Authentication for admin endpoints

abhimanyusinghgaur · May 20, 2020, 7:23pm

Starting with this PR, all the admin endpoints now require three kinds of auth:

IP White-listing, if --whitelist flag is passed to alpha.
Poor-man’s auth, if --auth_token flag is passed to alpha (means you will need to pass the auth_token as X-Dgraph-AuthToken header while making the HTTP request if this is enabled).
Guardian only access, if ACL is enabled (means you need to pass the ACL JWT of a Guardian user as X-Dgraph-AccessToken header while making the HTTP request if this is enabled).

Admin endpoint means any http endpoint which provides admin functionalities. Normally, the path starts with /admin for such endpoints, except a few. So, at present this list includes:

/admin
/admin/backup
/admin/config/lru_mb
/admin/draining
/admin/export
/admin/shutdown
/admin/schema
/alter
/login

There are a few exceptions to the general rule described above:

/admin: This endpoint provides GraphQL queries/mutations for administration purposes. All the queries/mutations on /admin have all the 3 auth checks, except for the following one:
- login (mutation): This mutation logs-in an ACL user, and provides them with JWT. Only IP Whitelisting and Poor-man’s auth checks are performed for this. As one won’t be able to login using ACL if we mandate Guardian only access on this.
/login: The same behavior as the above GraphQL admin login mutation.

Apart from the above-mentioned points, when ACL is enabled, querying dgraph schema now returns only those predicates for which the ACL user has read access.

cc: @pawan, @michaelcompton, @gja, @mrjn

Related PRs:

mrjn · May 21, 2020, 3:18pm

I think we should consider what their behavior “should be”, not what it has been. We can make breaking changes in major releases. So, let’s think about that and apply the checks accordingly.

I’d think that GQL schema retrievals and updates would require all 3 checks, just based on a cursory look.

pawan · May 27, 2020, 10:10am

IP whitelisting was introduced for Admin operations and updating and fetching the schema are Admin operations. So it should apply to Alter and updateGQLSchema. We can also apply it to getGQLSchema but then we should probably also apply it to the schema {} query within Dgraph.

dmai · July 13, 2020, 5:37pm

Changes to Alter and schema {} affects the behavior for all client libraries, the Tour, and Play (to name a few). For folks altering the schema or running schema queries, they’d need to set the whitelist flag appropriately.

pawan · July 13, 2020, 5:53pm

So finally IP whitelisting was only applied for Alter and not for getting the schema, so it shouldn’t affect play. It would affect Tour though and we should modify it so that it works with the new changes. Not sure who is the right person to do it though.

vvbalaji · July 15, 2020, 2:25pm

The person making the changes that necessitates an update to Tour would be a good candidate. They have the most context.

pawan · July 16, 2020, 8:56am

@abhimanyusinghgaur could you please add a task for yourself to check this and send a PR over to Tour? We shouldn’t be merging it until 20.07.0 goes out though.

abhimanyusinghgaur · July 16, 2020, 12:29pm

Updated Tour.
Merged because it was a backward compatible change.

joaquin · September 6, 2020, 9:31pm

FYI. If auth-tokens are enabled, ACLs with accessJWT token will no longer work in v20.07.0:

ACL login will fail if auth_token enabled in v20.07.0

This worked fine before together with v20.03.4.

As far as I can tell, the message from server.go indicates that metadata auth-token is not there, despite that it was configured:

github.com

dgraph-io/dgraph/blob/master/edgraph/server.go#L1329-L1344


		return resp, err
	}
	qc.span.Annotatef(nil, "Response = %s", resp.Json)

	// varToUID contains a map of variable name to the uids corresponding to it.
	// It is used later for constructing set and delete mutations by replacing
	// variables with the actual uids they correspond to.
	// If a variable doesn't have any UID, we generate one ourselves later.
	for name := range qc.uidRes {
		v := qr.Vars[name]

		// If the list of UIDs is empty but the map of values is not,
		// we need to get the UIDs from the keys in the map.
		var uidList []uint64
		if v.OrderedUIDs != nil && len(v.OrderedUIDs.Uids) > 0 {
			uidList = v.OrderedUIDs.Uids

dalu · October 11, 2021, 11:17am

2 things:

Is this all an enterprise feature?

docker run -it -p 7080:7080 --network dgraph_default -p 8080:8080 -p 9080:9080 -v ~/dgraph/alpha/s1:/dgraph dgraph/dgraph:v21.03.2 dgraph alpha --zero=192.168.1.3:5080 --my=192.168.1.3:7080 --whitelist=0.0.0.0/0
Error: unknown flag: --whitelist

I’m in this topic because

curl -X POST localhost:8080/admin/schema --data-binary '@schema.graphql'

{"errors":[{"message":"resolving updateGQLSchema failed because unauthorized ip address: 172.18.0.1 (Locations: [{Line: 3, Column: 4}])","extensions":{"code":"Error"}}]}%

iluminae · October 11, 2021, 4:40pm

You should make a new post - this topic is old enough that the flags referenced have changed, see the docs on the new flags for version v21.03+ https://dgraph.io/docs/deploy/config/#command-line-flags