Skip to content

Fix HTTP OPTIONS request auth handling#5615

Merged
jon-wei merged 2 commits intoapache:masterfrom
jon-wei:http_options_auth
Apr 12, 2018
Merged

Fix HTTP OPTIONS request auth handling#5615
jon-wei merged 2 commits intoapache:masterfrom
jon-wei:http_options_auth

Conversation

@jon-wei
Copy link
Copy Markdown
Contributor

@jon-wei jon-wei commented Apr 9, 2018
edited
Loading

Fixes #5588

This PR sets the AUTHORIZATION_CHECKED flag to true for all HTTP OPTIONS requests. This is handled in a new servlet filter (Druid has no explicit OPTIONS method handlers on its endpoints).

It seems that CORS pre-flight OPTIONS requests do not generally contain credentials headers:

So a disableHttpOptionsAuthentication config is added to disable authentication checks on OPTIONS requests (authentication is required by default) to support CORS use cases.

@fjy fjy added this to the 0.13.0 milestone Apr 10, 2018
@jon-wei jon-wei force-pushed the http_options_auth branch from 46b3b85 to e8465d5 Compare April 12, 2018 00:18
@jon-wei jon-wei force-pushed the http_options_auth branch from e8465d5 to b43dcc7 Compare April 12, 2018 00:30
mkuthan
mkuthan reviewed Apr 12, 2018
View reviewed changes
Comment thread docs/content/configuration/auth.md Outdated
|`druid.escalator.type`|String|Type of the Escalator that should be used for internal Druid communications. This Escalator must use an authentication scheme that is supported by an Authenticator in `druid.auth.authenticationChain`.|"noop"|no|
|`druid.auth.authorizers`|JSON List of Strings|List of Authorizer type names |["allowAll"]|no|
|`druid.auth.unsecuredPaths`| List of Strings|List of paths for which security checks will not be performed. All requests to these paths will be allowed.|[]|no|
|`druid.auth.requireHttpOptionsAuthentication`|Boolean|If false, skip authentication checks for HTTP OPTIONS requests. Note that disabling authentication checks for OPTIONS requests will allow unauthenticated users to determine what Druid endpoints are valid, and this may leak sensitive information (for example, the `/druid/indexer/v1//task/{taskid}` endpoint on the Overlord and `/druid/coordinator/v1/datasources` endpoints on the Coordinator contain resource names), so the authentication checks should not be disabled unless truly necessary. |true|no|
Copy link
Copy Markdown

@mkuthan mkuthan Apr 12, 2018

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Property name disableHttpOptionsAuthentication (by default set false due to the potential information leak) seems to be better IMHO. If someone wants to change the property to true it will mean that some kind of authentication will be disabled (dangerous in general).

Copy link
Copy Markdown
Contributor Author

@jon-wei jon-wei Apr 12, 2018

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

sounds good, I flipped the boolean there

@mkuthan
Copy link
Copy Markdown

mkuthan commented Apr 12, 2018

Thanks for the investigation and fix! Mentioned links are really good lecture.

@fjy
Copy link
Copy Markdown
Contributor

fjy commented Apr 12, 2018

@jon-wei is this 0.12.1 or 0.13?

@jon-wei
Copy link
Copy Markdown
Contributor Author

jon-wei commented Apr 12, 2018

@fjy let's do 0.12.1

@jon-wei jon-wei modified the milestones: 0.13.0, 0.12.1 Apr 12, 2018
@jon-wei jon-wei merged commit df51a7b into apache:master Apr 12, 2018
jon-wei added a commit that referenced this pull request Apr 12, 2018
@jon-wei
Revert "Fix HTTP OPTIONS request auth handling (#5615)"
677cb55 
This reverts commit df51a7b.
gianm
gianm reviewed Apr 12, 2018
View reviewed changes
Comment thread docs/content/configuration/auth.md
|`druid.escalator.type`|String|Type of the Escalator that should be used for internal Druid communications. This Escalator must use an authentication scheme that is supported by an Authenticator in `druid.auth.authenticationChain`.|"noop"|no|
|`druid.auth.authorizers`|JSON List of Strings|List of Authorizer type names |["allowAll"]|no|
|`druid.auth.unsecuredPaths`| List of Strings|List of paths for which security checks will not be performed. All requests to these paths will be allowed.|[]|no|
|`druid.auth.disableHttpOptionsAuthentication`|Boolean|If true, skip authentication checks for HTTP OPTIONS requests. Note that disabling authentication checks for OPTIONS requests will allow unauthenticated users to determine what Druid endpoints are valid, and this may leak sensitive information (for example, the `/druid/indexer/v1//task/{taskid}` endpoint on the Overlord and `/druid/coordinator/v1/datasources` endpoints on the Coordinator contain resource names), so the authentication checks should not be disabled unless truly necessary. |false|no|
Copy link
Copy Markdown
Contributor

@gianm gianm Apr 12, 2018

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

  • Should be /druid/indexer/v1/task (typo with the slashes).
  • The docs should explain when you might want to set this to true: for example, if you want to use CORS.
  • druid.auth.allowUnauthenticatedHttpOptions might be a better name.
  • I'd remove the "truly", it sounds a bit too scary.

I'd replace the parenthetical,

(for example, the /druid/indexer/v1//task/{taskid} endpoint on the Overlord and /druid/coordinator/v1/datasources endpoints on the Coordinator contain resource names)

With,

(for example, callers can attempt to enumerate valid datasources via OPTIONS requests to /druid/coordinator/v1/datasources/{dataSource}/intervals endpoints on the Coordinator)

Although is this true? Will anything be leaked? It seems strange to me that Jetty would be clairvoyant enough to know whether a dataSource embedded in the resource is valid or not, at the time it serves the OPTIONS request.

Copy link
Copy Markdown
Contributor Author

@jon-wei jon-wei Apr 13, 2018

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yeah, you're right, at the time I wrote that section I was checking to see what authenticated but unauthorized users could see (authenticated users can determine if a resource exists with non-OPTIONS requests in some cases by checking for access denied vs. resource not found), and incorrectly made that assumption for unauthenticated OPTIONS requests.

I changed the doc there to mention a more general and less serious caveat about determining valid endpoints by checking for 200 vs 404 status, which you can do with the unauthenticated OPTIONS requests.

@jon-wei jon-wei mentioned this pull request Apr 12, 2018
Merged
jon-wei added a commit that referenced this pull request Apr 12, 2018
@jon-wei
Revert "Fix HTTP OPTIONS request auth handling (#5615)" (#5637)
882b172 
This reverts commit df51a7b.
@jon-wei jon-wei mentioned this pull request Apr 13, 2018
Merged
@jihoonson jihoonson mentioned this pull request May 4, 2018
Closed
sathishsri88 pushed a commit to sathishs/druid that referenced this pull request May 8, 2018
@jon-wei
Fix HTTP OPTIONS request auth handling (apache#5615)
91a3708 
* Fix HTTP OPTIONS request auth handling

* Flip configuration boolean
sathishsri88 pushed a commit to sathishs/druid that referenced this pull request May 8, 2018
@jon-wei
Revert "Fix HTTP OPTIONS request auth handling (apache#5615)" (apache…
c3ecf46 
…#5637)

This reverts commit df51a7b.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@gianm gianm gianm left review comments

+1 more reviewer

@mkuthan mkuthan mkuthan left review comments

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

Bug Security

Projects

None yet

Milestone

0.12.1

Development

Successfully merging this pull request may close these issues.

4 participants

@jon-wei @mkuthan @fjy @gianm