/_status/vars is world readable

[korpa]

Describe the problem

Spin up a secure cluster with cli parameters

• --certs-dir=
• --advertise-addr=
• --join=
• --cache=
• --max-sql-memory=

To Reproduce

goto https://[ip]:8080/_status/vars

Expected behavior

• Endpoint is only accessable via authentication like basic-auth
  or
• A cli parameter e.g. --activate-status-vars=true is needed to activate it
  or
• At least a warning on https://www.cockroachlabs.com/docs/stable/security-overview.html that this endpoint is exposed to the world and a http proxy to secure this endpoint is needed.

Additional data / screenshots

Environment:

• CockroachDB version 20.1

Additional context

[blathers-crl]

Hello, I am Blathers. I am here to help you get the issue triaged.

Hoot - a bug! Though bugs are the bane of my existence, rest assured the wretched thing will get the best of care here.

I have CC'd a few people who may be able to assist you:

• @solongordon (found keywords: join)

If we have not gotten back to your issue within a few business days, you can try the following:

• Join our community slack channel and ask on #cockroachdb.
• Try find someone from here if you know they worked closely on the area and CC them.

_{🦉 Hoot! I am a Blathers, a bot for CockroachDB. My owner is otan.}

[solongordon]

@knz Sending this your way since I know you addressed similar security concerns in v20.1. Was this endpoint ever discussed during that work?

[knz]

Yes it was considered that the information exposed this way was not sensitive.

@korpa FYI there are multiple HTTP endpoints that are similarly world-readable. We always recommend suitable proxying / firewalling for best security.

[korpa]

@knz Ok. Thank you very much.

But then it should be mentioned on https://www.cockroachlabs.com/docs/stable/security-overview.html and maybe on https://www.cockroachlabs.com/docs/stable/recommended-production-settings.html

[knz]

@taroface can you lift this issue into a doc project?

[knz]

Superseded by #50472