Hello, I'm a newcomer to APISIX, so please forgive my potential misunderstanding(s).
I've two comments:

> only allow running if user run APISIX with the flag `--allow-empty-admin-token` or whatever anything else.

I wonder what the use case for this would be. If the user wants to run "in production", they should provide the token themselves. On the other hand, if the user wants a quick try, they can always run it, and APISIX will generate the token. If they don't know about the flag, then it won't help them. It's helpful only if the flag is the default, which is a security issue and what we want to avoid in the first place.

> and write into the configuration file.

I don't know much about how APISIX works, but it means the process needs to have write permission on the file. While read permission is required, I don't know if the process can already write. Imagine a scenario where the APISIX process has been compromised by a malicious actor. They could write their own security token and keep their privileges across restarts.

On Wed, Jan 26, 2022 at 8:53 AM Bozhong Yu <imbozh...@gmail.com> wrote:
> Agree with this enhancement.
>
> Ming Wen <wenm...@apache.org> wrote on Wed, Jan 26, 2022 at 14:19:
> >
> > I think it is a security issue.
> > You should discuss it on the private mailing list if you think it's a security issue
> >
> > Thanks,
> > Ming Wen, Apache APISIX PMC Chair
> > Twitter: _WenMing
> >
> >
> > YuanSheng Wang <membp...@apache.org> wrote on Wed, Jan 26, 2022 at 12:53:
> >
> > > hi:
> > >
> > > We are trying to fix this issue. and we need to confirm one more thing:
> > >
> > > Do we need to release a new version of APISIX?
> > >
> > > Here is the list:
> > > 1. master branch
> > > 2. `2.12`: the latest version of APISIX
> > > 3. `2.10`: the LTS version of APISIX
> > >
> > > I think it is a security issue. If your answer is YES too, then we need to fix them all.
> > >
> > > What is your opinion?
> > >
> > >
> > > On Wed, Jan 26, 2022 at 11:52 AM Chao Zhang <zchao1...@gmail.com> wrote:
> > >
> > > > What about preventing APISIX from starting if the admin token is absent, and only allow running if user run APISIX with the flag `--allow-empty-admin-token` or whatever anything else.
> > > >
> > > > Best regards
> > > > Chao Zhang
> > > >
> > > > https://github.com/tokers
> > > >
> > > >
> > > > On Tue, Jan 25, 2022 at 4:28 PM Ming Wen <wenm...@apache.org> wrote:
> > > >
> > > > > hello,
> > > > > Apache APISIX has the fixed token of admin API in the configuration file[1].
> > > > > While we strongly recommend that users change this token, this is a security risk anyway. We should use a more elegant solution to actively solve this problem.
> > > > >
> > > > > My solution is:
> > > > > 1. Remove these fixed tokens and change the default value to empty
> > > > > 2. When Apache APISIX starts, if the token is found to be empty, it will automatically generate a random token, and print the hint information on the screen and in the log: random token is only applicable to the test environment, please use a custom token in the generation environment and write into the configuration file.
> > > > > 3. The admin API does not accept the empty token.
> > > > >
> > > > > In this way, it will not affect the previous version, nor will it affect the developer's experience of Apache APISIX, and enhance the security.
> > > > >
> > > > > What do you think?
> > > > >
> > > > > [1] https://github.com/apache/apisix/blob/master/conf/config-default.yaml#L87-L100
> > > > >
> > > > > Thanks,
> > > > > Ming Wen, Apache APISIX PMC Chair
> > > > > Twitter: _WenMing
> > > > >
> > >
> > > --
> > > *MembPhis*
> > > My GitHub: https://github.com/membphis
> > > Apache APISIX: https://github.com/apache/apisix
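As an added illustration of the startup and admin-API behaviour proposed in this thread (generate a per-run random token when the configured key is empty, never write it back to the config file, and reject an empty token at the admin API), here is a small Python sketch; it is not APISIX code (APISIX itself is Lua on top of Nginx), and the `CONFIG` dict is a constructed stand-in for the `admin_key` entries in `conf/config.yaml`.

```python
import hmac
import secrets

# Constructed stand-in for the admin_key entries in conf/config.yaml
# (name / key / role); the real default keys are deliberately not reproduced.
CONFIG = {"apisix": {"admin_key": [{"name": "admin", "key": "", "role": "admin"}]}}


def resolve_admin_keys(config, random_bytes=32, log=print):
    """Startup step: every admin_key entry with an empty `key` gets a random
    token that lives only in this process's memory. The config file is never
    rewritten, so the process only needs read access to it and a compromised
    process cannot persist a token of its own choosing across restarts."""
    resolved = {}
    for entry in config["apisix"]["admin_key"]:
        key = entry.get("key") or ""
        if not key:
            key = secrets.token_hex(random_bytes)  # CSPRNG, 64 hex chars
            log(f"admin_key '{entry['name']}' is empty; generated a random token "
                f"for this run only. Random tokens are for test environments: set "
                f"a custom key in config.yaml for production.")
        resolved[entry["name"]] = (key, entry.get("role", "viewer"))
    return resolved


def authorize_admin_request(headers, resolved_keys):
    """Admin API check: a missing or empty X-API-KEY is always rejected (so an
    empty configured token can never match), and the comparison is constant-time
    so response timing does not leak how much of a key was correct.
    Returns the matched role, or None when the request must be refused."""
    presented = headers.get("X-API-KEY", "")
    if not presented:
        return None
    for key, role in resolved_keys.values():
        if hmac.compare_digest(presented.encode(), key.encode()):
            return role
    return None


if __name__ == "__main__":
    keys = resolve_admin_keys(CONFIG)
    print("empty header ->", authorize_admin_request({}, keys))
    print("good key     ->", authorize_admin_request({"X-API-KEY": keys["admin"][0]}, keys))
```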