Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

feat(cli): support bypassing Admin API Auth by configuration #9147

Merged
merged 21 commits into from
Apr 10, 2023
Merged

feat(cli): support bypassing Admin API Auth by configuration #9147

Show file tree
Hide file tree
Changes from 16 commits
Commits
Show all changes
21 commits
Select commit Hold shift + click to select a range
ad5e732
feat(cli): support APISIX_ALLOW_NONE_AUTHENTICATION
An-DJ Mar 22, 2023
48c4941
fix wrong test
An-DJ Mar 23, 2023
88c7830
fix wrong test
An-DJ Mar 23, 2023
8089d47
fix wrong test config
An-DJ Mar 24, 2023
2111f54
bypass the auth if APISIX_ALLOW_NONE_AUTHENTICATION=true
An-DJ Mar 28, 2023
0395850
add hint
An-DJ Mar 28, 2023
b4332c7
change env var name
An-DJ Mar 29, 2023
c222260
Merge remote-tracking branch 'upstream/master' into allow-none-authen…
An-DJ Mar 29, 2023
8110123
add blank line
An-DJ Mar 29, 2023
d2cde14
add non-true check
An-DJ Mar 29, 2023
73ff74b
change env-config to file-config
An-DJ Mar 29, 2023
427782e
remove useless test
An-DJ Mar 29, 2023
d4bf713
add more test cases
An-DJ Mar 30, 2023
477687e
rewrite comments
An-DJ Mar 30, 2023
805edce
Correcting spelling problems
An-DJ Mar 30, 2023
7665604
correct spell problem
An-DJ Mar 30, 2023
bffbf56
correct warning
An-DJ Apr 4, 2023
3a08b52
correct comments
An-DJ Apr 4, 2023
aa15642
fix test err
An-DJ Apr 6, 2023
18c00b5
fix wrong test case
An-DJ Apr 6, 2023
97a5a8e
add more test cases
An-DJ Apr 6, 2023
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
13 changes: 13 additions & 0 deletions apisix/admin/init.lua
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -67,6 +67,12 @@ local router

local function check_token(ctx)
local local_conf = core.config.local_conf()

-- check if admin_key is required
if local_conf.deployment.admin.admin_key_required == false then
return true
end

local admin_key = core.table.try_read_attr(local_conf, "deployment", "admin", "admin_key")
if not admin_key then
return true
Expand Down Expand Up @@ -395,6 +401,13 @@ function _M.init_worker()
events.register(reload_plugins, reload_event, "PUT")

if ngx_worker_id() == 0 then
-- check if admin_key is required
if local_conf.deployment.admin.admin_key_required == false then
core.log.warn("Admin key is bypassed! ",
"If you are deploying APISIX in a production environment, ",
"please disable it and set a secure password for the admin Key!")
moonming marked this conversation as resolved.
Show resolved Hide resolved
moonming marked this conversation as resolved.
Show resolved Hide resolved
end

local ok, err = ngx_timer_at(0, function(premature)
if premature then
return
Expand Down
7 changes: 7 additions & 0 deletions apisix/cli/ops.lua
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -189,6 +189,13 @@ local function init(env)
and #allow_admin == 1 and allow_admin[1] == "127.0.0.0/24" then
checked_admin_key = true
end
-- check if admin_key is required
monkeyDluffy6017 marked this conversation as resolved.
Show resolved Hide resolved
if yaml_conf.deployment.admin.admin_key_required == false then
checked_admin_key = true
print("Warning! Admin key is bypassed! "
.. "If you are deploying APISIX in a production environment, "
.. "please disable it and set a secure password for the admin Key!")
end
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

duplicate code

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Please add an issue for the duplicate code and fix it later.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It seems that the only code common to both sides is:

if conf.deployment.admin.admin_key_required == false then
 print / log
end

Actually the output approach is different (before APISIX starting is print, after starting is log).

So IMHO, merge this two part to one function is unnecessary, because the common part is too simple (only with common part conf.deployment.admin.admin_key_required == false )


if yaml_conf.apisix.enable_admin and not checked_admin_key then
local help = [[
Expand Down
3 changes: 3 additions & 0 deletions apisix/cli/schema.lua
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -353,6 +353,9 @@ local admin_schema = {
https_admin = {
type = "boolean",
},
admin_key_required = {
type = "boolean",
},
}
}

Expand Down
4 changes: 4 additions & 0 deletions conf/config-default.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -588,6 +588,10 @@ deployment:
role_traditional:
config_provider: etcd
admin:
# admin_key required or not. Default value is true.
# Bypass the Admin API authentication by modifying this value to false if needed.
moonming marked this conversation as resolved.
Show resolved Hide resolved
# admin_key_required: true

# Default token when use API to call for Admin API.
# *NOTE*: Highly recommended to modify this value to protect APISIX's Admin API.
# Disabling this configuration item means that the Admin API does not
Expand Down
37 changes: 37 additions & 0 deletions t/admin/api.t
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -156,3 +156,40 @@ X-API-VERSION: v2
GET /t
--- response_body
passed



=== TEST 10: Access with api key, and admin_key_required=true
--- yaml_config
deployment:
admin:
admin_key_required: true
--- more_headers
X-API-KEY: edd1c9f034335f136f87ad84b625c8f1
--- request
GET /apisix/admin/routes
--- error_code: 200



=== TEST 11: Access without api key, but admin_key_required=true
--- yaml_config
deployment:
admin:
admin_key_required: true
--- request
GET /apisix/admin/routes
--- error_code: 401



=== TEST 12: Access without api key, but admin_key_required=false
moonming marked this conversation as resolved.
Show resolved Hide resolved
--- yaml_config
deployment:
admin:
admin_key_required: false
--- request
GET /apisix/admin/routes
--- error_code: 200
--- error_log
Admin key is bypassed!
56 changes: 56 additions & 0 deletions t/cli/test_admin.sh
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -189,6 +189,62 @@ fi

echo "pass: missing admin key and only allow 127.0.0.0/24 to access admin api"

# allow any IP to access admin api with empty admin_key, when admin_key_required=true

git checkout conf/config.yaml

echo '
deployment:
admin:
admin_key_required: true
monkeyDluffy6017 marked this conversation as resolved.
Show resolved Hide resolved
admin_key: ~
allow_admin:
- 0.0.0.0/0
' > conf/config.yaml

make init > output.log 2>&1 | true

if ! grep -E "ERROR: missing valid Admin API token." output.log > /dev/null; then
echo "failed: should show 'ERROR: missing valid Admin API token.'"
exit 1
fi

echo '
deployment:
admin:
admin_key_required: false
admin_key: ~
allow_admin:
- 0.0.0.0/0
' > conf/config.yaml

make init > output.log 2>&1 | true

if grep -E "ERROR: missing valid Admin API token." output.log > /dev/null; then
echo "failed: should not show 'ERROR: missing valid Admin API token.'"
exit 1
fi

if ! grep -E "Warning! Admin key is bypassed" output.log > /dev/null; then
echo "failed: should show 'Warning! Admin key is bypassed'"
exit 1
fi

echo '
deployment:
admin:
admin_key_required: invalid-value
' > conf/config.yaml

make init > output.log 2>&1 | true

if grep -E "path[deployment->admin->admin_key_required] expect: boolean, but got: string" output.log > /dev/null; then
echo "check admin_key_required value failed: should show 'expect: boolean, but got: string'"
exit 1
fi

echo "pass: allow empty admin_key, when admin_key_required=false"

# admin api, allow any IP but use default key

echo '
Expand Down