Regarding setting the admin token to empty, I think it would be more flexible to replace it with an environment variable. Users can modify the admin token through system environment variables. If the environment variable is not read, APISIX will at that point generate a random token for it and print it on standard output and in the logs.
Chao Zhang <zchao1...@gmail.com> wrote on Wed, Jan 26, 2022 at 16:32:

> Hi,
>
> > > only allow running if user run APISIX with the flag
> > > `--allow-empty-admin-token` or whatever anything else.
> >
> > I wonder what the use case for this would be. If the user wants to run "in
> > production", they should provide the token themselves. On the other hand,
> > if the user wants a quick try, they can always run it, and APISIX will
> > generate the token. If they don't know about the flag, then it won't help
> > them. It's helpful only if the flag is the default, which is a security
> > issue and what we want to avoid in the first place.
>
> Fair enough.
>
> > > and write into the configuration file.
> >
> > I don't know much about how APISIX works, but it means the process needs to
> > have write permission on the file. While read permission is required, I
> > don't know if the process can already write. Imagine a scenario where the
> > APISIX process has been compromised by a malicious actor. They could write
> > their own security token and keep their privileges across restarts.
>
> Agree, writing back to the file might suffer from permission
> problems, such as when people deploy Apache APISIX on Kubernetes and mount
> the config.yaml through a ConfigMap: if the permission is read only,
> Apache APISIX cannot write it.
>
> HashiCorp Vault also requires the token to access the vault cluster;
> one can use the environment variable "VAULT_TOKEN" to specify it.
> Personally, I think using env will be better than writing it back to the
> configuration file. What's more, rendering the configuration file in
> Apache APISIX is supported: the value of the admin token can be set to the
> template variable which refers to the env, and we can generate /
> regenerate the admin token through the APISIX cli.
>
> Best regards
> Chao Zhang
>
> https://github.com/tokers
>
> On Wed, Jan 26, 2022 at 4:21 PM Nicolas Frankel <nico...@api7.ai> wrote:
> >
> > Hello,
> >
> > I'm a newcomer to APISIX, so please forgive my potential
> > misunderstanding(s).
> >
> > I've two comments:
> >
> > > only allow running if user run APISIX with the flag
> > > `--allow-empty-admin-token` or whatever anything else.
> >
> > I wonder what the use case for this would be. If the user wants to run "in
> > production", they should provide the token themselves. On the other hand,
> > if the user wants a quick try, they can always run it, and APISIX will
> > generate the token. If they don't know about the flag, then it won't help
> > them. It's helpful only if the flag is the default, which is a security
> > issue and what we want to avoid in the first place.
> >
> > > and write into the configuration file.
> >
> > I don't know much about how APISIX works, but it means the process needs to
> > have write permission on the file. While read permission is required, I
> > don't know if the process can already write. Imagine a scenario where the
> > APISIX process has been compromised by a malicious actor. They could write
> > their own security token and keep their privileges across restarts.
> >
> > On Wed, Jan 26, 2022 at 8:53 AM Bozhong Yu <imbozh...@gmail.com> wrote:
> > >
> > > Agree with this enhancement.
> > >
> > > Ming Wen <wenm...@apache.org> wrote on Wed, Jan 26, 2022 at 14:19:
> > > >
> > > > I think it is a security issue.
> > > > You should discuss it on the private mailing list if you think it's a
> > > > security issue.
> > > >
> > > > Thanks,
> > > > Ming Wen, Apache APISIX PMC Chair
> > > > Twitter: _WenMing
> > > >
> > > >
> > > > YuanSheng Wang <membp...@apache.org> wrote on Wed, Jan 26, 2022 at 12:53:
> > > > >
> > > > > hi:
> > > > >
> > > > > We are trying to fix this issue, and we need to confirm one more thing:
> > > > >
> > > > > Do we need to release a new version of APISIX?
> > > > >
> > > > > Here is the list:
> > > > > 1. master branch
> > > > > 2. `2.12`: the latest version of APISIX
> > > > > 3. `2.10`: the LTS version of APISIX
> > > > >
> > > > > I think it is a security issue. If your answer is YES too, then we need to
> > > > > fix them all.
> > > > >
> > > > > What is your opinion?
> > > > >
> > > > >
> > > > > On Wed, Jan 26, 2022 at 11:52 AM Chao Zhang <zchao1...@gmail.com> wrote:
> > > > > >
> > > > > > What about preventing APISIX from starting if the admin token is
> > > > > > absent, and only allow running if user run APISIX with the flag
> > > > > > `--allow-empty-admin-token` or whatever anything else.
> > > > > >
> > > > > > Best regards
> > > > > > Chao Zhang
> > > > > >
> > > > > > https://github.com/tokers
> > > > > >
> > > > > >
> > > > > > On Tue, Jan 25, 2022 at 4:28 PM Ming Wen <wenm...@apache.org> wrote:
> > > > > > >
> > > > > > > hello,
> > > > > > > Apache APISIX has the fixed token of admin API in the configuration
> > > > > > > file[1].
> > > > > > > While we strongly recommend that users change this token, this is a
> > > > > > > security risk anyway. We should use a more elegant solution to actively
> > > > > > > solve this problem.
> > > > > > >
> > > > > > > My solution is:
> > > > > > > 1. Remove these fixed tokens and change the default value to empty
> > > > > > > 2. When Apache APISIX starts, if the token is found to be empty, it
> > > > > > > will automatically generate a random token, and print the hint
> > > > > > > information on the screen and in the log: the random token is only
> > > > > > > applicable to the test environment, please use a custom token in the
> > > > > > > generation environment and write it into the configuration file.
> > > > > > > 3. The admin API does not accept the empty token.
> > > > > > >
> > > > > > > In this way, it will not affect the previous version, nor will it
> > > > > > > affect the developer's experience of Apache APISIX, and it enhances
> > > > > > > security.
> > > > > > >
> > > > > > > What do you think?
> > > > > > >
> > > > > > >
> > > > > > > [1]
> > > > > > > https://github.com/apache/apisix/blob/master/conf/config-default.yaml#L87-L100
> > > > > > >
> > > > > > > Thanks,
> > > > > > > Ming Wen, Apache APISIX PMC Chair
> > > > > > > Twitter: _WenMing
> > > > > > >
> > > > >
> > > > >
> > > > > --
> > > > >
> > > > > *MembPhis*
> > > > > My GitHub: https://github.com/membphis
> > > > > Apache APISIX: https://github.com/apache/apisix
> > > > >

--
Thanks,
Janko
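The startup logic the thread converges on (env var first, then config file, then a random in-memory token, with the admin API refusing empty keys), as an added illustration that is not part of this thread or of APISIX's own code base; the variable name APISIX_ADMIN_KEY and the flat `admin_key` config field are assumptions:

```python
import hmac
import logging
import os
import secrets

# Assumed names (not APISIX's real configuration keys): the env var
# APISIX_ADMIN_KEY and a flat "admin_key" string in the parsed config.
ENV_VAR = "APISIX_ADMIN_KEY"
log = logging.getLogger("apisix.admin")


def resolve_admin_token(config, env=None):
    """Pick the admin token at startup and report where it came from.

    Order: environment variable, then the config file, then a random token
    held only in memory. Nothing is written back to config.yaml, so a
    read-only ConfigMap still works and a compromised process cannot
    persist a token of its own choosing across restarts.
    """
    env = os.environ if env is None else env
    token = (env.get(ENV_VAR) or "").strip()
    if token:
        return token, "env"
    token = (config.get("admin_key") or "").strip()
    if token:
        return token, "config"
    token = secrets.token_hex(16)  # 128 random bits from the OS CSPRNG
    log.warning(
        "no admin token configured; generated one for this run only "
        "(test use). Set %s for production.", ENV_VAR,
    )
    print("admin token (generated, test use only): " + token)
    return token, "generated"


def admin_request_allowed(expected, presented):
    """Admin API gate: an empty or missing key is always rejected, and the
    comparison is constant-time so response timing does not leak the token."""
    if not expected or not presented:
        return False
    return hmac.compare_digest(expected.encode(), presented.encode())
```

Because the generated token lives only in the process, each restart without the env var or config value yields a fresh token, which is exactly the "test only" behaviour the proposal describes.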