Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

feat(cli): support bypassing Admin API Auth by configuration #9147

Merged
merged 21 commits into from
Apr 10, 2023
Merged

feat(cli): support bypassing Admin API Auth by configuration #9147

Show file tree
Hide file tree
Changes from 18 commits
Commits
Show all changes
21 commits
Select commit Hold shift + click to select a range
ad5e732
feat(cli): support APISIX_ALLOW_NONE_AUTHENTICATION
An-DJ Mar 22, 2023
48c4941
fix wrong test
An-DJ Mar 23, 2023
88c7830
fix wrong test
An-DJ Mar 23, 2023
8089d47
fix wrong test config
An-DJ Mar 24, 2023
2111f54
bypass the auth if APISIX_ALLOW_NONE_AUTHENTICATION=true
An-DJ Mar 28, 2023
0395850
add hint
An-DJ Mar 28, 2023
b4332c7
change env var name
An-DJ Mar 29, 2023
c222260
Merge remote-tracking branch 'upstream/master' into allow-none-authen…
An-DJ Mar 29, 2023
8110123
add blank line
An-DJ Mar 29, 2023
d2cde14
add non-true check
An-DJ Mar 29, 2023
73ff74b
change env-config to file-config
An-DJ Mar 29, 2023
427782e
remove useless test
An-DJ Mar 29, 2023
d4bf713
add more test cases
An-DJ Mar 30, 2023
477687e
rewrite comments
An-DJ Mar 30, 2023
805edce
Correcting spelling problems
An-DJ Mar 30, 2023
7665604
correct spell problem
An-DJ Mar 30, 2023
bffbf56
correct warning
An-DJ Apr 4, 2023
3a08b52
correct comments
An-DJ Apr 4, 2023
aa15642
fix test err
An-DJ Apr 6, 2023
18c00b5
fix wrong test case
An-DJ Apr 6, 2023
97a5a8e
add more test cases
An-DJ Apr 6, 2023
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
13 changes: 13 additions & 0 deletions apisix/admin/init.lua
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -67,6 +67,12 @@ local router

local function check_token(ctx)
local local_conf = core.config.local_conf()

-- check if admin_key is required
if local_conf.deployment.admin.admin_key_required == false then
return true
end

local admin_key = core.table.try_read_attr(local_conf, "deployment", "admin", "admin_key")
if not admin_key then
return true
Expand Down Expand Up @@ -395,6 +401,13 @@ function _M.init_worker()
events.register(reload_plugins, reload_event, "PUT")

if ngx_worker_id() == 0 then
-- check if admin_key is required
if local_conf.deployment.admin.admin_key_required == false then
core.log.warn("Admin key is bypassed! ",
"If you are deploying APISIX in a production environment, ",
"please disable `admin_key_required` and set a secure admin key!")
end

local ok, err = ngx_timer_at(0, function(premature)
if premature then
return
Expand Down
7 changes: 7 additions & 0 deletions apisix/cli/ops.lua
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -189,6 +189,13 @@ local function init(env)
and #allow_admin == 1 and allow_admin[1] == "127.0.0.0/24" then
checked_admin_key = true
end
-- check if admin_key is required
monkeyDluffy6017 marked this conversation as resolved.
Show resolved Hide resolved
if yaml_conf.deployment.admin.admin_key_required == false then
checked_admin_key = true
print("Warning! Admin key is bypassed! "
.. "If you are deploying APISIX in a production environment, "
.. "please disable `admin_key_required` and set a secure admin key!")
end

if yaml_conf.apisix.enable_admin and not checked_admin_key then
local help = [[
Expand Down
3 changes: 3 additions & 0 deletions apisix/cli/schema.lua
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -353,6 +353,9 @@ local admin_schema = {
https_admin = {
type = "boolean",
},
admin_key_required = {
type = "boolean",
},
}
}

Expand Down
4 changes: 4 additions & 0 deletions conf/config-default.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -588,6 +588,10 @@ deployment:
role_traditional:
config_provider: etcd
admin:
# Admin API authentication is enabled by default.
# Set it false in the production environment will cause a serious security issue.
# admin_key_required: true

# Default token when use API to call for Admin API.
# *NOTE*: Highly recommended to modify this value to protect APISIX's Admin API.
# Disabling this configuration item means that the Admin API does not
Expand Down
48 changes: 48 additions & 0 deletions t/admin/api.t
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -156,3 +156,51 @@ X-API-VERSION: v2
GET /t
--- response_body
passed



=== TEST 10: Access with api key, and admin_key_required=true
--- yaml_config
deployment:
admin:
admin_key_required: true
--- more_headers
X-API-KEY: edd1c9f034335f136f87ad84b625c8f1
--- request
GET /apisix/admin/routes
--- error_code: 200



=== TEST 11: Access without api key, but admin_key_required=true
--- yaml_config
deployment:
admin:
admin_key_required: true
--- request
GET /apisix/admin/routes
--- error_code: 401



=== TEST 12: Access without api key, but admin_key_required=true
--- yaml_config
deployment:
admin:
admin_key_required: true
--- request
GET /apisix/admin/routes
--- error_code: 200



=== TEST 13: Access without api key, but admin_key_required=false
--- yaml_config
deployment:
admin:
admin_key_required: false
--- request
GET /apisix/admin/routes
--- error_code: 200
--- error_log
Admin key is bypassed!
56 changes: 56 additions & 0 deletions t/cli/test_admin.sh
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -189,6 +189,62 @@ fi

echo "pass: missing admin key and only allow 127.0.0.0/24 to access admin api"

# allow any IP to access admin api with empty admin_key, when admin_key_required=true

git checkout conf/config.yaml

echo '
deployment:
admin:
admin_key_required: true
monkeyDluffy6017 marked this conversation as resolved.
Show resolved Hide resolved
admin_key: ~
allow_admin:
- 0.0.0.0/0
' > conf/config.yaml

make init > output.log 2>&1 | true

if ! grep -E "ERROR: missing valid Admin API token." output.log > /dev/null; then
echo "failed: should show 'ERROR: missing valid Admin API token.'"
exit 1
fi

echo '
deployment:
admin:
admin_key_required: false
admin_key: ~
allow_admin:
- 0.0.0.0/0
' > conf/config.yaml

make init > output.log 2>&1 | true

if grep -E "ERROR: missing valid Admin API token." output.log > /dev/null; then
echo "failed: should not show 'ERROR: missing valid Admin API token.'"
exit 1
fi

if ! grep -E "Warning! Admin key is bypassed" output.log > /dev/null; then
echo "failed: should show 'Warning! Admin key is bypassed'"
exit 1
fi

echo '
deployment:
admin:
admin_key_required: invalid-value
' > conf/config.yaml

make init > output.log 2>&1 | true

if grep -E "path[deployment->admin->admin_key_required] expect: boolean, but got: string" output.log > /dev/null; then
echo "check admin_key_required value failed: should show 'expect: boolean, but got: string'"
exit 1
fi

echo "pass: allow empty admin_key, when admin_key_required=false"

# admin api, allow any IP but use default key

echo '
Expand Down