rpc: Support -rpcauthfile argument#20407
Conversation
|
How is this different from includeconf with the rpcauth in it as the only content? |
|
@MarcoFalke I thought about suggesting that but main issue is that Maybe @ruimarinho and @NicolasDorier can weight on the the approach. |
This argument is similar to -rpcauth but takes the value from the specified file content
To be used with -rpcauthfile
promag
force-pushed
the
2020-11-rpcauthfile
branch
from
8a3b62c to
ff5d7fa
Compare
ryanofsky
left a comment
ryanofsky
left a comment
There was a problem hiding this comment.
This seems like a reasonable option to add.
Allowing -includeconf to be specified on the command line would also be reasonable way to help address #20387.
However, both of these approaches seem more cumbersome to use and implement than the -norpccookiegenerate option suggested #20387 (comment).
It seems like that option could be implemented with simple logic like:
bool have_cookie = GetBoolArg("-rpccookiegenerate", true) ? GenerateAuthCookie(&cookie) : GetAuthCookie(&cookie);and unlike the rpcauth value, the cookie value would be automatically picked up by bitcoin-cli client and potentially the electrs client. There wouldn't be a need to generate username, password, and hashed auth strings, pass the hashed auth string to the server, and pass the username and password strings to each client separately. The cookie value could be any random string with no need for hashing at all and placed in a common location where it is available to the server and every client that needs to read it.
| for (std::string rpcauth : gArgs.GetArgs("-rpcauth")) { | ||
| std::vector<std::string> fields; | ||
| boost::split(fields, rpcauth, boost::is_any_of(":$")); | ||
| if (fields.size() == 3) g_rpcauth.push_back(fields); |
There was a problem hiding this comment.
I guess it's a preexisting problem, but lack of any error feedback when the syntax is wrong seems like a usability nightmare
There was a problem hiding this comment.
Yeah it is, can be improved.
There was a problem hiding this comment.
Actually I think I'll do it in this branch, -rpcauth values are now processed once.
There was a problem hiding this comment.
Such an -rpccookiegenerate=false option is what I had in mind in #20387. I would prefer that exactly for the simplicity of using an arbitrary string as cookie (which I can share via Docker's secret mechanism).
There was a problem hiding this comment.
Syntax isn't necessarily wrong. It could be a 4th field added (eg, Knots uses it to restrict access to the named wallet).
A debug log line can't hurt though.
|
Your approach doesn't support multiple credentials. I also see the cookie as a local authentication mechanism. |
|
Kind of meh on adding yet another RPC authentication method that's only a slight variation from the other ones, but as long as it (and all combinatorial options it opens up) are tested sufficiently I'm not strongly against it either. |
|
@laanwj while @ryanofsky approach is indeed simple (just misses the detail of not erasing cookie file on shutdown) it doesn't support different users with different whitelists. Also note that @ryanofsky approach changes cookie semantic - the cookie is available while the daemon is running. I'd even limit cookie authentication to loopback interface.
@ryanofsky executing
@ryanofsky this is not really necessary. Looks like we should just add support for bearer authentication in addition to basic authentication. In this case we could support It just sounds reasonable to me to support different credentials and whitelists and make this easy to setup with docker containers and secrets. |
|
@promag sure, and thanks for implementing this. I just suggested the Also, it's been said a few times that I do agree with you that it would probably make sense to stop allowing cookie authentication from non-local connections by default. I also think the |
|
I'd say the advantage of |
Ok, this can be submitted on a separate branch. |
| std::getline(file, rpcauth); | ||
| std::vector<std::string> fields; | ||
| boost::split(fields, rpcauth, boost::is_any_of(":$")); | ||
| if (fields.size() == 3) g_rpcauth.push_back(fields); |
There was a problem hiding this comment.
In commit "rpc: Support -rpcauthfile argument" (10ef732)
I think this should refuse to load if the rpcauthfile isn't formatted correctly. Logging and error and returning false might be sufficient to do this.
I think an invalid -rpcauth option above should also trigger an error, or at least report an error, but it's pre-existing code so not directly related
There was a problem hiding this comment.
I think this should refuse to load
You mean the process should exit?
There was a problem hiding this comment.
re: #20407 (comment)
I think this should refuse to load
You mean the process should exit?
I would exit, but don't think it would be crazy not to exit, do think it would be crazy to silently ignore a configuration error giving no feedback. I am presuming returning false exits, but didn't check.
There was a problem hiding this comment.
See above, it's not necessarily an error
| if args.output: | ||
| file = open(args.output, "x") | ||
| file.write('{0}:{1}${2}'.format(args.username, salt, password_hmac)) | ||
| print('Your password:\n{0}'.format(args.password)) |
There was a problem hiding this comment.
In commit "rpcauth: Support storing credentials in a file" (ff5d7fa)
Same line is printed in else branch, could dedup.
| print('rpcauth={0}:{1}${2}'.format(args.username, salt, password_hmac)) | ||
| print('Your password:\n{0}'.format(args.password)) | ||
| if args.output: | ||
| file = open(args.output, "x") |
There was a problem hiding this comment.
In commit "rpcauth: Support storing credentials in a file" (ff5d7fa)
Doesn't really matter but
with open(args.output, "x") as file:
file.write(...)Is slightly better style because it ensures that the file is closed immediately after the write.
Also may wish to avoid file variable name and use something like f or fp since file is a builtin function.
|
The following sections might be updated with supplementary metadata relevant to reviewers and maintainers. ConflictsReviewers, this pull request conflicts with the following ones:
If you consider this pull request important, please also help to review the conflicting pull requests. Ideally, start with the one that should be merged first. |
| print('rpcauth={0}:{1}${2}'.format(args.username, salt, password_hmac)) | ||
| print('Your password:\n{0}'.format(args.password)) | ||
| if args.output: | ||
| file = open(args.output, "x") |
There was a problem hiding this comment.
I was thinking it should fail if the file already exists.
There was a problem hiding this comment.
Then how would you build a file with many lines?
| for (std::string rpcauth : gArgs.GetArgs("-rpcauth")) { | ||
| std::vector<std::string> fields; | ||
| boost::split(fields, rpcauth, boost::is_any_of(":$")); | ||
| if (fields.size() == 3) g_rpcauth.push_back(fields); |
There was a problem hiding this comment.
Syntax isn't necessarily wrong. It could be a 4th field added (eg, Knots uses it to restrict access to the named wallet).
A debug log line can't hurt though.
| std::getline(file, rpcauth); | ||
| std::vector<std::string> fields; | ||
| boost::split(fields, rpcauth, boost::is_any_of(":$")); | ||
| if (fields.size() == 3) g_rpcauth.push_back(fields); |
There was a problem hiding this comment.
See above, it's not necessarily an error
| print('rpcauth={0}:{1}${2}'.format(args.username, salt, password_hmac)) | ||
| print('Your password:\n{0}'.format(args.password)) | ||
| if args.output: | ||
| file = open(args.output, "x") |
There was a problem hiding this comment.
Needs to specify encoding
| file = open(args.output, "x") | |
| file = open(args.output, "x", encoding="utf8") |
| strRPCUserColonPass = gArgs.GetArg("-rpcuser", "") + ":" + gArgs.GetArg("-rpcpassword", ""); | ||
| } | ||
| if (gArgs.GetArg("-rpcauth","") != "") | ||
| if (gArgs.GetArg("-rpcauth", "") != "" || gArgs.GetArg("-rpcauthfile", "") != "") |
There was a problem hiding this comment.
This breaks the ability to set -rpcauth= to void all prior -rpcauth parameters.
|
🐙 This pull request conflicts with the target branch and needs rebase. Want to unsubscribe from rebase notifications on this pull request? Just convert this pull request to a "draft". |
There hasn't been much activity lately and the patch still needs rebase. What is the status here?
|
|
This has been in draft for ~ 2 years now. So I'm going to close it. Feel free to comment / ping if you'd like this re-opend. |
|
I'd vote for re-open. The underlying issue that bitcoind is inherently difficult to use with Docker secrets, because it can't read secrets from a file, is still present. See #20387. |
|
There's no point re-opening, if the author isn't working on it. If that's the case, we can mark it up for grabs, and someone else can pick it up (they could also just do that now). |
8 participants
This argument is similar to -rpcauth but takes the value from the specified file content and can be specified from the command line.
Fixes #20387.