ACL login will fail if auth_token enabled in v20.07.0


Report a Dgraph Bug

When auth_token is configured, the ACL feature for logins cannot be used. This works fine in v20.03.04 but fails in v20.07.0.

What version of Dgraph are you using?

Have you tried reproducing the issue with the latest release?

yes

What is the hardware spec (RAM, OS)?

Ubuntu latest (Focal Fossa) docker containers fon Ubuntu Eoan Ermine host.

Steps to reproduce the issue (command/config used to run Dgraph).

  1. Configure Server with ACL and auth_token enabled
  2. Attempt a login supplying the token
  3. Fails

docker-compose.yml

services:
  backgcs-alpha1:
    command: dgraph alpha --my=backgcs-alpha1:7080 --lru_mb=1024 --zero=backgcs-zero1:5080
      --config /dgraph/config/acl-auth_config.hcl
    container_name: backgcs-alpha1
    image: dgraph/dgraph:v20.07.0
    ports:
    - published: 8080
      target: 8080
    - published: 9080
      target: 9080
    volumes:
    - read_only: true
      source: ./acl
      target: /dgraph/acl/
      type: bind
    - read_only: true
      source: ./config
      target: /dgraph/config
      type: bind
    working_dir: /data/alpha1
 
  backgcs-zero1:
    command: dgraph zero --my=backgcs-zero1:5080 --replicas 1 --idx 1
    container_name: backgcs-zero1
    image: dgraph/dgraph:v20.07.0
    ports:
    - published: 5080
      target: 5080
    - published: 6080
      target: 6080
    working_dir: /data/zero1
version: '3.5'

acl-auth_config.hcl

whitelist       = "10.0.0.0/8,192.168.0.0/16,172.16.0.0/12,172.20.0.0/12"
acl_secret_file = "/dgraph/acl/hmac_secret_file"
auth_token      = "6jtXKSTL9vz5KPg"

login w/ auth token

/usr/bin/curl --silent \
  --header 'X-Dgraph-AuthToken: 6jtXKSTL9vz5KPg' \
  --header 'Content-Type: application/json' \
  --request POST localhost:8080/admin \
  --data '{"query": "mutation { login(userId: \"groot\" password: \"password\") { response { accessJWT } } }"}' | jq

Expected behavior and actual result.

I expected to be able to login.

When logging with the X-Dgraph-AuthT-ken, get:

{
  "errors": [
    {
      "message": "resolving login failed because No Auth Token found. Token needed for Alter operations.",
      "locations": [
        {
          "line": 1,
          "column": 12
        }
      ]
    }
  ],
  "data": {
    "login": null
  },
  "extensions": {
    "tracing": {
      "version": 1,
      "startTime": "2020-09-06T10:47:02.261362444Z",
      "endTime": "2020-09-06T10:47:02.261840568Z",
      "duration": 478117
    }
  }
}

If I omit the token, I get:

{
  "errors": [
    {
      "message": "Invalid X-Dgraph-AuthToken",
      "extensions": {
        "code": "ErrorUnauthorized"
      }
    }
  ]
}

The logs show that login request events:

I0906 10:45:59.747561      16 login.go:36] Got login request
I0906 10:45:59.747646      16 server.go:1269] Got Login request from: "172.26.0.1:42578"
I0906 10:46:24.692920      16 login.go:36] Got login request
I0906 10:46:24.692994      16 server.go:1269] Got Login request from: "172.26.0.1:42584"
I0906 10:46:59.465065      16 login.go:36] Got login request
I0906 10:46:59.465105      16 server.go:1269] Got Login request from: "172.26.0.1:42596"
I0906 10:47:02.261679      16 login.go:36] Got login request
I0906 10:47:02.261765      16 server.go:1269] Got Login request from: "172.26.0.1:42600"

This also fails in v20.07.1-rc1.

Fixed by: https://github.com/dgraph-io/dgraph/pull/6660