Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

feat(cli): support bypassing Admin API Auth by configuration #9147

Merged
merged 21 commits into from
Apr 10, 2023
Merged

feat(cli): support bypassing Admin API Auth by configuration #9147

Show file tree
Hide file tree
Changes from 9 commits
Commits
Show all changes
21 commits
Select commit Hold shift + click to select a range
ad5e732
feat(cli): support APISIX_ALLOW_NONE_AUTHENTICATION
An-DJ Mar 22, 2023
48c4941
fix wrong test
An-DJ Mar 23, 2023
88c7830
fix wrong test
An-DJ Mar 23, 2023
8089d47
fix wrong test config
An-DJ Mar 24, 2023
2111f54
bypass the auth if APISIX_ALLOW_NONE_AUTHENTICATION=true
An-DJ Mar 28, 2023
0395850
add hint
An-DJ Mar 28, 2023
b4332c7
change env var name
An-DJ Mar 29, 2023
c222260
Merge remote-tracking branch 'upstream/master' into allow-none-authen…
An-DJ Mar 29, 2023
8110123
add blank line
An-DJ Mar 29, 2023
d2cde14
add non-true check
An-DJ Mar 29, 2023
73ff74b
change env-config to file-config
An-DJ Mar 29, 2023
427782e
remove useless test
An-DJ Mar 29, 2023
d4bf713
add more test cases
An-DJ Mar 30, 2023
477687e
rewrite comments
An-DJ Mar 30, 2023
805edce
Correcting spelling problems
An-DJ Mar 30, 2023
7665604
correct spell problem
An-DJ Mar 30, 2023
bffbf56
correct warning
An-DJ Apr 4, 2023
3a08b52
correct comments
An-DJ Apr 4, 2023
aa15642
fix test err
An-DJ Apr 6, 2023
18c00b5
fix wrong test case
An-DJ Apr 6, 2023
97a5a8e
add more test cases
An-DJ Apr 6, 2023
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
15 changes: 15 additions & 0 deletions apisix/admin/init.lua
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -32,6 +32,7 @@ local reload_event = "/apisix/admin/plugins/reload"
local ipairs = ipairs
local error = error
local type = type
local getenv = os.getenv


local events
Expand Down Expand Up @@ -66,6 +67,12 @@ local router


local function check_token(ctx)
-- check if APISIX_BYPASS_ADMIN_API_AUTH=true
local none_auth = getenv("APISIX_BYPASS_ADMIN_API_AUTH")
moonming marked this conversation as resolved.
Show resolved Hide resolved
if none_auth == "true" then
return true
end

local local_conf = core.config.local_conf()
local admin_key = core.table.try_read_attr(local_conf, "deployment", "admin", "admin_key")
if not admin_key then
Expand Down Expand Up @@ -395,6 +402,14 @@ function _M.init_worker()
events.register(reload_plugins, reload_event, "PUT")

if ngx_worker_id() == 0 then
-- check if APISIX_BYPASS_ADMIN_API_AUTH=true
local none_auth = getenv("APISIX_BYPASS_ADMIN_API_AUTH")
if none_auth == "true" then
core.log.warn("AdminKey is bypassed because of APISIX_BYPASS_ADMIN_API_AUTH=true.",
"If you are deploying APISIX in a production environment,",
"please disable it and set a secure password for the adminKey!")
end

local ok, err = ngx_timer_at(0, function(premature)
if premature then
return
Expand Down
2 changes: 2 additions & 0 deletions apisix/cli/ngx_tpl.lua
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -51,6 +51,8 @@ worker_shutdown_timeout {* worker_shutdown_timeout *};
env APISIX_PROFILE;
env PATH; # for searching external plugin runner's binary

env APISIX_BYPASS_ADMIN_API_AUTH; # bypass admin api auth
moonming marked this conversation as resolved.
Show resolved Hide resolved

# reserved environment variables for configuration
env APISIX_DEPLOYMENT_ETCD_HOST;

Expand Down
9 changes: 9 additions & 0 deletions apisix/cli/ops.lua
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -190,6 +190,15 @@ local function init(env)
checked_admin_key = true
end

-- check if APISIX_BYPASS_ADMIN_API_AUTH=true
local allow_none_auth = getenv("APISIX_BYPASS_ADMIN_API_AUTH")
if allow_none_auth == "true" then
checked_admin_key = true
print("Warning! AdminKey is bypassed because of APISIX_BYPASS_ADMIN_API_AUTH=true.",
"If you are deploying APISIX in a production environment,",
"please disable it and set a secure password for the adminKey!")
end

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Why are there duplicate codes?

Copy link
Contributor Author

@An-DJ An-DJ Mar 29, 2023
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Do you mean that hint appears in both stdout and log?

  1. opt.lua checks if allow_admin in config.yaml is correct before APISIX starts. We need to bypass the adminKey check here.
  2. init.lua checks the adminKey when accessing the Admin API (after APISIX starts). We need to bypass check_token, too.

That's why I have implemented bypass-logic in two different stage.(before and after the start).

Copy link
Contributor Author

@An-DJ An-DJ Mar 29, 2023
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

In other words, opt.lua does a static check on the configuration file (if it is not 127.0.0.0/24 and the adminKey is empty, APISIX will not start).

We also have to bypass the checks here.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

If there is repeated code, then it needs to be abstracted into a function

if yaml_conf.apisix.enable_admin and not checked_admin_key then
local help = [[

Expand Down
18 changes: 18 additions & 0 deletions t/admin/token.t
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -177,3 +177,21 @@ PUT /apisix/admin/plugins/reload?api_key=4054f7cf07e344346cd3f287985e76a2
--- request
GET /apisix/admin/routes??api_key=4054f7cf07e344346cd3f287985e76a2
--- error_code: 401



=== TEST 10: access without api key
--- request
GET /apisix/admin/routes
--- error_code: 401



=== TEST 11: access without api key, but APISIX_BYPASS_ADMIN_API_AUTH=true
--- main_config
env APISIX_BYPASS_ADMIN_API_AUTH=true;
moonming marked this conversation as resolved.
Show resolved Hide resolved
--- request
GET /apisix/admin/routes
--- error_code: 200
--- error_log
AdminKey is bypassed because of APISIX_BYPASS_ADMIN_API_AUTH=true
26 changes: 26 additions & 0 deletions t/cli/test_admin.sh
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -189,6 +189,32 @@ fi

echo "pass: missing admin key and only allow 127.0.0.0/24 to access admin api"

# allow any IP to access admin api with empty admin_key, when APISIX_BYPASS_ADMIN_API_AUTH=true

git checkout conf/config.yaml

echo '
deployment:
admin:
admin_key: ~
allow_admin:
- 0.0.0.0/0
' > conf/config.yaml

APISIX_BYPASS_ADMIN_API_AUTH=true make init > output.log 2>&1 | true

if grep -E "ERROR: missing valid Admin API token." output.log > /dev/null; then
echo "failed: should not show 'ERROR: missing valid Admin API token.'"
exit 1
fi

if ! grep -E "Warning! AdminKey is bypassed" output.log > /dev/null; then
An-DJ marked this conversation as resolved.
Show resolved Hide resolved
echo "failed: should show 'Warning! AdminKey is bypassed'"
exit 1
fi

echo "pass: allow empty admin_key, when APISIX_BYPASS_ADMIN_API_AUTH=true"

# admin api, allow any IP but use default key

echo '
Expand Down