Authentication and authorization #2833

Open
1 of 6 tasks
sanikolaev opened this issue Dec 10, 2024 · 3 comments

@sanikolaev
Collaborator

sanikolaev commented Dec 10, 2024

Proposal:

Umbrella issue for https://roadmap.mnt.cr/ about authentication and authorization.

Subtasks:

Added the current issues list as a separate ticket, #2844.

Checklist:

To be completed by the assignee. Check off tasks that have been completed or are not applicable.

  • Implementation completed
  • Tests developed
  • Documentation updated
  • Documentation reviewed
  • Changelog updated
  • OpenAPI YAML updated and issue created to rebuild clients
@tomatolog
Contributor

tomatolog commented Dec 12, 2024

Auth SphinxQL interface.

The daemon checks the password from the mysql client in a way compatible with the mysql_native_password plugin, i.e.

mysql -h 127.0.0.1 -P 9306 -u teston -p
Enter password: ****

should work the same way as with a regular mysql server.

Added new test options auth_user and auth_pass to the searchd section to set a user and a raw-text password for testing, like

searchd
{
...
    auth_user = admin
    auth_pass = test123
}

or use a .htpasswd-compatible file with SHA-1 hashes, like

searchd
{
...
    auth_user_file = /home/user1/.htpasswd
}

The .htpasswd file should be created like

htpasswd -s -c ~/bin/.htpasswd new_user

and additional users should be added like

htpasswd -s ~/bin/.htpasswd user2

The auth_user and the raw auth_pass should be removed on release of the feature.

@tomatolog
Contributor

tomatolog commented Dec 12, 2024

Basic auth HTTP interface.

If the user is added to the daemon, the client must use the HTTP Basic access authentication scheme, i.e. for the curl client it works like

curl -X POST "localhost:9312/search" -H "content-type: application/json" -d @gh1594.js  -u test_file:test

@tomatolog
Contributor

tomatolog commented Dec 12, 2024

auth_user_file

The daemon works with the auth_user_file as follows:

  • Lines with errors are reported and skipped. At least one valid line is required for the daemon to start; otherwise the daemon exits fatally on startup.
  • The daemon also exits fatally on startup if auth_user_file is set but the daemon failed to open the file.
  • The daemon also exits fatally on startup if the auth_user_file permissions are set to 777.

That should prevent cases where access authentication is required but no valid users are loaded.
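
The auth_user_file startup rules listed in the comment above, written as an operator-side pre-flight check; this is an added example, not the daemon's own code and not part of the original thread. It assumes `htpasswd -s` entries have the form `user:{SHA}<base64 of the SHA-1 digest>`; the names `parse_line`, `load_auth_file`, `AuthFileError` and the sample file contents are constructed for illustration.

```python
import base64
import hashlib
import os
import tempfile

class AuthFileError(Exception):
    """A condition the comment describes as fatal at daemon startup."""

def parse_line(line):
    """Return (user, sha1_digest) for one 'user:{SHA}<base64>' line, else raise ValueError."""
    user, sep, hashed = line.partition(":")
    if not sep or not user or not hashed.startswith("{SHA}"):
        raise ValueError("expected 'user:{SHA}<base64>'")
    # binascii.Error (bad base64) is a ValueError subclass, so it propagates as one.
    digest = base64.b64decode(hashed[len("{SHA}"):], validate=True)
    if len(digest) != hashlib.sha1().digest_size:
        raise ValueError("decoded hash is not a 20-byte SHA-1 digest")
    return user, digest

def load_auth_file(path):
    """Apply the three startup rules; return (users, reported_errors)."""
    try:
        mode = os.stat(path).st_mode
        with open(path, encoding="utf-8", errors="replace") as fh:
            lines = fh.read().splitlines()
    except OSError as exc:
        raise AuthFileError(f"cannot open {path}: {exc}")       # rule: open failure is fatal
    if (mode & 0o777) == 0o777:
        raise AuthFileError(f"{path} has permissions 777")      # rule: 777 is fatal
    users, errors = {}, []
    for no, line in enumerate(lines, 1):
        try:
            user, digest = parse_line(line.strip())
            users[user] = digest
        except ValueError as exc:
            errors.append(f"line {no}: {exc}")                   # reported, then skipped
    if not users:
        raise AuthFileError(f"{path} has no valid user lines")  # rule: need one valid line
    return users, errors

def demo():
    """Constructed sample file: one valid entry followed by two broken lines."""
    good = "test_file:{SHA}" + base64.b64encode(hashlib.sha1(b"test").digest()).decode()
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, ".htpasswd")
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(good + "\nno_colon_here\nuser2:{SHA}short\n")
        return load_auth_file(path)
```
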
