Posted to notifications@apisix.apache.org by GitBox <gi...@apache.org> on 2020/09/17 07:24:56 UTC

[GitHub] [apisix] moonming commented on a change in pull request #2244: bugfix(CLI): if the user used default token and allow any IP to acces…

moonming commented on a change in pull request #2244:
URL: https://github.com/apache/apisix/pull/2244#discussion_r490026730



##########
File path: conf/config.yaml
##########
@@ -21,3 +21,9 @@
 #     host:
 #       - "http://127.0.0.1:2379"
 #
+apisix:
+  admin_key:
+    -
+      name: "admin"
+      key: edd1c9f034335f136f87ad84b625c8f1 # please update the default token for safe

Review comment:
       `using fixed API token has security risk, please update it when you deploy to production environment`

##########
File path: bin/apisix
##########
@@ -812,6 +814,51 @@ local function init()
     end
     -- print("etcd: ", yaml_conf.etcd.host)
 
+    -- check the Admin API token
+    if yaml_conf.apisix.enable_admin and yaml_conf.apisix.allow_admin then
+        for _, allow_ip in ipairs(yaml_conf.apisix.allow_admin) do
+            if allow_ip == "127.0.0.0/24" then
+                is_checked_admin_key = true
+            end
+        end
+    end
+
+    if yaml_conf.apisix.enable_admin and not is_checked_admin_key then
+        is_checked_admin_key = true
+        local help = [[
+
+%s
+Please set a new Admin API key and store it in the `conf/config.yaml` file.
+
+]]
+        if type(yaml_conf.apisix.admin_key) ~= "table" or
+           #yaml_conf.apisix.admin_key == 0
+        then
+            io.stderr:write(help:format("ERROR: missing valid Admin API Key"))
+            os.exit(1)
+        end
+
+        for _, admin in ipairs(yaml_conf.apisix.admin_key) do
+            if type(admin.key) == "table" then
+                admin.key = ""
+            else
+                admin.key = tostring(admin.key)
+            end
+
+            if admin.key == "" then
+                io.stderr:write(help:format("ERROR: missing valid Admin API Key"), "\n")
+                os.exit(1)
+            end
+
+            if admin.key == "edd1c9f034335f136f87ad84b625c8f1" then
+                io.stderr:write(
+                    help:format("WARNING: using the default Key is very dangerous."),
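Review bot: The loop over `allow_admin` at the top of the hunk marks the key check as done as soon as any entry equals `127.0.0.0/24`, so a list such as `["127.0.0.0/24", "0.0.0.0/0"]` still exposes the Admin API to every address yet skips the warning, and the exact-string compare also misses other loopback spellings such as `127.0.0.1/32`. Skipping should require that every allowed source is loopback; a rewrite of that block is below. Separately, `admin.key = tostring(admin.key)` turns a missing `key:` into the string `"nil"`, which is not empty and so passes the "missing valid Admin API Key" check (and is written back into `yaml_conf`); guard it with `if admin.key == nil or type(admin.key) == "table" then admin.key = "" else admin.key = tostring(admin.key) end`. The `is_checked_admin_key` assignments carry no `local` in the hunk, so they write a global unless the variable is declared earlier in the file, and the `"edd1c9f034335f136f87ad84b625c8f1"` literal duplicates the value shipped in conf/config.yaml, so changing one without the other silently disables the warning. `init()` starts and ends outside the hunk.
```lua
    -- check the Admin API token
    if yaml_conf.apisix.enable_admin and yaml_conf.apisix.allow_admin then
        -- skip the token check only when every allowed source is IPv4 loopback
        -- (an empty list skips nothing, matching the previous behaviour)
        local only_loopback = #yaml_conf.apisix.allow_admin > 0
        for _, allow_ip in ipairs(yaml_conf.apisix.allow_admin) do
            if not tostring(allow_ip):find("^127%.") then
                only_loopback = false
                break
            end
        end
        if only_loopback then
            is_checked_admin_key = true
        end
    end
    -- … unchanged: help text and admin_key validation …
```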

Review comment:
       `using the default Key is very dangerous.` -> `using fixed API token has security risk, please modify "admin_key" in conf/config.yaml`



