User management: Security flaws?

Hello, I’ve encountered multiple problems regarding user restrictions:

If I am running the Deadline Remote Connection Server and someone has their repository set to a local repository in the launcher icon, then switches to a “remote connection” in the change repository dialog, then launches the monitor, it creates a new user, which is then part of the “everyone” group - so far so … okay. One could ask “Why is a very restricted user able to create new users?” - but okay.

Now even though the “everyone” group does not allow switching the user for that repository (everything is “red” except ‘switch repository’ for launcher and monitor menu), the one who is connected via remote connection is still able to run deadlinecommand with the -changeuser flag for that remote repository and gets the dialog for changing users. Now even though all users in that dialog have passwords set, he is able to change users freely without password authentication even though it’s not allowed for “everyone”.

Is the user system not meant to be used like that?

Is it enough to set the passwords of users in the “manage users” panel under “Web Service Authentication” or am I overlooking a dialog here?

As it stands today, Deadline has traditionally been deployed in networks with basic trust assumed. Because, historically, this security has not been a requirement by studios (you’re one of the few to dig in this deeply), it hasn’t been high on the “todo” list.

That isn’t to say we aren’t considering it.

Traditionally, for two-tiered studios where one section is working on secret work and another isn’t, the high security render farm is restricted by not being connected to the network at all. If both sides are somewhat more permissive, it’s possible to use file-system level restrictions for some access control, as without the scripts or read access to the “settings” folder, the applications can’t start.

The username/password for the web service will secure web endpoints but will not secure RCS (previously Proxy) connections.

All right then, good to know! 🙂

Thanks for the answer.