[DNM] server: require web login by default in secure mode #24944
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Release note: None
|
This change is |
vilterp
changed the title
This was referenced Apr 23, 2018
|
Superseded by #25057 |
craig bot
pushed a commit
that referenced
this pull request
Apr 26, 2018
25057: server: require web login if an env var is set r=vilterp a=vilterp This PR introduces the temporary environment variable `COCKROACH_REQUIRE_LOGIN` to enable testing login functionality before a fully functional login/logout UI is merged. Supersedes #24944, which hardcoded this. Once we have a functional login/logout UI, we will probably hardcode this variable to true, so that login will always be required when the cluster is in secure mode. Before this change: - Admin server endpoints don't care whether there is a logged-in user or not, even in secure mode; they always run as the root user (#8767) - There is no way to log in — the `/_auth/v1/login` endpoint 404s After this change: - secure mode - with env var `COCKROACH_REQUIRE_LOGIN=true`: - Admin server endpoints require _some user_ to be logged in, although they still run queries (e.g. against `crdb_internal`) as the root user. - `/_auth/v1/login` is exposed, allowing clients such as the admin UI to log in. - else: - no auth (same as before) - insecure mode - no auth (same as before) Co-authored-by: Pete Vilter <[email protected]>
craig bot
pushed a commit
that referenced
this pull request
May 16, 2018
24945: server: exempt healthcheck endpoint from authentication check r=couchand a=vilterp Otherwise, you get the red "connection lost" banner until you log in. This will have no effect until the auth mux is put on the request path (#24944). Fixes #24942 25581: storage: fix use of context with closed trace r=a-robinson a=a-robinson Fixes #25575 Release note: None Co-authored-by: Pete Vilter <[email protected]> Co-authored-by: Alex Robinson <[email protected]>
craig bot
pushed a commit
that referenced
this pull request
May 22, 2018
25005: ui: add top-level LoginContainer: require login before rendering anything r=couchand a=vilterp Depends on #25057 Touches #24939  Shown above: 1. go to admin UI; see login screen 2. error message when you type in the wrong password 3. you can't hit an authenticated endpoint because you don't have a valid session (this checking is turned on by #24944, only in secure mode) 4. once you login with the right password, you can see the UI (the temporary "connection lost" banner shouldn't be there) 5. now you (and the UI itself) can hit endpoints, because you have a valid session Todos: - [ ] redirect to login page instead of current wrapper component switching thing - [ ] logout - [ ] logout button (make API call; redirect to login & blow away redux store) - [ ] log out other tabs (if they get a 403, redirect to login & blow away redux store) - [ ] styling Release note: None 25628: distsql: support lookup join on secondary index r=solongordon a=solongordon joinReader now supports lookup joins on secondary indexes. This was a trivial change for queries where all the output columns are included in the secondary index. I just modified the physical planner to specify the secondary index in the JoinReaderSpec and removed checks which prevented secondary indexes from being used. The more complicated situation is when we want to do a lookup join against a non-covering index. In this case, the logical planner plans an index join before the inner join, but we want to perform the lookup join first. We now handle this by only planning the lookup join during physical planning, not the index join. During execution, the joinReader detects that there are output columns not covered by the secondary index, and it performs primary index lookups as necessary to retrieve the additional columns. Fixes #25431 Co-authored-by: Pete Vilter <[email protected]> Co-authored-by: Andrew Couch <[email protected]> Co-authored-by: Solon Gordon <[email protected]>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Note: this change or something like it is required for web login to work, but shouldn't be merged before a UI login screen exists.
Before this change:
/_auth/v1/loginendpoint 404sAfter this change:
crdb_internal) as the root user./_auth/v1/loginis exposed, allowing clients such as the admin UI to log in.UX note: some users might want a cluster which is in secure mode but doesn't require web login. To support that, we'd need to introduce a new cluster setting, e.g.
disable_web_login. do not merge this until we've made that decision.Implementation note: Flipping this boolean causes the authentication mux to be installed on the server when in secure mode, which (a) handles the login endpoint and (b) checks requests to the admin and status servers for a valid session. Here's where it's installed:
cockroach/pkg/server/server.go
Lines 1181 to 1184 in 75d44eb