JSON from private host addresses #4193
Comments
|
We recently had this discussion already: https://discuss.redash.io/t/error-running-query-cant-query-private-addresses/4568/. Copying my reply over here for simplicity:
This is to avoid people using the JSON data source to access information they are not supposed to, like AWS metadata API.
Happy to accept a PR that makes this behavior configurable with an environment variable. Just note that if you disable this check, you need to trust whoever you allow running queries in your system. |
|
Update 2019-11-21: environment variable is simpler and easier to understand |
|
This makes zero sense to me. A product designed to monitor private infrastructure can't monitor private infrastructure? I don't think it's up to redash to arbitrarily to decide what's allowed to be monitored or not. To address the security concerts:
If the a user can access and create queries on redash then surely they can also just make random Please rethink this, "security" should not trump usability and as OP said, if you can query postgres et al then why not json as well? |
We can have proper documentation around it. But the other option you suggested is fine as well. No need for env var, just have it in a separate file and we won't enable it by default. The implementation can definitely be shared between the two -- just add the needed configuration in the JSON one, and subclass it for the second. |
|
@kneufeld, I'm not sure we see the definition of Redash the same way. Also the solutions you suggested don't address the security issue I mentioned. Let me elaborate:
If the JSON data source wasn't preventing access to internal APIs any Redash user (with access to the JSON data source) could query the metadata API, get the instance's API keys and access the COOKIE SECRET. Using this they can impersonate other users in your system. While you might think that:
will solve this case, it's only applicable when you can trust the admins (who can edit this configuration). It's not always the case.
Because with Postgres you're given explicit access to explicit resources (defined by the user role in postgres). With JSON you're given an open cheque. |
|
I get your concerns but that's a big hammer for those of us that don't run in AWS and trust their coworkers. |
|
Maybe, but it's a really easy fix/change. A PR addressing this (in the way outlined above) is welcomed. |
|
A change to the get_response method in the BaseHTTPQueryRunner class is also needed as it is also doing the "is_private_address" check during the actual HTTP request. Is there any value in doing the same test twice? @loganprice - is this already spotted? |
Issue Summary
New JSON data source does not allow use with private host addresses. I get the error: "Can't query private addresses."
If databases can be hosted on internal DNS names why couldn't JSON data sources? Could this be made configurable?
Steps to Reproduce
On Docker the localhost URL will look like
url: http://host.docker.internal:5001/mydata/my_data.jsonExpected: As a developer I can view local JSON for testing new data sources or new application URLs.
Actual: Error on the query screen, "Can't query private addresses."
Technical details:
redash/redash:8.0.0-beta.2.b29352The error seems to come from:
redash/redash/query_runner/json_ds.py
Line 180 in 4c56900
Comments
I've tested a local copy of the container with this
raisecommented out, and everything works fine. I understand in PaaS or when Redash is externally visible, this is necessary to protect internal data sources. But I'm evaluating Redash to run inside my production cluster only accessible to internal users. A core use case is to surface data internal to the cluster (PostgreSql, MongoDB, JSON, and CSV) and control it via dashboard groups and permissions. If databases can be hosted on internal DNS names why couldn't JSON data sources? Could this be made configurable?The text was updated successfully, but these errors were encountered: