Regarding setting the admin token to empty, I think it would be more
flexible to replace it with an environment variable. Users can modify the
admin token through system environment variables. If the environment
variable is not read, APISIX will at that point generate a random token
for it and prompt
Hi,
> only allow it to run if the user runs APISIX with the flag
> > `--allow-empty-admin-token` or whatever else.
> >
> I wonder what the use case for this would be. If the user wants to run "in
> production", they should provide the token themselves. On the other hand,
> if the user wants a q
Hello,
I'm a newcomer to APISIX, so please forgive my potential
misunderstanding(s).
I've two comments:
only allow it to run if the user runs APISIX with the flag
> `--allow-empty-admin-token` or whatever else.
>
I wonder what the use case for this would be. If the user wants to run "in
produ
Agree with this enhancement.
Ming Wen wrote on Wed, Jan 26, 2022 at 14:19:
> > I think it is a security issue.
> You should discuss it on the private mailing list if you think it's a
> security issue
>
> Thanks,
> Ming Wen, Apache APISIX PMC Chair
> Twitter: _WenMing
>
>
> YuanSheng Wang wrote on Wed, Jan 26, 2022 at 12:53
> I think it is a security issue.
You should discuss it on the private mailing list if you think it's a
security issue
Thanks,
Ming Wen, Apache APISIX PMC Chair
Twitter: _WenMing
YuanSheng Wang wrote on Wed, Jan 26, 2022 at 12:53:
> hi:
>
> We are trying to fix this issue, and we need to confirm one more th
hi:
We are trying to fix this issue, and we need to confirm one more thing:
Do we need to release a new version of APISIX?
Here is the list:
1. master branch
2. `2.12`: the latest version of APISIX
3. `2.10`: the LTS version of APISIX
I think it is a security issue. If your answer is YES too, t
What about preventing APISIX from starting if the admin token is
absent, and only allowing it to run if the user runs APISIX with the flag
`--allow-empty-admin-token` or whatever else.
Best regards
Chao Zhang
https://github.com/tokers
On Tue, Jan 25, 2022 at 4:28 PM Ming Wen wrote:
>
> hello,
>
Agree, or we can only accept a fixed token when `apisix.enable_dev_mode = true`,
which needs to be enabled manually. Otherwise, we should generate a new token
instead.
Leslie Tsang
leslie.ts...@icloud.com
> On 26 Jan 2022, at 11:06 AM, Zeping Bai wrote:
>
> Agree to a scheme that removes fixe
Some additional ideas for this solution:
1. If the user is still using the previous fixed token, we should print
a warning- or error-level log to hint the user to replace it
2. If a user deploys a new node based on an APISIX cluster, two admin
API tokens may appear. We should give obvious hints
Agree to a scheme that removes fixed tokens and generates random tokens at
startup.
Best regards!
Zeping Bai @bzp2010
Ming Wen wrote on Tue, Jan 25, 2022 at 16:28:
> hello,
> Apache APISIX has the fixed token of admin API in the configuration
> file[1].
> While we strongly recommend that users chang
I agree with you
Yong Qian wrote on Wed, Jan 26, 2022 at 10:57:
> Agree with this improvement, the default fixed token poses a significant
> security risk.
>
> On 1/26/22 10:08, JinChao Shuai wrote:
> > I think the solution is feasible and can greatly improve the security of
> > APISIX.
> >
> > Baoyuan wrote on 2022
Agree with this improvement, the default fixed token poses a significant
security risk.
On 1/26/22 10:08, JinChao Shuai wrote:
I think the solution is feasible and can greatly improve the security of
APISIX.
Baoyuan wrote on Tue, Jan 25, 2022 at 21:25:
Strongly agree that this can greatly reduce the secu
I think the solution is feasible and can greatly improve the security of
APISIX.
Baoyuan wrote on Tue, Jan 25, 2022 at 21:25:
> Strongly agree that this can greatly reduce the security risk of APISIX.
>
> > > please use a custom token in the generation environment and
> > > write it into the configuration file.
>
> Do
Strongly agree that this can greatly reduce the security risk of APISIX.
> please use a custom token in the generation environment and
> write it into the configuration file.
Do we need to provide this function to help users do it?
Ming Wen wrote on Tue, Jan 25, 2022 at 16:28:
> hello,
> Apache APISIX has th
hello,
Apache APISIX has a fixed admin API token in the configuration
file[1].
While we strongly recommend that users change this token, it is a
security risk anyway. We should use a more elegant solution to actively
solve this problem.
My solution is:
1. Remove these fixed
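Pulling the proposals in this thread together (the environment variable, the `--allow-empty-admin-token` flag, accepting the fixed token only under `apisix.enable_dev_mode`, the warning when the old fixed token is still in use, and the random token generated at startup), the following is an added Python sketch of the resulting startup policy. It is example code written for this page, not APISIX's own Lua implementation; the variable name `APISIX_ADMIN_KEY`, the placeholder value of `KNOWN_FIXED_TOKEN` and the function names are assumptions, and the real default token is intentionally not reproduced.

```python
import secrets
from dataclasses import dataclass, field

# Constructed stand-in for the well-known token shipped in the default
# configuration file; the real default is deliberately not reproduced here.
KNOWN_FIXED_TOKEN = "example-well-known-default-token"

# Name of the environment variable is an assumption for this example only.
ENV_VAR = "APISIX_ADMIN_KEY"


class AdminTokenError(Exception):
    """Startup must be refused because of the admin API token."""


@dataclass
class AdminToken:
    value: str
    source: str                      # "env", "config" or "generated"
    warnings: list = field(default_factory=list)


def resolve_admin_token(config_token, environ, dev_mode=False, allow_empty=False):
    """Decide which admin API token this node starts with.

    Precedence: environment variable, then the configuration file. The
    well-known fixed token is refused outright unless dev_mode is on, and
    even then it is only accepted with a warning. No token at all refuses
    startup unless allow_empty is set (the --allow-empty-admin-token idea
    from the thread), in which case a random 256-bit token is generated and
    reported so the operator can record it.
    """
    env_value = (environ.get(ENV_VAR) or "").strip()
    cfg_value = (config_token or "").strip()

    if env_value:
        candidate, source = env_value, "env"
    elif cfg_value:
        candidate, source = cfg_value, "config"
    else:
        candidate, source = "", "generated"

    warnings = []

    if candidate == KNOWN_FIXED_TOKEN:
        if not dev_mode:
            raise AdminTokenError(
                f"admin token from {source} is the well-known default; "
                "set a custom token or enable dev mode for local testing")
        warnings.append(
            "admin token is the well-known default; accepted only because "
            "dev mode is on, never run production like this")
        return AdminToken(candidate, source, warnings)

    if not candidate:
        if not allow_empty:
            raise AdminTokenError(
                "no admin token configured; set one, or start with "
                "--allow-empty-admin-token to have one generated")
        candidate = secrets.token_hex(32)
        warnings.append(
            "generated a random admin token for this node; record it and "
            "configure the same token on every node of the cluster, "
            "otherwise each new node will answer to a different token")

    return AdminToken(candidate, source, warnings)


def refuses_to_start(config_token, environ, **options):
    """True if resolve_admin_token would refuse startup for these inputs."""
    try:
        resolve_admin_token(config_token, environ, **options)
    except AdminTokenError:
        return True
    return False


if __name__ == "__main__":
    # Demonstrate each path with constructed inputs.
    print(resolve_admin_token("", {ENV_VAR: "operator-provided-secret"}))
    print(resolve_admin_token(KNOWN_FIXED_TOKEN, {}, dev_mode=True))
    print(resolve_admin_token("", {}, allow_empty=True))
    print("refuses default in prod:", refuses_to_start(KNOWN_FIXED_TOKEN, {}))
    print("refuses empty without flag:", refuses_to_start("", {}))
```

The environment variable wins over the file so one image can be deployed with a different token per environment, the known default is a hard failure rather than a warning outside dev mode, and the generated-token warning carries the cluster caveat raised in the thread: a node that generates its own token will not share it with the rest of the cluster unless the operator copies it over.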