server: unauthenticated http requests running as root by default? #45018
Comments
Nvm, same on secure. But
thanks for finding this out. Will look into it.
Found it: the alias Let's close this issue and discuss further there.
discussed with andrei: non-auth requests should not report they are running as root
We've clarified the mechanics that motivate the current behavior in this tech note: #96427. The code should still be changed/improved, but at least this way we know where we are starting from.
96451: server: only forward the SQL identity in gRPC metadata r=andreimatei a=knz

Requested by `@andreimatei`. Informs #96427. Informs #45018.

Prior to this patch, we were forwarding any and all gRPC metadata during an RPC fanout. This was creating doubt and confusion about how much data is really important/useful to forward.

Analysis suggests we only care about the SQL user identity resulting from HTTP authentication. So this patch limits the forwarding to just that information. This specialization makes the forwarding logic easier to understand.

This patch additionally renames functions as follows:

| Old name | New name |
|---|---|
| `userFromContext` | `userFromIncomingRPCContext` |
| `getSQLUsername` | `userFromHTTPAuthInfoContext` |
| `apiToOutgoingGatewayCtx` | `forwardHTTPAuthInfoToRPCCalls` |
| `forwardAuthenticationMetadata` | `translateHTTPAuthInfoToGRPCMetadata` |
| `propagateGatewayMetadata` | `forwardSQLIdentityThroughRPCCalls` |

Release note: None
Epic: None
Co-authored-by: Raphael 'kena' Poss <[email protected]>
I was looking into the `/health` endpoint requiring authentication since recently, and wondering how come I still seem able to access it from my browser. It turns out it's because of this code that says that if there's an "incoming context" with metadata but no user, then the user is `root` by default because it must be "a gRPC / internal SQL connection which has root on the cluster" - which is not true; I'm doing an https request from outside the cluster. This happens to save us for the `/health` request, which doesn't actually want authentication, but is it good for all other endpoints? I've tested this on an `--insecure` cluster. Perhaps that plays a role?

Jira issue: CRDB-5180