mirrors/dragonfly
1
0
Fork 0
mirror of https://github.com/dragonflydb/dragonfly.git synced 2025-05-11 10:25:47 +02:00
Code Issues Projects Releases Packages Wiki Activity Actions 5

chore(Http): change authed username to default and skip auth on metrics (#1950)

Browse source 
* Update Http auth with username default instead of user
* skip auth for /metrics page
* add/improve tests
* fix a bug with admin port requiring auth on http even if nopass was set
* update helio ref
* update listener class to contain its respective Role
* fix http init to only include admin and main listener
This commit is contained in:
Kostas Kyrimis 2023-10-03 10:45:37 +03:00 committed by GitHub
parent 38c4e3b588
commit 945d3a39e4
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
15 changed files with 144 additions and 99 deletions
Download patch file Download diff file Expand all files Collapse all files

26
src/server/main_service.cc
View file

@ -82,8 +82,8 @@ ABSL_FLAG(uint32_t, multi_eval_squash_buffer, 4_KB, "Max buffer for squashed com
ABSL_DECLARE_FLAG(bool, primary_port_http_enabled);
ABSL_FLAG(bool, admin_nopass, false,
"If set, would enable open admin access to console on the assigned port, without auth "
"token needed.");
"If set, would enable open admin access to console on the assigned port, without "
"authorization needed.");
ABSL_FLAG(MaxMemoryFlag, maxmemory, MaxMemoryFlag{},
"Limit on maximum-memory that is used by the database. "
@ -823,7 +823,7 @@ std::optional<ErrorReply> Service::VerifyCommandState(const CommandId* cid, CmdA
// If there is no connection owner, it means the command it being called
// from another command or used internally, therefore is always permitted.
if (dfly_cntx.conn() != nullptr && !dfly_cntx.conn()->IsAdmin() && cid->IsRestricted()) {
if (dfly_cntx.conn() != nullptr && !dfly_cntx.conn()->IsPrivileged() && cid->IsRestricted()) {
return ErrorReply{"Cannot execute restricted command (admin only)"};
}
@ -1204,7 +1204,7 @@ ErrorReply Service::ReportUnknownCmd(string_view cmd_name) {
return ErrorReply{StrCat("unknown command `", cmd_name, "`"), "unknown_cmd"};
}
bool RequireAdminAuth() {
bool RequirePrivilegedAuth() {
return !GetFlag(FLAGS_admin_nopass);
}
@ -1212,7 +1212,7 @@ facade::ConnectionContext* Service::CreateContext(util::FiberSocketBase* peer,
facade::Connection* owner) {
ConnectionContext* res = new ConnectionContext{peer, owner};
if (owner->IsAdmin() && !RequireAdminAuth()) {
if (owner->IsPrivileged() && !RequirePrivilegedAuth()) {
res->req_auth = false;
} else {
res->req_auth = !GetPassword().empty();
@ -2070,11 +2070,17 @@ GlobalState Service::GetGlobalState() const {
return global_state_;
}
void Service::ConfigureHttpHandlers(util::HttpListenerBase* base) {
// We set the password for the HTTP service unless it is only enabled on the
// admin port and the admin port is password-less.
if (GetFlag(FLAGS_primary_port_http_enabled) || !GetFlag(FLAGS_admin_nopass)) {
base->SetPassword(GetPassword());
void Service::ConfigureHttpHandlers(util::HttpListenerBase* base, bool is_privileged) {
// We skip authentication on privileged listener if the flag admin_nopass is set
const bool should_skip_auth = is_privileged && !RequirePrivilegedAuth();
if (!should_skip_auth) {
base->SetAuthFunctor([pass = GetPassword()](std::string_view path, std::string_view username,
std::string_view password) {
if (path == "/metrics")
return true;
const bool pass_verified = pass.empty() ? true : password == pass;
return username == "default" && pass_verified;
});
}
server_family_.ConfigureMetrics(base);
base->RegisterCb("/txz", TxTable);