server: disable security on /api/v2/ when running insecure #86417
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
This change is |
knz
approved these changes
Aug 18, 2022
pkg/server/api_v2_auth.go
Outdated
| } | ||
|
|
||
| return username, sessionCookie, nil | ||
| return username, sessionCookie, 200, nil |
Previously, the session validation log in `/api/v2/` would still run even when the cluster was running in "insecure" mode. This made it cumbersome to test new features while developing, and also caused new challenges when developing DB Console features that use `/api/v2/` endpoints. Now, when the cluster has the insecure flag set to true, web session check failures won't cause failures on endpoints and the session username will be set to "root" automatically in the context. Release note (security update): HTTP API endpoints under the `/api/v2/` prefix, will allow requests through when the cluster is running in "insecure" mode. When the cluster is running in "insecure" mode requests to these endpoints will have the username set to "root". Release justification: low-risk high-benefit change to existing functionality.
dhartunian
force-pushed
the
api-v2-insecure-cookie-support
branch
from
c9e7d1d
to
109aac2
Compare
dhartunian
commented
Aug 18, 2022
There was a problem hiding this comment.
Reviewable status:
complete! 0 of 0 LGTMs obtained (waiting on @knz and @xinhaoz)
pkg/server/api_v2_auth.go line 351 at r1 (raw file):
Previously, knz (kena) wrote…
http.StatusOK?
Done.
|
TFTR bors r=knz |
|
Build succeeded: |
|
Encountered an error creating backports. Some common things that can go wrong:
You might need to create your backport manually using the backport tool. error creating merge commit from 109aac2 to blathers/backport-release-22.1-86417: POST https://api.github.com/repos/cockroachdb/cockroach/merges: 409 Merge conflict [] you may need to manually resolve merge conflicts with the backport tool. Backport to branch 22.1.x failed. See errors above. 🦉 Hoot! I am a Blathers, a bot for CockroachDB. My owner is otan. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Previously, the session validation log in
/api/v2/would still run even whenthe cluster was running in "insecure" mode. This made it cumbersome to test new
features while developing, and also caused new challenges when developing DB
Console features that use
/api/v2/endpoints.Now, when the cluster has the insecure flag set to true, web session check
failures won't cause failures on endpoints and the session username will be set
to "root" automatically in the context.
Release note (security update): HTTP API endpoints under the
/api/v2/prefix,will allow requests through when the cluster is running in "insecure" mode.
When the cluster is running in "insecure" mode requests to these endpoints will
have the username set to "root".
Release justification: low-risk high-benefit change to existing functionality.