Only default redis username is sent when using --redis_cluster_connection_urls #2020

Closed
henriduflot opened this issue Feb 17, 2023 · 5 comments


henriduflot commented Feb 17, 2023

I tried to connect oauth2-proxy to a Redis cluster by providing the username and password inside the redis_cluster_connection_urls parameter, but I can't use a specific username.

config.cfg

### REDIS CONFIG ###
session_store_type="redis"
redis_use_cluster=true
redis_cluster_connection_urls="redis://username:password@cluster-hostname:7000"

Expected Behavior

oauth2-proxy should authenticate on redis with provided username and password

Current Behavior

Instead of 'username', the authentication is done with 'default'.

Note: the username:password configuration works well when used with redis_connection_url (non-cluster mode).

The only way to make it work is to use the redis_password parameter, but then I can't use a specific username (default is used):

### REDIS CONFIG ###
session_store_type="redis"
redis_use_cluster=true
redis_cluster_connection_urls="redis://cluster-hostname:7000"
redis_password="password"

Steps to Reproduce (for bugs)

Use a redis cluster and provide username/password inside the redis_cluster_connection_urls

Context

Your Environment

  • oauth2-proxy: v7.4.0.linux-amd64
  • Redis : 6.0.14
@henriduflot
Author

I'm not very comfortable with the Go language. Would it be enough to simply add the Username parameter here?

// buildClusterClient makes a redis.Client that is Redis Cluster aware
func buildClusterClient(opts options.RedisStoreOptions) (Client, error) {
	addrs, opt, err := parseRedisURLs(opts.ClusterConnectionURLs)
	if err != nil {
		return nil, fmt.Errorf("could not parse redis urls: %v", err)
	}
	if err := setupTLSConfig(opts, opt); err != nil {
		return nil, err
	}
	client := redis.NewClusterClient(&redis.ClusterOptions{
		Addrs:           addrs,
		Password:        opts.Password,
		TLSConfig:       opt.TLSConfig,
		ConnMaxIdleTime: time.Duration(opts.IdleTimeout) * time.Second,
	})
	return newClusterClient(client), nil
}

For information, here is how it is done for the standalone mode. I think opt already contains the username parameter parsed from connection_url:

// buildStandaloneClient makes a redis.Client that connects to a simple
// Redis node
func buildStandaloneClient(opts options.RedisStoreOptions) (Client, error) {
	opt, err := redis.ParseURL(opts.ConnectionURL)
	if err != nil {
		return nil, fmt.Errorf("unable to parse redis url: %s", err)
	}
	if opts.Password != "" {
		opt.Password = opts.Password
	}
	if err := setupTLSConfig(opts, opt); err != nil {
		return nil, err
	}
	opt.ConnMaxIdleTime = time.Duration(opts.IdleTimeout) * time.Second
	client := redis.NewClient(opt)
	return newClient(client), nil
}

@JoelSpeed
Member

Looks like it, the go-redis struct (https://pkg.go.dev/github.com/go-redis/redis/v9#ClusterOptions) has a username field, so we would need to pass something through to that

@henriduflot
Author

I built the app with this fix:

	if opts.Password != "" {
		opt.Password = opts.Password
	}

	client := redis.NewClusterClient(&redis.ClusterOptions{
		Addrs:           addrs,
		Password:        opt.Password,
		Username:        opt.Username,
		TLSConfig:       opt.TLSConfig,
		ConnMaxIdleTime: time.Duration(opts.IdleTimeout) * time.Second,
	})
	return newClusterClient(client), nil

I checked with different configuration cases:

  • With username and password in url: 🆗
    redis_use_cluster=true
    redis_cluster_connection_urls="redis://default:secret@redis-cluster"
  • With username in url and password as variable: 🆗
    redis_use_cluster=true
    redis_cluster_connection_urls="redis://default@redis-cluster"
    redis_password="secret"
  • With password in variable but without username: 🆗
    redis_use_cluster=true
    redis_cluster_connection_urls="redis://redis-cluster"
    redis_password="secret"

Given the above tests, it should not have a negative impact. But like I said, I'm not a developer.
Do you think I can submit a Pull Request with the fix?
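
Added example, not part of the comment above and not oauth2-proxy code: a standard-library sketch of the credential precedence the fix aims for, next to the behaviour reported in this issue, showing which Redis ACL user each one ends up authenticating as. `Creds`, `resolveCreds`, `authUser` and `beforeFix` are hypothetical names, and `net/url` stands in for go-redis URL parsing.

```go
package main

import (
	"fmt"
	"net/url"
)

// Creds is what the client would present to Redis.
type Creds struct{ Username, Password string }

// resolveCreds (hypothetical) takes username and password from the URL and
// lets a non-empty redis_password override the URL password.
func resolveCreds(rawURL, redisPassword string) (Creds, error) {
	u, err := url.Parse(rawURL)
	if err != nil {
		return Creds{}, fmt.Errorf("could not parse redis url: %w", err)
	}
	if u.Scheme != "redis" && u.Scheme != "rediss" {
		return Creds{}, fmt.Errorf("unsupported scheme %q", u.Scheme)
	}
	var c Creds
	if u.User != nil {
		c.Username = u.User.Username()
		c.Password, _ = u.User.Password()
	}
	if redisPassword != "" {
		c.Password = redisPassword
	}
	return c, nil
}

// authUser reports the ACL user a connection runs as: without a username,
// Redis 6 treats the connection as the built-in "default" user.
func authUser(c Creds) string {
	if c.Username == "" {
		return "default"
	}
	return c.Username
}

// beforeFix models the reported cluster path: only redis_password is used.
func beforeFix(_ string, redisPassword string) Creds {
	return Creds{Password: redisPassword}
}

func main() {
	const u = "redis://username:password@cluster-hostname:7000" // from the report
	fixed, _ := resolveCreds(u, "")
	fmt.Println("before:", authUser(beforeFix(u, "")), "after:", authUser(fixed))
}
```
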

@github-actions
Contributor

This issue has been inactive for 60 days. If the issue is still relevant please comment to re-activate the issue. If no action is taken within 7 days, the issue will be marked closed.

@github-actions github-actions bot added the Stale label Apr 24, 2023
@github-actions github-actions bot closed this as not planned Won't fix, can't repro, duplicate, stale May 1, 2023
@tuunit tuunit removed the Stale label Jan 10, 2024
@tuunit tuunit reopened this Jan 10, 2024
Contributor

This issue has been inactive for 60 days. If the issue is still relevant please comment to re-activate the issue. If no action is taken within 7 days, the issue will be marked closed.

@github-actions github-actions bot added the Stale label Mar 12, 2024
@github-actions github-actions bot closed this as not planned Won't fix, can't repro, duplicate, stale Mar 22, 2024