I agree with you

Yong Qian <qiany...@api7.ai> wrote on Wed, Jan 26, 2022 at 10:57:

> Agree with this improvement, the default fixed token poses a significant
> security risk.
>
> On 1/26/22 10:08, JinChao Shuai wrote:
> > I think the solution is feasible and can greatly improve the security of
> > APISIX.
> >
> > Baoyuan <baoyuan....@gmail.com> wrote on Tue, Jan 25, 2022 at 21:25:
> >
> >> Strongly agree that this can greatly reduce the security risk of APISIX.
> >>
> >>> please use a custom token in the generation environment and
> >>> write into the configuration file.
> >>
> >> Do we need to provide this function to help users do it?
> >>
> >> Ming Wen <wenm...@apache.org> wrote on Tue, Jan 25, 2022 at 16:28:
> >>
> >>> hello,
> >>> Apache APISIX has the fixed token of admin API in the configuration
> >>> file[1].
> >>> While we strongly recommend that users change this token, this is a
> >>> security risk anyway. We should use a more elegant solution to actively
> >>> solve this problem.
> >>>
> >>> My solution is:
> >>> 1. Remove these fixed tokens and change the default value to empty
> >>> 2. When Apache APISIX starts, if the token is found to be empty, it
> >>> will automatically generate a random token, and print the hint information
> >>> on the screen and in the log: random token is only applicable to the test
> >>> environment, please use a custom token in the generation environment and
> >>> write into the configuration file.
> >>> 3. The admin API does not accept the empty token.
> >>>
> >>> In this way, it will not affect the previous version, nor will it
> >>> affect the developer's experience of Apache APISIX, and enhance the
> >>> security.
> >>>
> >>> What do you think?
> >>>
> >>>
> >>> [1]
> >>> https://github.com/apache/apisix/blob/master/conf/config-default.yaml#L87-L100
> >>>
> >>> Thanks,
> >>> Ming Wen, Apache APISIX PMC Chair
> >>> Twitter: _WenMing
> >>>
> >
>
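To make the three proposed steps concrete, here is an added Python sketch of the startup and request-check logic; it is illustrative code written for this thread, not APISIX's own implementation, and the function names, the log text and the constructed config value are assumptions.

```python
import hmac
import logging
import secrets

# Hypothetical helper names; none of this is APISIX code.
logging.basicConfig(level=logging.INFO)
log = logging.getLogger("admin-key")

RANDOM_KEY_HINT = ("random token is only applicable to the test environment; "
                   "set a custom token in the configuration file for production")


def resolve_admin_key(configured_key):
    """Steps 1 and 2 of the proposal: the shipped default is empty, and an
    empty key is replaced at startup by a freshly generated random one,
    with the hint printed to the log. Returns (active_key, was_generated)."""
    if configured_key:
        return configured_key, False
    generated = secrets.token_urlsafe(32)  # CSPRNG, 256 bits of entropy
    log.warning("admin key not configured, generated a random one: %s", generated)
    log.warning(RANDOM_KEY_HINT)
    return generated, True


def admin_request_allowed(presented_key, active_key):
    """Step 3 of the proposal: the admin API never accepts an empty token.
    Without the explicit emptiness check, a naive "" == "" comparison would
    let an unauthenticated request through whenever the key was left blank.
    The constant-time compare avoids leaking the key through timing."""
    if not presented_key or not active_key:
        return False
    return hmac.compare_digest(presented_key.encode(), active_key.encode())


if __name__ == "__main__":
    # Constructed sample: a blank config value, as the new default would be.
    key, generated = resolve_admin_key("")
    print("generated:", generated, "accepts own key:", admin_request_allowed(key, key))
    print("accepts empty token:", admin_request_allowed("", key))
```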