MXS-1220: Add HTTP BA authentication
The admin interface now supports Basic Access authentication. This is not a secure method of authentication and it should not be used without unencrypted connections. Made the admin interface port, authentication, username and password configurable.
This commit is contained in:

committed by
Markus Mäkelä

parent
d242203279
commit
52e0cc8e16
@ -11,6 +11,7 @@ requirements are as follows:
|
|||||||
* Bison 2.7 or later
|
* Bison 2.7 or later
|
||||||
* Flex 2.5.35 or later
|
* Flex 2.5.35 or later
|
||||||
* libuuid
|
* libuuid
|
||||||
|
* libmicrohttpd
|
||||||
|
|
||||||
## Required packages
|
## Required packages
|
||||||
|
|
||||||
@ -30,7 +31,8 @@ You can install the packages with the following commands.
|
|||||||
```
|
```
|
||||||
sudo yum install git gcc gcc-c++ ncurses-devel bison flex glibc-devel cmake \
|
sudo yum install git gcc gcc-c++ ncurses-devel bison flex glibc-devel cmake \
|
||||||
libgcc perl make libtool openssl openssl-devel libcurl-devel pcre-devel \
|
libgcc perl make libtool openssl openssl-devel libcurl-devel pcre-devel \
|
||||||
tcl tcl-devel systemtap-sdt-devel libuuid libuuid-devel sqlite3 sqlite3-devel
|
tcl tcl-devel systemtap-sdt-devel libuuid libuuid-devel sqlite3 sqlite3-devel \
|
||||||
|
libmicrohttpd-devel
|
||||||
```
|
```
|
||||||
|
|
||||||
### Required packages on Ubuntu and Debian systems
|
### Required packages on Ubuntu and Debian systems
|
||||||
@ -40,7 +42,7 @@ require other packages in addition to these.
|
|||||||
|
|
||||||
```
|
```
|
||||||
git build-essential libssl-dev ncurses-dev bison flex cmake perl libtool \
|
git build-essential libssl-dev ncurses-dev bison flex cmake perl libtool \
|
||||||
libcurl4-openssl-dev libpcre3-dev tlc tcl-dev uuid uuid-dev sqlite3-dev
|
libcurl4-openssl-dev libpcre3-dev tlc tcl-dev uuid uuid-dev sqlite3-dev libmicrohttpd-dev
|
||||||
```
|
```
|
||||||
|
|
||||||
You can install the packages with the following command.
|
You can install the packages with the following command.
|
||||||
@ -48,7 +50,7 @@ You can install the packages with the following command.
|
|||||||
```
|
```
|
||||||
sudo apt-get install git build-essential libssl-dev ncurses-dev bison flex \
|
sudo apt-get install git build-essential libssl-dev ncurses-dev bison flex \
|
||||||
cmake perl libtool libcurl4-openssl-dev libpcre3-dev tcl tcl-dev uuid \
|
cmake perl libtool libcurl4-openssl-dev libpcre3-dev tcl tcl-dev uuid \
|
||||||
uuid-dev libsqlite3-dev
|
uuid-dev libsqlite3-dev libmicrohttpd-dev
|
||||||
```
|
```
|
||||||
|
|
||||||
## Preparing the MariaDB MaxScale build
|
## Preparing the MariaDB MaxScale build
|
||||||
|
@ -172,6 +172,29 @@ write or modify the data in the backend server. The default is 2 seconds.
|
|||||||
auth_write_timeout=10
|
auth_write_timeout=10
|
||||||
```
|
```
|
||||||
|
|
||||||
|
#### `admin_port`
|
||||||
|
|
||||||
|
The port where the HTTP admin interface listens on. The default value is port
|
||||||
|
8080.
|
||||||
|
|
||||||
|
#### `admin_auth`
|
||||||
|
|
||||||
|
Enable HTTP admin interface authentication using HTTP Basic Access
|
||||||
|
authentication. This is not a secure method of authentication but it does add a
|
||||||
|
small layer of security. This option id disabled by default.
|
||||||
|
|
||||||
|
#### `admin_user`
|
||||||
|
|
||||||
|
The HTTP admin interface username. This is the username which is used when
|
||||||
|
_admin_auth_ is enabled. The default user for the HTTP admin interface is
|
||||||
|
`admin`.
|
||||||
|
|
||||||
|
#### `admin_password`
|
||||||
|
|
||||||
|
The HTTP admin interface password. This is the which which is used when
|
||||||
|
_admin_auth_ is enabled. The default password for the HTTP admin interface is
|
||||||
|
`mariadb`.
|
||||||
|
|
||||||
#### `ms_timestamp`
|
#### `ms_timestamp`
|
||||||
|
|
||||||
Enable or disable the high precision timestamps in logfiles. Enabling this adds
|
Enable or disable the high precision timestamps in logfiles. Enabling this adds
|
||||||
|
@ -30,6 +30,9 @@ MXS_BEGIN_DECLS
|
|||||||
/** Default user for the administrative interface */
|
/** Default user for the administrative interface */
|
||||||
#define DEFAULT_ADMIN_USER "@DEFAULT_ADMIN_USER@"
|
#define DEFAULT_ADMIN_USER "@DEFAULT_ADMIN_USER@"
|
||||||
|
|
||||||
|
static const char INET_DEFAULT_USERNAME[] = "admin";
|
||||||
|
static const char INET_DEFAULT_PASSWORD[] = "mariadb";
|
||||||
|
|
||||||
/*
|
/*
|
||||||
* MySQL session specific data
|
* MySQL session specific data
|
||||||
*
|
*
|
||||||
|
@ -26,7 +26,12 @@
|
|||||||
|
|
||||||
MXS_BEGIN_DECLS
|
MXS_BEGIN_DECLS
|
||||||
|
|
||||||
|
/** Default port where the REST API listens */
|
||||||
|
#define DEFAULT_ADMIN_HTTP_PORT 8080
|
||||||
|
|
||||||
#define _RELEASE_STR_LENGTH 256 /**< release len */
|
#define _RELEASE_STR_LENGTH 256 /**< release len */
|
||||||
|
#define MAX_ADMIN_USER_LEN 1024
|
||||||
|
#define MAX_ADMIN_PW_LEN 1024
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* The config parameter
|
* The config parameter
|
||||||
@ -74,6 +79,10 @@ typedef struct
|
|||||||
bool skip_permission_checks; /**< Skip service and monitor permission checks */
|
bool skip_permission_checks; /**< Skip service and monitor permission checks */
|
||||||
char qc_name[PATH_MAX]; /**< The name of the query classifier to load */
|
char qc_name[PATH_MAX]; /**< The name of the query classifier to load */
|
||||||
char* qc_args; /**< Arguments for the query classifier */
|
char* qc_args; /**< Arguments for the query classifier */
|
||||||
|
char admin_user[MAX_ADMIN_USER_LEN]; /**< Admin interface user */
|
||||||
|
char admin_password[MAX_ADMIN_PW_LEN]; /**< Admin interface password */
|
||||||
|
uint16_t admin_port; /**< Admin interface port */
|
||||||
|
bool admin_auth; /**< Admin interface authentication */
|
||||||
} MXS_CONFIG;
|
} MXS_CONFIG;
|
||||||
|
|
||||||
/**
|
/**
|
||||||
|
@ -21,15 +21,12 @@
|
|||||||
#include <maxscale/debug.h>
|
#include <maxscale/debug.h>
|
||||||
#include <maxscale/thread.h>
|
#include <maxscale/thread.h>
|
||||||
#include <maxscale/utils.h>
|
#include <maxscale/utils.h>
|
||||||
|
#include <maxscale/config.h>
|
||||||
|
#include <maxscale/hk_heartbeat.h>
|
||||||
|
|
||||||
#include "maxscale/admin.hh"
|
#include "maxscale/admin.hh"
|
||||||
#include "maxscale/hk_heartbeat.h"
|
|
||||||
#include "maxscale/resource.hh"
|
#include "maxscale/resource.hh"
|
||||||
|
|
||||||
#define DEFAULT_ADMIN_HOST "127.0.0.1"
|
|
||||||
#define DEFAULT_ADMIN_PORT 8080
|
|
||||||
#define DEFAULT_ADMIN_AUTH HTTP_AUTH_NONE
|
|
||||||
|
|
||||||
static struct MHD_Daemon* http_daemon = NULL;
|
static struct MHD_Daemon* http_daemon = NULL;
|
||||||
|
|
||||||
int handle_client(void *cls,
|
int handle_client(void *cls,
|
||||||
@ -42,6 +39,26 @@ int handle_client(void *cls,
|
|||||||
void **con_cls)
|
void **con_cls)
|
||||||
|
|
||||||
{
|
{
|
||||||
|
const char *admin_user = config_get_global_options()->admin_user;
|
||||||
|
const char *admin_pw = config_get_global_options()->admin_password;
|
||||||
|
bool admin_auth = config_get_global_options()->admin_auth;
|
||||||
|
|
||||||
|
char* pw = NULL;
|
||||||
|
char* user = MHD_basic_auth_get_username_password(connection, &pw);
|
||||||
|
|
||||||
|
if (admin_auth && (!user || !pw || strcmp(user, admin_user) || strcmp(pw, admin_pw)))
|
||||||
|
{
|
||||||
|
static char error_resp[] = "Access denied\r\n";
|
||||||
|
struct MHD_Response *resp;
|
||||||
|
|
||||||
|
resp = MHD_create_response_from_buffer(sizeof (error_resp) - 1, error_resp,
|
||||||
|
MHD_RESPMEM_PERSISTENT);
|
||||||
|
|
||||||
|
MHD_queue_basic_auth_fail_response(connection, "maxscale", resp);
|
||||||
|
MHD_destroy_response(resp);
|
||||||
|
return MHD_YES;
|
||||||
|
}
|
||||||
|
|
||||||
string verb(method);
|
string verb(method);
|
||||||
json_t* json = NULL;
|
json_t* json = NULL;
|
||||||
|
|
||||||
@ -77,8 +94,10 @@ int handle_client(void *cls,
|
|||||||
bool mxs_admin_init()
|
bool mxs_admin_init()
|
||||||
{
|
{
|
||||||
http_daemon = MHD_start_daemon(MHD_USE_EPOLL_INTERNALLY | MHD_USE_DUAL_STACK,
|
http_daemon = MHD_start_daemon(MHD_USE_EPOLL_INTERNALLY | MHD_USE_DUAL_STACK,
|
||||||
DEFAULT_ADMIN_PORT, NULL, NULL,
|
config_get_global_options()->admin_port,
|
||||||
handle_client, NULL, MHD_OPTION_END);
|
NULL, NULL,
|
||||||
|
handle_client, NULL,
|
||||||
|
MHD_OPTION_END);
|
||||||
return http_daemon != NULL;
|
return http_daemon != NULL;
|
||||||
|
|
||||||
}
|
}
|
||||||
|
@ -62,9 +62,6 @@ static const int LINELEN = 80;
|
|||||||
static const char LINUX_USERS_FILE_NAME[] = "maxadmin-users";
|
static const char LINUX_USERS_FILE_NAME[] = "maxadmin-users";
|
||||||
static const char INET_USERS_FILE_NAME[] = "passwd";
|
static const char INET_USERS_FILE_NAME[] = "passwd";
|
||||||
|
|
||||||
static const char INET_DEFAULT_USERNAME[] = "admin";
|
|
||||||
static const char INET_DEFAULT_PASSWORD[] = "mariadb";
|
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Admin Users initialisation
|
* Admin Users initialisation
|
||||||
*/
|
*/
|
||||||
|
@ -59,6 +59,7 @@
|
|||||||
#include <set>
|
#include <set>
|
||||||
#include <string>
|
#include <string>
|
||||||
|
|
||||||
|
#include <maxscale/adminusers.h>
|
||||||
#include <maxscale/alloc.h>
|
#include <maxscale/alloc.h>
|
||||||
#include <maxscale/housekeeper.h>
|
#include <maxscale/housekeeper.h>
|
||||||
#include <maxscale/limits.h>
|
#include <maxscale/limits.h>
|
||||||
@ -1458,6 +1459,22 @@ handle_global_item(const char *name, const char *value)
|
|||||||
MXS_FREE(v);
|
MXS_FREE(v);
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
else if (strcmp(name, "admin_user") == 0)
|
||||||
|
{
|
||||||
|
strcpy(gateway.admin_user, value);
|
||||||
|
}
|
||||||
|
else if (strcmp(name, "admin_password") == 0)
|
||||||
|
{
|
||||||
|
strcpy(gateway.admin_password, value);
|
||||||
|
}
|
||||||
|
else if (strcmp(name, "admin_port") == 0)
|
||||||
|
{
|
||||||
|
gateway.admin_port = atoi(value);
|
||||||
|
}
|
||||||
|
else if (strcmp(name, "admin_auth") == 0)
|
||||||
|
{
|
||||||
|
gateway.admin_auth = config_truth_value(value);
|
||||||
|
}
|
||||||
else
|
else
|
||||||
{
|
{
|
||||||
for (i = 0; lognames[i].name; i++)
|
for (i = 0; lognames[i].name; i++)
|
||||||
@ -1678,6 +1695,11 @@ global_defaults()
|
|||||||
gateway.auth_read_timeout = DEFAULT_AUTH_READ_TIMEOUT;
|
gateway.auth_read_timeout = DEFAULT_AUTH_READ_TIMEOUT;
|
||||||
gateway.auth_write_timeout = DEFAULT_AUTH_WRITE_TIMEOUT;
|
gateway.auth_write_timeout = DEFAULT_AUTH_WRITE_TIMEOUT;
|
||||||
gateway.skip_permission_checks = false;
|
gateway.skip_permission_checks = false;
|
||||||
|
gateway.admin_port = DEFAULT_ADMIN_HTTP_PORT;
|
||||||
|
gateway.admin_auth = false;
|
||||||
|
strcpy(gateway.admin_user, INET_DEFAULT_USERNAME);
|
||||||
|
strcpy(gateway.admin_password, INET_DEFAULT_PASSWORD);
|
||||||
|
|
||||||
if (version_string != NULL)
|
if (version_string != NULL)
|
||||||
{
|
{
|
||||||
gateway.version_string = MXS_STRDUP_A(version_string);
|
gateway.version_string = MXS_STRDUP_A(version_string);
|
||||||
|
Reference in New Issue
Block a user