to prevent the issue:

• Do not pass auth.encrypt.secret_key through an environment variable.

For instance, Kubernetes users can generate the entire configuration as a secret and mount that. This is described here.

• Disable actions.
• Limit users allowed to configure actions.