Report a Dgraph Bug
When auth_token is configured, the ACL feature for logins cannot be used. This works fine in v20.03.04 but fails in v20.07.0.
What version of Dgraph are you using?
Have you tried reproducing the issue with the latest release?
yes
What is the hardware spec (RAM, OS)?
Ubuntu latest (Focal Fossa) docker containers on Ubuntu Eoan Ermine host.
Steps to reproduce the issue (command/config used to run Dgraph).
- Configure Server with ACL and auth_token enabled
- Attempt a login supplying the token
- Fails
docker-compose.yml
services:
  backgcs-alpha1:
    command: dgraph alpha --my=backgcs-alpha1:7080 --lru_mb=1024 --zero=backgcs-zero1:5080
      --config /dgraph/config/acl-auth_config.hcl
    container_name: backgcs-alpha1
    image: dgraph/dgraph:v20.07.0
    ports:
    - published: 8080
      target: 8080
    - published: 9080
      target: 9080
    volumes:
    - read_only: true
      source: ./acl
      target: /dgraph/acl/
      type: bind
    - read_only: true
      source: ./config
      target: /dgraph/config
      type: bind
    working_dir: /data/alpha1
  backgcs-zero1:
    command: dgraph zero --my=backgcs-zero1:5080 --replicas 1 --idx 1
    container_name: backgcs-zero1
    image: dgraph/dgraph:v20.07.0
    ports:
    - published: 5080
      target: 5080
    - published: 6080
      target: 6080
    working_dir: /data/zero1
version: '3.5'
acl-auth_config.hcl
whitelist = "10.0.0.0/8,192.168.0.0/16,172.16.0.0/12,172.20.0.0/12"
acl_secret_file = "/dgraph/acl/hmac_secret_file"
auth_token = "6jtXKSTL9vz5KPg"
login w/ auth token
/usr/bin/curl --silent \
  --header 'X-Dgraph-AuthToken: 6jtXKSTL9vz5KPg' \
  --header 'Content-Type: application/json' \
  --request POST localhost:8080/admin \
  --data '{"query": "mutation { login(userId: \"groot\" password: \"password\") { response { accessJWT } } }"}' | jq
Expected behavior and actual result.
I expected to be able to login.
When logging in with the X-Dgraph-AuthToken, I get:
{
  "errors": [
    {
      "message": "resolving login failed because No Auth Token found. Token needed for Alter operations.",
      "locations": [
        {
          "line": 1,
          "column": 12
        }
      ]
    }
  ],
  "data": {
    "login": null
  },
  "extensions": {
    "tracing": {
      "version": 1,
      "startTime": "2020-09-06T10:47:02.261362444Z",
      "endTime": "2020-09-06T10:47:02.261840568Z",
      "duration": 478117
    }
  }
}
If I omit the token, I get:
{
  "errors": [
    {
      "message": "Invalid X-Dgraph-AuthToken",
      "extensions": {
        "code": "ErrorUnauthorized"
      }
    }
  ]
}
The logs show the login request events:
I0906 10:45:59.747561 16 login.go:36] Got login request
I0906 10:45:59.747646 16 server.go:1269] Got Login request from: "172.26.0.1:42578"
I0906 10:46:24.692920 16 login.go:36] Got login request
I0906 10:46:24.692994 16 server.go:1269] Got Login request from: "172.26.0.1:42584"
I0906 10:46:59.465065 16 login.go:36] Got login request
I0906 10:46:59.465105 16 server.go:1269] Got Login request from: "172.26.0.1:42596"
I0906 10:47:02.261679 16 login.go:36] Got login request
I0906 10:47:02.261765 16 server.go:1269] Got Login request from: "172.26.0.1:42600"
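A regression check for the behaviour reported above, added here as an example (it is not part of the original report and is not Dgraph code): it builds the same login request as the curl command and classifies the /admin response into the outcomes the report shows. The function names, outcome labels and the successful-login sample are assumptions made for illustration.

```python
import json
import urllib.request

# Login mutation from the report; user and password are inserted as quoted strings.
LOGIN = "mutation { login(userId: %s password: %s) { response { accessJWT } } }"

# Responses quoted in the report (whitespace and tracing extensions dropped).
WITH_TOKEN = ('{"errors":[{"message":"resolving login failed because No Auth Token '
              'found. Token needed for Alter operations.","locations":[{"line":1,'
              '"column":12}]}],"data":{"login":null}}')
WITHOUT_TOKEN = ('{"errors":[{"message":"Invalid X-Dgraph-AuthToken",'
                 '"extensions":{"code":"ErrorUnauthorized"}}]}')
# Constructed: the shape a successful login would have for the mutation above.
CONSTRUCTED_OK = '{"data":{"login":{"response":{"accessJWT":"constructed.jwt.value"}}}}'


def build_login_request(url, auth_token, user, password):
    """Build the POST sent by the curl command; auth_token=None omits the header."""
    headers = {"Content-Type": "application/json"}
    if auth_token is not None:
        headers["X-Dgraph-AuthToken"] = auth_token
    query = LOGIN % (json.dumps(user), json.dumps(password))
    body = json.dumps({"query": query}).encode()
    return urllib.request.Request(url, data=body, headers=headers, method="POST")


def classify(response_text):
    """Map an /admin login response to one of the outcomes shown in the report."""
    doc = json.loads(response_text)
    login = (doc.get("data") or {}).get("login") or {}
    if (login.get("response") or {}).get("accessJWT"):
        return "login-ok"
    for err in doc.get("errors") or []:
        code = (err.get("extensions") or {}).get("code")
        msg = err.get("message", "")
        if code == "ErrorUnauthorized":
            return "rejected-before-login"    # X-Dgraph-AuthToken check failed
        if msg.startswith("resolving login failed") and "No Auth Token found" in msg:
            return "login-resolver-no-token"  # reported v20.07.0 behaviour
    return "other-error"


if __name__ == "__main__":
    for name in ("WITH_TOKEN", "WITHOUT_TOKEN", "CONSTRUCTED_OK"):
        print(name, "->", classify(globals()[name]))
```

Against a live alpha, pass the request from `build_login_request` to `urllib.request.urlopen` and feed the decoded body to `classify`; a release where ACL login works alongside auth_token should yield `login-ok` when the token is supplied.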