This is an automated email from the ASF dual-hosted git repository.
jin pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/incubator-hugegraph-doc.git
The following commit(s) were added to refs/heads/master by this push:
new 72b37f75 fix: warn user to update or change the default jwt value (#364)
72b37f75 is described below
commit 72b37f7507422a42b4e9a70671f763c5811353d9
Author: HaoJin Yang <[email protected]>
AuthorDate: Thu Jul 11 15:30:07 2024 +0800
fix: warn user to update or change the default jwt value (#364)
Note: 1.5.0 has not been released yet
---------
Co-authored-by: imbajin <[email protected]>
---
content/cn/docs/config/config-authentication.md | 17 ++++++++++++++++-
content/en/docs/config/config-authentication.md | 14 ++++++++++++++
2 files changed, 30 insertions(+), 1 deletion(-)
diff --git a/content/cn/docs/config/config-authentication.md
b/content/cn/docs/config/config-authentication.md
index beb56cbc..ac50e233 100644
--- a/content/cn/docs/config/config-authentication.md
+++ b/content/cn/docs/config/config-authentication.md
@@ -36,6 +36,21 @@ GET
http://localhost:8080/graphs/hugegraph/schema/vertexlabels
Authorization: Basic admin xxxx
```
+**警告**:在 1.5.0 之前版本的 HugeGraph-Server 在鉴权模式下存在 JWT 相关的安全隐患,请务必使用新版本或自行修改 JWT
token 的 secretKey。
+
+修改方式为在配置文件`rest-server.properties`中重写`auth.token_secret`信息:(1.5.0
后会默认生成随机值则无需配置)
+
+```properties
+auth.token_secret=XXXX #这里为 32 位 String,由 a-z,A-Z 和 0-9 组成
+```
+
+也可以通过下面的命令实现:
+
+```shell
+RANDOM_STRING=$(head /dev/urandom | tr -dc A-Za-z0-9 | head -c 32)
+echo "auth.token_secret=${RANDOM_STRING}" >> rest-server.properties
+```
+
#### StandardAuthenticator 模式
`StandardAuthenticator`模式是通过在数据库后端存储用户信息来支持用户认证和权限控制,该实现基于数据库存储的用户的名称与密码进行认证(密码已被加密),基于用户的角色来细粒度控制用户权限。下面是具体的配置流程(重启服务生效):
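Review bot: the `properties` example puts the explanatory comment on the same line as the value (`auth.token_secret=XXXX #这里为 32 位 String...`), but in a Java properties file `#` only starts a comment at the beginning of a line, so a user who copies the line verbatim ends up with the comment text as part of the secret; move the comment onto its own line above the key. In the shell snippet, `head /dev/urandom` reads ten newline-delimited "lines" of random bytes, which is an unpredictable amount of input, and `tr -dc A-Za-z0-9` fails with `Illegal byte sequence` under BSD/macOS `tr` in a UTF-8 locale; `head -c 512 /dev/urandom | LC_ALL=C tr -dc 'A-Za-z0-9' | head -c 32` fixes both. Also, `>>` appends a second `auth.token_secret` line if the key is already present, so the text should tell users to replace an existing entry rather than append one.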
@@ -59,6 +74,7 @@ auth.graph_store=hugegraph
# 如果是分开部署 GraphServer 和 AuthServer,还需要指定下面的配置,地址填写 AuthServer 的 IP:RPC 端口
#auth.remote_url=127.0.0.1:8899,127.0.0.1:8898,127.0.0.1:8897
```
+
其中,`graph_store`配置项是指使用哪一个图来存储用户信息,如果存在多个图的话,选取任意一个均可。
在配置文件`hugegraph{n}.properties`中配置`gremlin.graph`信息:
@@ -73,7 +89,6 @@ gremlin.graph=org.apache.hugegraph.auth.HugeFactoryAuthProxy
如果需要支持更加灵活的用户系统,可自定义 authenticator 进行扩展,自定义 authenticator
实现接口`org.apache.hugegraph.auth.HugeAuthenticator`即可,然后修改配置文件中`authenticator`配置项指向该实现。
-
### 基于鉴权模式启动
在鉴权配置完成后,需在首次执行 `init-store.sh` 时命令行中输入 `admin` 密码 (非 docker 部署模式下)
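Review bot: dropping the blank line between the paragraph and the `### 基于鉴权模式启动` heading is a style regression; the rest of this file (and the new text in the hunk above, which adds a blank line before `#### StandardAuthenticator 模式`) keeps headings surrounded by blank lines, and markdown linters flag the missing one. Suggest keeping the blank line.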
diff --git a/content/en/docs/config/config-authentication.md
b/content/en/docs/config/config-authentication.md
index 64aed02a..9d4c1822 100644
--- a/content/en/docs/config/config-authentication.md
+++ b/content/en/docs/config/config-authentication.md
@@ -37,6 +37,20 @@ GET
http://localhost:8080/graphs/hugegraph/schema/vertexlabels
Authorization: Basic admin xxxx
```
+**Warning**: Versions of HugeGraph-Server prior to 1.5.0 have a JWT-related
security vulnerability in the Auth mode.
+Users are advised to update to a newer version or manually set the JWT token's
secretKey. It can be set in the `rest-server.properties` file by setting the
`auth.token_secret` information:
+
+```properties
+auth.token_secret=XXXX # should be a 32-chars string, consist of A-Z, a-z
and 0-9
+```
+
+You can also generate it with the following command:
+
+```shell
+RANDOM_STRING=$(head /dev/urandom | tr -dc A-Za-z0-9 | head -c 32)
+echo "auth.token_secret=${RANDOM_STRING}" >> rest-server.properties
+```
+
#### StandardAuthenticator Mode
The `StandardAuthenticator` mode supports user authentication and permission
control by storing user information in the database backend. This
implementation authenticates users based on their names and passwords
(encrypted) stored in the database and controls user permissions based on their
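Review bot: the English text omits the note the Chinese version carries that 1.5.0 and later generate a random `auth.token_secret` by default, so readers of this page cannot tell whether the manual setting is still needed after upgrading; add the same sentence here. The inline comment on `auth.token_secret=XXXX # should be ...` has the same problem as in the cn file: `#` does not start a comment mid-line in a properties file, so copying the line sets the secret to the placeholder plus the comment text; put the comment on its own line. Grammar: "should be a 32-chars string, consist of A-Z, a-z and 0-9" should read "should be a 32-character string consisting of A-Z, a-z and 0-9". As in the cn hunk, the shell snippet should read a fixed byte count (`head -c 512 /dev/urandom`) and run `tr` under `LC_ALL=C` for portability, and users should replace an existing `auth.token_secret` line rather than append a second one with `>>`.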