Add read-only security_policy to block admin HTTP endpoints. #5321
Previously, the only built-in policies available were effectively
"allow all" and "deny all". Anything else required writing a custom
plugin.
This adds a new built-in policy called `read-only` that does NOT do any
authentication, but allows anyone to query HTTP endpoints designated as
requiring the DEBUGGING or MONITORING roles, while denying everyone
access to ADMIN endpoints.
The default when no policy is specified remains "allow all".
The fallback policy remains "deny all" when an unknown, non-empty
policy name is requested. In addition, you can now explicitly request
the `deny-all` policy without having to engage fallback by providing an
invalid policy name.
Note that security_policy only applies to HTTP endpoints. It does NOT
affect gRPC calls, nor SQL queries. Also, the security_policy flag
must be set individually on every process (e.g. vttablet, vtgate, vtctld)
and only applies to endpoints served directly by that one process.
Signed-off-by: Anthony Yeh <enisoc@planetscale.com>
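To make the policy-selection rules in the description concrete (empty name means allow all, `read-only` admits DEBUGGING and MONITORING but not ADMIN, `deny-all` can be named explicitly, and any unknown non-empty name falls back to deny all), here is a small Go model of a per-process HTTP guard. It is an added example written for this page, not Vitess's own `acl` code or its flag parsing: the role constants, `ResolvePolicy`, `Guard`, `Probe` and the three URL paths are this example's assumptions, and, like the policy described above, it performs no authentication at all, it only decides by role.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
)

// Roles an HTTP endpoint can require. The names follow the PR description;
// the constants themselves are this example's own (assumption).
const (
	RoleAdmin      = "ADMIN"
	RoleDebugging  = "DEBUGGING"
	RoleMonitoring = "MONITORING"
)

// Policy decides whether any caller may reach an endpoint that requires role.
// No identity is consulted: the built-in policies described above do not
// authenticate, they only gate by the role the endpoint was registered with.
type Policy interface {
	CheckAccess(role string) error
}

type allowAll struct{}
type denyAll struct{}
type readOnly struct{}

func (allowAll) CheckAccess(string) error { return nil }

func (denyAll) CheckAccess(role string) error {
	return fmt.Errorf("deny-all policy: %s endpoints are not accessible", role)
}

// readOnly admits the two non-mutating roles and refuses everything else,
// so a newly introduced role is denied unless this list is updated.
func (readOnly) CheckAccess(role string) error {
	switch role {
	case RoleDebugging, RoleMonitoring:
		return nil
	default:
		return fmt.Errorf("read-only policy: %s endpoints are not accessible", role)
	}
}

// ResolvePolicy maps a -security_policy flag value to a Policy using the
// selection rules from the PR description. The second result reports whether
// the deny-all fallback was engaged because the name was unknown.
func ResolvePolicy(name string) (Policy, bool) {
	switch name {
	case "":
		return allowAll{}, false // unset flag keeps the historical "allow all"
	case "deny-all":
		return denyAll{}, false // explicitly requested, not a fallback
	case "read-only":
		return readOnly{}, false
	default:
		return denyAll{}, true // unknown, non-empty name: fail closed
	}
}

// Guard wraps handler so it is only reachable when policy permits role.
func Guard(policy Policy, role string, handler http.HandlerFunc) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		if err := policy.CheckAccess(role); err != nil {
			http.Error(w, err.Error(), http.StatusForbidden)
			return
		}
		handler(w, r)
	}
}

// NewMux registers one endpoint per role for a single process. The paths are
// illustrative (assumption), standing in for that process's own debug,
// monitoring and admin handlers.
func NewMux(policy Policy) *http.ServeMux {
	mux := http.NewServeMux()
	ok := func(w http.ResponseWriter, r *http.Request) { fmt.Fprintln(w, "ok") }
	mux.HandleFunc("/debug/status", Guard(policy, RoleDebugging, ok))
	mux.HandleFunc("/metrics", Guard(policy, RoleMonitoring, ok))
	mux.HandleFunc("/admin/reload", Guard(policy, RoleAdmin, ok))
	return mux
}

// Probe issues an in-process GET against a mux built for policyName and
// returns the HTTP status, so a flag value can be checked without a server.
func Probe(policyName, path string) int {
	policy, _ := ResolvePolicy(policyName)
	rec := httptest.NewRecorder()
	req := httptest.NewRequest(http.MethodGet, path, nil)
	NewMux(policy).ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	for _, name := range []string{"", "read-only", "deny-all", "bogus"} {
		for _, p := range []string{"/debug/status", "/metrics", "/admin/reload"} {
			fmt.Printf("security_policy=%q %-14s -> %d\n", name, p, Probe(name, p))
		}
	}
}
```

Because the guard is attached per handler inside one process, this also shows why the flag has to be set on every vttablet, vtgate and vtctld separately: a mux built with `read-only` in one process says nothing about the admin endpoints another process serves, and nothing here touches gRPC or SQL paths at all.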