Agree with this enhancement.

Ming Wen <wenm...@apache.org> wrote on Wed, Jan 26, 2022 at 14:19:
> > I think it is a security issue.
> You should discuss it on the private mailing list if you think it's a
> security issue
>
> Thanks,
> Ming Wen, Apache APISIX PMC Chair
> Twitter: _WenMing
>
>
> YuanSheng Wang <membp...@apache.org> wrote on Wed, Jan 26, 2022 at 12:53:
>
> > hi:
> >
> > We are trying to fix this issue, and we need to confirm one more thing:
> >
> > Do we need to release a new version of APISIX?
> >
> > Here is the list:
> > 1. master branch
> > 2. `2.12`: the latest version of APISIX
> > 3. `2.10`: the LTS version of APISIX
> >
> > I think it is a security issue. If your answer is YES too, then we need to
> > fix them all.
> >
> > What is your opinion?
> >
> >
> > On Wed, Jan 26, 2022 at 11:52 AM Chao Zhang <zchao1...@gmail.com> wrote:
> >
> > > What about preventing APISIX from starting if the admin token is
> > > absent, and only allow running if the user runs APISIX with the flag
> > > `--allow-empty-admin-token` or whatever anything else.
> > >
> > > Best regards
> > > Chao Zhang
> > >
> > > https://github.com/tokers
> > >
> > >
> > > On Tue, Jan 25, 2022 at 4:28 PM Ming Wen <wenm...@apache.org> wrote:
> > > >
> > > > hello,
> > > > Apache APISIX has the fixed token of the admin API in the configuration
> > > > file[1].
> > > > While we strongly recommend that users change this token, this is a
> > > > security risk anyway. We should use a more elegant solution to actively
> > > > solve this problem.
> > > >
> > > > My solution is:
> > > > 1. Remove these fixed tokens and change the default value to empty
> > > > 2. When Apache APISIX starts, if the token is found to be empty, it
> > > > will automatically generate a random token, and print the hint
> > > > information on the screen and in the log: random token is only
> > > > applicable to the test environment, please use a custom token in the
> > > > generation environment and write it into the configuration file.
> > > > 3. The admin API does not accept the empty token.
> > > >
> > > > In this way, it will not affect the previous version, nor will it
> > > > affect the developer's experience of Apache APISIX, and it enhances
> > > > security.
> > > >
> > > > What do you think?
> > > >
> > > >
> > > > [1]
> > > > https://github.com/apache/apisix/blob/master/conf/config-default.yaml#L87-L100
> > > >
> > > > Thanks,
> > > > Ming Wen, Apache APISIX PMC Chair
> > > > Twitter: _WenMing
> > > >
> >
> > --
> > *MembPhis*
> > My GitHub: https://github.com/membphis
> > Apache APISIX: https://github.com/apache/apisix
>
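As an added illustration of the startup policy discussed in this thread (the three steps in Ming Wen's proposal plus Chao Zhang's refuse-to-start variant), written for this page and not code from APISIX itself, here is a small Python model. It assumes a configuration dict with an `admin_key` list of `{"key": ...}` entries mirroring the shape of `config-default.yaml`, and a hypothetical `allow_random_token` switch standing in for the suggested `--allow-empty-admin-token` flag; all sample values are constructed.

```python
import hmac
import logging
import secrets

# Added example, not APISIX's own code: models the proposed admin-token policy.
logger = logging.getLogger("admin-token-demo")

RANDOM_TOKEN_HINT = (
    "admin_key is empty; a random admin token was generated for this run. "
    "A random token is only suitable for test environments: set a custom "
    "admin_key in the configuration file for production."
)


def configured_admin_keys(config: dict) -> list:
    """Collect non-empty admin keys from a config dict shaped like
    {"admin_key": [{"key": "..."}]} (assumed layout, mirroring the YAML)."""
    entries = config.get("admin_key") or []
    return [e.get("key", "") for e in entries if isinstance(e, dict) and e.get("key")]


def resolve_admin_token(config: dict, allow_random_token: bool = True,
                        rng=secrets.token_urlsafe) -> str:
    """Decide the admin token at startup.

    Step 1: the shipped default is empty, so an unchanged config yields no key.
    Step 2: with allow_random_token=True, generate a random token and print the
            hint on screen and in the log.
    Variant (Chao Zhang): with allow_random_token=False, refuse to start instead.
    `rng` is injectable so the behaviour can be tested deterministically.
    """
    keys = configured_admin_keys(config)
    if keys:
        return keys[0]
    if not allow_random_token:
        # The startup wrapper would turn this into a non-zero exit.
        raise RuntimeError("admin_key is empty; refusing to start "
                           "(pass the allow-empty-admin-token option to override)")
    token = rng(32)  # 32 random bytes, URL-safe encoded
    print(RANDOM_TOKEN_HINT)
    logger.warning(RANDOM_TOKEN_HINT)
    return token


def admin_api_authorized(expected_token: str, presented_token) -> bool:
    """Step 3: the admin API never accepts an empty token, on either side.

    Non-empty tokens are compared in constant time to avoid leaking the
    expected value through timing differences.
    """
    if not expected_token or not presented_token:
        return False
    if not isinstance(presented_token, str):
        return False
    return hmac.compare_digest(expected_token, presented_token)


if __name__ == "__main__":
    # Constructed sample: unchanged default config with an empty key.
    empty_config = {"admin_key": [{"key": ""}]}
    token = resolve_admin_token(empty_config)
    print("authorized with generated token:", admin_api_authorized(token, token))
    print("authorized with empty token:", admin_api_authorized(token, ""))
```

The injectable `rng` and the explicit empty-token rejection are the two points worth keeping from the model: the first makes the random-token path testable, the second guarantees that a deployment which removed the fixed token but never set its own does not end up with an admin API that accepts a blank header.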