You are viewing a plain text version of this content. The canonical link for it is here.
Posted to notifications@apisix.apache.org by "moonming (via GitHub)" <gi...@apache.org> on 2023/03/31 09:40:21 UTC

[GitHub] [apisix] moonming commented on a diff in pull request #9147: feat(cli): support bypassing Admin API Auth by configuration

moonming commented on code in PR #9147:
URL: https://github.com/apache/apisix/pull/9147#discussion_r1154250154


##########
apisix/admin/init.lua:
##########
@@ -395,6 +401,13 @@ function _M.init_worker()
     events.register(reload_plugins, reload_event, "PUT")
 
     if ngx_worker_id() == 0 then
+        -- check if admin_key is required
+        if local_conf.deployment.admin.admin_key_required == false then
+            core.log.warn("Admin key is bypassed! ",
+                "If you are deploying APISIX in a production environment, ",
+                "please disable it and set a secure password for the admin Key!")

Review Comment:
   admin key is not password



##########
conf/config-default.yaml:
##########
@@ -588,6 +588,10 @@ deployment:
   role_traditional:
     config_provider: etcd
   admin:
+    # admin_key required or not. Default value is true.
+    # Bypass the Admin API authentication by modifying this value to false if needed.

Review Comment:
   ```suggestion
       # admin API authentication is enabled by default. 
       # Set it false in the production environment will cause a serious security issue.
   ```



##########
apisix/cli/ops.lua:
##########
@@ -189,6 +189,13 @@ local function init(env)
        and #allow_admin == 1 and allow_admin[1] == "127.0.0.0/24" then
         checked_admin_key = true
     end
+    -- check if admin_key is required
+    if yaml_conf.deployment.admin.admin_key_required == false then
+        checked_admin_key = true
+        print("Warning! Admin key is bypassed! "
+                .. "If you are deploying APISIX in a production environment, "
+                .. "please disable it and set a secure password for the admin Key!")
+    end

Review Comment:
   duplicate code



##########
apisix/admin/init.lua:
##########
@@ -395,6 +401,13 @@ function _M.init_worker()
     events.register(reload_plugins, reload_event, "PUT")
 
     if ngx_worker_id() == 0 then
+        -- check if admin_key is required
+        if local_conf.deployment.admin.admin_key_required == false then
+            core.log.warn("Admin key is bypassed! ",
+                "If you are deploying APISIX in a production environment, ",
+                "please disable it and set a secure password for the admin Key!")

Review Comment:
   Please write clearly what configuration to disable



##########
t/admin/api.t:
##########
@@ -156,3 +156,40 @@ X-API-VERSION: v2
 GET /t
 --- response_body
 passed
+
+
+
+=== TEST 10: Access with api key, and admin_key_required=true
+--- yaml_config
+deployment:
+  admin:
+    admin_key_required: true
+--- more_headers
+X-API-KEY: edd1c9f034335f136f87ad84b625c8f1
+--- request
+GET /apisix/admin/routes
+--- error_code: 200
+
+
+
+=== TEST 11: Access without api key, but admin_key_required=true
+--- yaml_config
+deployment:
+  admin:
+    admin_key_required: true
+--- request
+GET /apisix/admin/routes
+--- error_code: 401
+
+
+
+=== TEST 12: Access without api key, but admin_key_required=false

Review Comment:
   no test case for `Access with api key, but admin_key_required=false`



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: notifications-unsubscribe@apisix.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org