New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
removed group name and password checks from rest calls #13757
removed group name and password checks from rest calls #13757
Conversation
We should remove the passwords from |
@emre-aydin good catch 👍 I have removed them from |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Why don't we get rid of the POST body altogether?
No name & No password. It is very misleading, offering a false sense of security, and provides no functionality whatsoever. We direct a REST call to an IP:PORT that is meant for that cluster, the group-name is useless in this context. I strongly believe we should remove this check, removing it shouldn't break backward compatibility either.
@tkountis good idea actually, WDYT @emre-aydin and @mesutcelik? |
Sounds good to me. |
abe4f6f
to
1f6b04f
Compare
@tkountis @emre-aydin I have updated the PR according the Thomas' advices. PTAL. |
@hasancelik I think we should leave methods that change the member's state (such as cluster/node shutdown, force start etc.) as HTTP POST even though they require no parameters. |
@emre-aydin you are right, essentially |
d67953e
to
87c64ff
Compare
This looks good, can we add tests to verify backwards compatibility and to avoid any breaking change in the future? @hasancelik Regarding Emre's comment, GET vs POST for the state changing APIs, i agree that in the future we need to refactor the API to make it more REST friendly. The current state feels more like RPC rather than REST. Having a proper REST API will allow the |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM - please add some backwards comp tests.
@tkountis and @emre-aydin I have added tests to verify backwards compatibility and made some enhancements on REST call which has one parameter( |
Guys, we should not merge this unless we solve this: https://hazelcast.atlassian.net/wiki/spaces/PM/pages/147718270/Security+Concerns+on+Shutting+Down+Cluster+via+REST+API Currently one can shutdown a cluster, if he knows ip address and port of any hazelcast member. In hazelcast cloud, because there is no security/auth support of REST, we are still using group-name/password to secure REST. If you merge this PR, then the hazelcast cloud instance can be easily shutted down. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'm against merging this into 3.11 as it's too risky. It doesn't include solution based on JAAS authentication in the EE. (We have separate JAAS login modules config for members and clients.)
The change should be aligned with solution for #11867 (removing password check from clients).
This also deserves a proper design document.
@tkountis Even if we remove the password check in the future we should keep the group name check in place (as we do with members and clients). It'll be the safety belt which will prevent accidental operations on wrong cluster. |
Guys, I understand the concerns, but group info is not a security measure. However, I agree that this might need a proper PRD and we could hold it back for 3.11. |
@tkountis This is is not specific to hazelcast cloud. Any hazelcast instance can be shutdown with this endpoint even if you disable REST. We can not ask all users to intercept these calls. Group name/password may not be a proven security but it is better than nothing. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This PR request should not be merged till we propoes a security solution to the : https://hazelcast.atlassian.net/wiki/spaces/PM/pages/147718270/Security+Concerns+on+Shutting+Down+Cluster+via+REST+API
FYI, I've raised the priority of the REST API security work, it's now in the voting for 3.12 |
@hasancelik is this PR still valid? |
Closing, this PR was replaced by #14386. |
As Neil mentioned at the issue, when you make a REST call that does not contain
group-password
, it failed with{"status":"forbidden"}
. But starting with hazelcast-3.8.2 release, there is no need for a group password at member side.https://docs.hazelcast.org/docs/3.10.4/manual/html-single/index.html#cluster-groups-before-hazelcast-382
Current behaviour
I have started 3.10.4 member with only
groupName
config then make some REST calls:If you do not configure any
groupPassword
, you must usedev-pass
:I have removed
group-name
checks as well from handle methods then converted some of the methods which do not take any parameter intoGET
(/nodes
and/state
). You can use--data
as well, we are keeping POST methods of these two methods for backward-compatible by linking functionality(allowing both GET & POST):New behaviour
I have started 3.11-SS -which includes these changes- member then make some REST calls:
fixes https://github.com/hazelcast/hazelcast-boshrelease/issues/16 and #13753
After this PR merged we need to update our documentation. Reference Manual issue --> hazelcast/hazelcast-reference-manual#584