Posted to notifications@apisix.apache.org by GitBox <gi...@apache.org> on 2022/03/28 10:23:27 UTC

[GitHub] [apisix] starsz opened a new issue #6735: feat: As a user, I want to start Apache APISIX with a etcd user (who only have read permission of etcd), so that we can improve the security and avoid changing the etcd in DP side

starsz opened a new issue #6735:
URL: https://github.com/apache/apisix/issues/6735


   ### Description
   
   Hello, I configured Apache APISIX with a user (who only has read permission on `/apisix/`), and when I start Apache APISIX,
   I run into this problem:
   ```
   got malformed key-put message: "{"error":"etcdserver: permission denied","code":7,"message":"etcdserver: permission denied"}" from etcd "http://127.0.0.1:2379/v3/kv/put
   ```
   
   The code is as follows:
   https://github.com/apache/apisix/blob/55eb58ab85ac7e108de36271fd9cf29fe2fa3324/apisix/cli/etcd.lua#L310-L365
   
   I think we can avoid adding the `init_dir` if the directory exists.


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: notifications-unsubscribe@apisix.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org
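
The check-before-write idea proposed in the issue above, as an added example (not APISIX code and not part of the original thread). `FakeEtcd`, `init_dirs` and the directory list are hypothetical; the fake stands in for etcd's `/v3/kv/range` and `/v3/kv/put` calls and rejects writes for a read-only user.

```python
import base64

INIT_VALUE = "init_dir"                        # marker value named in the issue
DIRS = ["/routes", "/upstreams", "/services"]  # constructed sample list

class EtcdPermissionDenied(Exception):
    """Stands in for the gateway's code 7, 'etcdserver: permission denied'."""

def b64(text):
    return base64.b64encode(text.encode()).decode()

def unb64(text):
    return base64.b64decode(text).decode()

class FakeEtcd:
    """Hypothetical in-memory stand-in for etcd's /v3/kv/range and /v3/kv/put."""
    def __init__(self, data=None, can_write=False):
        self.data = dict(data or {})
        self.can_write = can_write
        self.put_calls = 0

    def range(self, key_b64):
        key = unb64(key_b64)
        if key not in self.data:
            return {}                          # no match: count field is absent
        return {"count": "1", "kvs": [{"key": key_b64, "value": b64(self.data[key])}]}

    def put(self, key_b64, value_b64):
        self.put_calls += 1
        if not self.can_write:
            raise EtcdPermissionDenied("etcdserver: permission denied")
        self.data[unb64(key_b64)] = unb64(value_b64)
        return {}

def init_dirs(etcd, prefix="/apisix", dirs=DIRS):
    """Read each directory key first; write the marker only where it is missing."""
    created = []
    for name in dirs:
        key = prefix + name + "/"
        if int(etcd.range(b64(key)).get("count", 0)) > 0:
            continue                           # exists: read permission is enough
        etcd.put(b64(key), b64(INIT_VALUE))    # needs write permission
        created.append(key)
    return created
```

With this logic a read-only user starts cleanly only when every directory key already exists, so a privileged account has to seed the keys once beforehand.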



[GitHub] [apisix] tzssangglass commented on issue #6735: feat: As a user, I want to start Apache APISIX with a etcd user (who only have read permission of etcd), so that we can improve the security and avoid changing the etcd in DP side

Posted by GitBox <gi...@apache.org>.
tzssangglass commented on issue #6735:
URL: https://github.com/apache/apisix/issues/6735#issuecomment-1081311035


   Here are some examples of DP writing data in etcd:
   
   1. `request-id` plugin: https://github.com/apache/apisix/blob/542569091d4b6a40b9d560c4fe76077ee9dba087/apisix/plugins/request-id.lua#L93
   2. `server-info` plugin: https://github.com/apache/apisix/blob/542569091d4b6a40b9d560c4fe76077ee9dba087/apisix/plugins/server-info.lua#L128
   
   Welcome to add.





[GitHub] [apisix] shuaijinchao commented on issue #6735: feat: As a user, I want to start Apache APISIX with a etcd user (who only have read permission of etcd), so that we can improve the security and avoid changing the etcd in DP side

Posted by GitBox <gi...@apache.org>.
shuaijinchao commented on issue #6735:
URL: https://github.com/apache/apisix/issues/6735#issuecomment-1081316584


   I think DP should only have read-only operations, but this should be at the framework level. Plugins are generally custom and can be left to the user for decision-making.





[GitHub] [apisix] starsz commented on issue #6735: feat: As a user, I want to start Apache APISIX with a etcd user (who only have read permission of etcd), so that we can improve the security and avoid changing the etcd in DP side

Posted by GitBox <gi...@apache.org>.
starsz commented on issue #6735:
URL: https://github.com/apache/apisix/issues/6735#issuecomment-1084179440


   > Here are some examples of DP writing data in etcd:
   > 
   > 1. `request-id` plugin: https://github.com/apache/apisix/blob/542569091d4b6a40b9d560c4fe76077ee9dba087/apisix/plugins/request-id.lua#L93
   > 2. `server-info` plugin: https://github.com/apache/apisix/blob/542569091d4b6a40b9d560c4fe76077ee9dba087/apisix/plugins/server-info.lua#L128
   > 
   > welcome to add.
   
   So if I want to configure the user with read-only operations, I shouldn't use these plugins.
   
   And I think we should also skip adding the init_dir if the directory exists.
   
   





[GitHub] [apisix] tzssangglass commented on issue #6735: feat: As a user, I want to start Apache APISIX with a etcd user (who only have read permission of etcd), so that we can improve the security and avoid changing the etcd in DP side

Posted by GitBox <gi...@apache.org>.
tzssangglass commented on issue #6735:
URL: https://github.com/apache/apisix/issues/6735#issuecomment-1084640213


   > So if I want to config the user with read-only operation, I shouldn't use these plugins.
   > 
   > And I think we should also skip adding the init_dir if the directory exists.
   
   Yes, we can add configuration to control skipping the `init_etcd` step.

