-
Notifications
You must be signed in to change notification settings - Fork 3.8k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
ui, server: remote_debugging.mode setting isn't being respected #23555
Comments
So it turns out I misunderstood which pages count as debug pages. Only pages that are prefixed with Closing as user error. |
Anything which can potentially return keys needs to be protected. We need to lock down the log endpoints as well as all the status/debug pages that can include keys (or we could keep those pages but hide the actual keys if the filter doesn't pass). |
Alright, but that's no small task, and it's the case in all of our releases going back to v1.0. |
Thanks @a-robinson! I will let @couchand answer the key question more accurately - I didn't think we display any of them in the UI. cc: @josueeee |
The logs pages are the only place that's documented/linked from somewhere. If/when we choose to do #20690 the other debug pages will need to see more scrutiny. The seems like one more reason that we should implement #6307/#18206 as soon as possible, but it's unlikely that will be backported to 2.0 or 1.x, so we should probably figure out something that we feel comfortable adding to each of those releases. I'm fine with the idea that the logs pages and many (all?) the debug pages should be conditional on @bdarnell It sounds like this is a high priority from your perspective? Would you be available to spend some time with me to do an audit of which debug pages we need to be thinking about? |
The ones I think we need to block are
|
@bdarnell thanks for that list. It looks like there are two sides to this issue:
And we have two options for the criteria to apply: if it's not too much effort we could try to support |
Oh, one more point about usability. We don't currently seem to document the setting |
I should have a PR out for this later today. I have the plumbing of source addresses through the grpc-gateway figured out and working for a couple endpoints, I just need to handle the rest of them. I don't really like the lack of fail-safes to keep us from forgetting this on new endpoints, but we could potentially add some sort of test that crawls all the debug pages looking for key-shaped strings. We're also going to have to fix the Finally, I was worried about how this was going to affect the |
@a-robinson Thanks for taking this on. If you knock out the server side of this, I'll add the updates for the admin UI to not break because of it. You're right that I agree that it's worrisome how easy it is to mess this up. We need better visibility into what endpoints are available and what information they offer. Really, we need to require a login for HTTP access just the same as we do for gRPC access. |
Keys can potentially contain sensitive information, so lock down or strip any debug endpoints that contain range start/end keys in accordance with the server.remote_debugging.mode setting and where the request originated. This intentionally only applies the filtering for HTTP requests: gRPC requests should be allowed through since they're already properly authenticated by certificates in secure clusters. Fixes cockroachdb#23555 Release note (admin ui change): More debug pages are now locked down by the server.remote_debugging.mode cluster setting.
Keys can potentially contain sensitive information, so lock down or strip any debug endpoints that contain range start/end keys in accordance with the server.remote_debugging.mode setting and where the request originated. This intentionally only applies the filtering for HTTP requests: gRPC requests should be allowed through since they're already properly authenticated by certificates in secure clusters. Fixes cockroachdb#23555 Release note (admin ui change): More debug pages are now locked down by the server.remote_debugging.mode cluster setting.
Keys can potentially contain sensitive information, so lock down or strip any debug endpoints that contain range start/end keys in accordance with the server.remote_debugging.mode setting and where the request originated. This intentionally only applies the filtering for HTTP requests: gRPC requests should be allowed through since they're already properly authenticated by certificates in secure clusters. Fixes cockroachdb#23555 Release note (admin ui change): More debug pages are now locked down by the server.remote_debugging.mode cluster setting.
I built cockroach from head (b6c934c), then started a 1 node insecure cluster on my gceworker. Without changing any cluster settings, I'm able to access all the debug pages over the internet on the VM's public IP, even though the setting defaults to
local
only. I then changed the setting to 'off' (set cluster setting server.remote_debugging.mode = 'off';
) and I'm still able to access all of the debug pages.The text was updated successfully, but these errors were encountered: