MXS-1220: Allow new REST API users to be created

The REST API now uses the same users as MaxAdmin network interface. This allows them to be created with MaxAdmin. The next step is to add user creation to the REST API.
2017-05-18 16:16:16 +03:00 · 2017-05-18 16:16:16 +03:00 · 7fc2d25cf2
commit 7fc2d25cf2
parent db78eae9a8
4 changed files with 15 additions and 33 deletions
--- a/Documentation/Getting-Started/Configuration-Guide.md
+++ b/Documentation/Getting-Started/Configuration-Guide.md
@ -544,17 +544,9 @@ Enable HTTP admin interface authentication using HTTP Basic Access
 authentication. This is not a secure method of authentication but it does add a
 small layer of security. This option is disabled by default.

-#### `admin_user`
-
-The HTTP admin interface username. This is the username which is used when
-_admin_auth_ is enabled. The default user for the HTTP admin interface is
-`admin`.
-
-#### `admin_password`
-
-The HTTP admin interface password. This is the which which is used when
-_admin_auth_ is enabled. The default password for the HTTP admin interface is
-`mariadb`.
+The admin interface authentication uses the same user as MaxAdmin network
+interface. This means that new users can be added with both MaxAdmin and the
+REST API. The default credentials for the interface are `admin:mariadb`.

 #### `admin_ssl_key`

--- a/include/maxscale/config.h
+++ b/include/maxscale/config.h
@ -193,8 +193,6 @@ typedef struct
    bool          skip_permission_checks;              /**< Skip service and monitor permission checks */
    char          qc_name[PATH_MAX];                   /**< The name of the query classifier to load */
    char*         qc_args;                             /**< Arguments for the query classifier */
-    char          admin_user[MAX_ADMIN_USER_LEN];      /**< Admin interface user */
-    char          admin_password[MAX_ADMIN_PW_LEN];    /**< Admin interface password */
    char          admin_host[MAX_ADMIN_HOST_LEN];      /**< Admin interface host */
    uint16_t      admin_port;                          /**< Admin interface port */
    bool          admin_auth;                          /**< Admin interface authentication */
--- a/server/core/admin.cc
+++ b/server/core/admin.cc
@ -33,6 +33,7 @@
 #include <maxscale/config.h>
 #include <maxscale/hk_heartbeat.h>
 #include <maxscale/http.hh>
+#include <maxscale/adminusers.h>

 #include "maxscale/resource.hh"

@ -152,24 +153,25 @@ void close_client(void *cls,

 bool do_auth(MHD_Connection *connection)
 {
-    const char *admin_user = config_get_global_options()->admin_user;
-    const char *admin_pw = config_get_global_options()->admin_password;
    bool admin_auth = config_get_global_options()->admin_auth;

    char* pw = NULL;
    char* user = MHD_basic_auth_get_username_password(connection, &pw);
    bool rval = true;

-    if (admin_auth && (!user || !pw || strcmp(user, admin_user) || strcmp(pw, admin_pw)))
+    if (admin_auth)
    {
-        rval = false;
-        static char error_resp[] = "Access denied\r\n";
-        MHD_Response *resp =
-            MHD_create_response_from_buffer(sizeof(error_resp) - 1, error_resp,
-                                            MHD_RESPMEM_PERSISTENT);
+        if (!user || !pw || !admin_verify_inet_user(user, pw))
+        {
+            rval = false;
+            static char error_resp[] = "{\"errors\": [ { \"detail\": \"Access denied\" } ] }";
+            MHD_Response *resp =
+                MHD_create_response_from_buffer(sizeof(error_resp) - 1, error_resp,
+                                                MHD_RESPMEM_PERSISTENT);

-        MHD_queue_basic_auth_fail_response(connection, "maxscale", resp);
-        MHD_destroy_response(resp);
+            MHD_queue_basic_auth_fail_response(connection, "maxscale", resp);
+            MHD_destroy_response(resp);
+        }
    }

    return rval;
--- a/server/core/config.cc
+++ b/server/core/config.cc
@ -1524,14 +1524,6 @@ handle_global_item(const char *name, const char *value)
            MXS_FREE(v);
        }
    }
-    else if (strcmp(name, CN_ADMIN_USER) == 0)
-    {
-        strcpy(gateway.admin_user, value);
-    }
-    else if (strcmp(name, CN_ADMIN_PASSWORD) == 0)
-    {
-        strcpy(gateway.admin_password, value);
-    }
    else if (strcmp(name, CN_ADMIN_PORT) == 0)
    {
        gateway.admin_port = atoi(value);
@ -1784,8 +1776,6 @@ global_defaults()
    gateway.admin_auth = false;
    gateway.admin_enabled = true;
    strcpy(gateway.admin_host, DEFAULT_ADMIN_HOST);
-    strcpy(gateway.admin_user, INET_DEFAULT_USERNAME);
-    strcpy(gateway.admin_password, INET_DEFAULT_PASSWORD);
    gateway.admin_ssl_key[0] = '\0';
    gateway.admin_ssl_cert[0] = '\0';
    gateway.admin_ssl_ca_cert[0] = '\0';