From 1f70db618b07655cf6f1098057cb711502bf9b29 Mon Sep 17 00:00:00 2001 From: 145425491 <1245294786@qq.com> Date: Mon, 8 Jul 2024 23:12:47 +0800 Subject: [PATCH 1/7] fix: warn user to update or change the default jwt value --- content/cn/docs/config/config-authentication.md | 9 +++++++++ content/en/docs/config/config-authentication.md | 9 +++++++++ 2 files changed, 18 insertions(+) diff --git a/content/cn/docs/config/config-authentication.md b/content/cn/docs/config/config-authentication.md index beb56cbc4..5835f753b 100644 --- a/content/cn/docs/config/config-authentication.md +++ b/content/cn/docs/config/config-authentication.md @@ -36,7 +36,16 @@ GET http://localhost:8080/graphs/hugegraph/schema/vertexlabels Authorization: Basic admin xxxx ``` +**警告**:在1.5.0之前版本的HugeGraph在`StandardAuthenticator`模式下存在JWT相关的安全隐患,请使用者更新版本或自行设置JWT token的secreKey。修改的具体方法可以在配置文件`rest-server.properties`中配置`auth.token_secret`信息: + +```properties +auth.token_secret=XXXX #这里为32位String +``` + + + #### StandardAuthenticator 模式 + `StandardAuthenticator`模式是通过在数据库后端存储用户信息来支持用户认证和权限控制,该实现基于数据库存储的用户的名称与密码进行认证(密码已被加密),基于用户的角色来细粒度控制用户权限。下面是具体的配置流程(重启服务生效): 在配置文件`gremlin-server.yaml`中配置`authenticator`及其`rest-server`文件路径: diff --git a/content/en/docs/config/config-authentication.md b/content/en/docs/config/config-authentication.md index 64aed02a7..d91f79b45 100644 --- a/content/en/docs/config/config-authentication.md +++ b/content/en/docs/config/config-authentication.md 
@@ -37,7 +37,16 @@ GET http://localhost:8080/graphs/hugegraph/schema/vertexlabels Authorization: Basic admin xxxx ``` +**Warning**: Versions of HugeGraph prior to 1.5.0 have a JWT-related security vulnerability in the StandardAuthenticator mode. Users are advised to update to a newer version or manually set the JWT token's secretKey. The specific method for modification can be configured in the `rest-server.properties` file by setting the `auth.token_secret` information: + +```properties +auth.token_secret=XXXX # it should be a 32-character String +``` + + + #### StandardAuthenticator Mode + The `StandardAuthenticator` mode supports user authentication and permission control by storing user information in the database backend. This implementation authenticates users based on their names and passwords (encrypted) stored in the database and controls user permissions based on their roles. Below is the specific configuration process (requires service restart): From 5f9573ebf27be040d0a352e463ce0ab4dd3d524d Mon Sep 17 00:00:00 2001 From: 145425491 <1245294786@qq.com> Date: Wed, 10 Jul 2024 12:13:01 +0800 Subject: [PATCH 2/7] fix: correct the format of warning --- .../cn/docs/config/config-authentication.md | 25 ++++++++++++------- 1 file changed, 16 insertions(+), 9 deletions(-) diff --git a/content/cn/docs/config/config-authentication.md b/content/cn/docs/config/config-authentication.md index 5835f753b..52d9c01f4 100644 --- a/content/cn/docs/config/config-authentication.md +++ b/content/cn/docs/config/config-authentication.md @@ -10,6 +10,7 @@ HugeGraph 为了方便不同用户场景下的鉴权使用,目前内置了完 以及细粒度的权限访问控制,采用基于“用户 - 用户组 - 操作 - 资源”的 4 层设计,灵活控制用户角色与权限 (支持多 GraphServer) `StandardAuthenticator` 模式的几个核心设计: + - 初始化时创建超级管理员 (`admin`) 用户,后续通过超级管理员创建其它用户,新创建的用户被分配足够权限后,可以创建或管理更多的用户 - 支持动态创建用户、用户组、资源,支持动态分配或取消权限 - 用户可以属于一个或多个用户组,每个用户组可以拥有对任意个资源的操作权限,操作类型包括:读、写、删除、执行等种类 
@@ -19,12 +20,20 @@ HugeGraph 为了方便不同用户场景下的鉴权使用,目前内置了完 ```java // 场景:某用户只有北京地区的数据读取权限 -user(name=xx) -belong-> group(name=xx) -access(read)-> target(graph=graph1, resource={label: person, city: Beijing}) +user(name=xx) -belong-> + +group(name=xx) - + +access(read)-> + +target(graph=graph1, resource= { + person, city:Beijing +}) ``` ### 配置用户认证 -HugeGraph 目前默认**未启用**用户认证功能,需通过修改配置文件来启用该功能。(Note: 如果在生产环境/外网使用, +HugeGraph 目前默认**未启用**用户认证功能,需通过修改配置文件来启用该功能。(Note: 如果在生产环境/外网使用, 请使用 **Java11** 版本 + 开启权限避免安全相关隐患) 目前已内置实现了`StandardAuthenticator`模式,该模式支持多用户认证与细粒度权限控制。此外,开发者可以自定义实现`HugeAuthenticator`接口来对接自身的权限系统。 @@ -36,14 +45,12 @@ GET http://localhost:8080/graphs/hugegraph/schema/vertexlabels Authorization: Basic admin xxxx ``` -**警告**:在1.5.0之前版本的HugeGraph在`StandardAuthenticator`模式下存在JWT相关的安全隐患,请使用者更新版本或自行设置JWT token的secreKey。修改的具体方法可以在配置文件`rest-server.properties`中配置`auth.token_secret`信息: +**警告**:在 1.5.0 之前版本的 HugeGraph 在`StandardAuthenticator`模式下存在 JWT 相关的安全隐患,请使用者更新版本或自行设置 JWT token 的 secretKey。修改的具体方法可以在配置文件`rest-server.properties`中配置`auth.token_secret`信息: ```properties -auth.token_secret=XXXX #这里为32位String +auth.token_secret=XXXX #这里为 32 位 String ``` - - #### StandardAuthenticator 模式 `StandardAuthenticator`模式是通过在数据库后端存储用户信息来支持用户认证和权限控制,该实现基于数据库存储的用户的名称与密码进行认证(密码已被加密),基于用户的角色来细粒度控制用户权限。下面是具体的配置流程(重启服务生效): @@ -68,6 +75,7 @@ auth.graph_store=hugegraph # 如果是分开部署 GraphServer 和 AuthServer,还需要指定下面的配置,地址填写 AuthServer 的 IP:RPC 端口 #auth.remote_url=127.0.0.1:8899,127.0.0.1:8898,127.0.0.1:8897 ``` + 其中,`graph_store`配置项是指使用哪一个图来存储用户信息,如果存在多个图的话,选取任意一个均可。 在配置文件`hugegraph{n}.properties`中配置`gremlin.graph`信息: 
@@ -82,13 +90,12 @@ gremlin.graph=org.apache.hugegraph.auth.HugeFactoryAuthProxy 如果需要支持更加灵活的用户系统,可自定义 authenticator 进行扩展,自定义 authenticator 实现接口`org.apache.hugegraph.auth.HugeAuthenticator`即可,然后修改配置文件中`authenticator`配置项指向该实现。 - ### 基于鉴权模式启动 在鉴权配置完成后,需在首次执行 `init-store.sh` 时命令行中输入 `admin` 密码 (非 docker 部署模式下) -如果基于 docker 镜像部署或者已经初始化 HugeGraph 并需要转换为鉴权模式,需要删除相关图数据并重新启动 HugeGraph, 若图已有业务数据,暂时**无法直接转换**鉴权模式 (hugegraph 版本 <= 1.2.0) -> 对于该功能的改进已经在最新版本发布 (Docker latest 可用),可参考 [PR 2411](https://github.com/apache/incubator-hugegraph/pull/2411), 此时可无缝切换。 +如果基于 docker 镜像部署或者已经初始化 HugeGraph 并需要转换为鉴权模式,需要删除相关图数据并重新启动 HugeGraph, 若图已有业务数据,暂时**无法直接转换**鉴权模式 (hugegraph 版本 <= 1.2.0) +> 对于该功能的改进已经在最新版本发布 (Docker latest 可用),可参考 [PR 2411](https://github.com/apache/incubator-hugegraph/pull/2411), 此时可无缝切换。 ```bash # stop the hugeGraph firstly From 6cf7a38f47c75b0a3d7a65152fc4c2eb342fc73d Mon Sep 17 00:00:00 2001 From: 145425491 <1245294786@qq.com> Date: Wed, 10 Jul 2024 12:27:59 +0800 Subject: [PATCH 3/7] fix: recorrect the format of warning --- .../cn/docs/config/config-authentication.md | 18 ++++-------------- .../en/docs/config/config-authentication.md | 3 --- 2 files changed, 4 insertions(+), 17 deletions(-) diff --git a/content/cn/docs/config/config-authentication.md b/content/cn/docs/config/config-authentication.md index 52d9c01f4..b0f053175 100644 --- a/content/cn/docs/config/config-authentication.md +++ b/content/cn/docs/config/config-authentication.md @@ -10,7 +10,6 @@ HugeGraph 为了方便不同用户场景下的鉴权使用,目前内置了完 以及细粒度的权限访问控制,采用基于“用户 - 用户组 - 操作 - 资源”的 4 层设计,灵活控制用户角色与权限 (支持多 GraphServer) `StandardAuthenticator` 模式的几个核心设计: - - 初始化时创建超级管理员 (`admin`) 用户,后续通过超级管理员创建其它用户,新创建的用户被分配足够权限后,可以创建或管理更多的用户 - 支持动态创建用户、用户组、资源,支持动态分配或取消权限 - 用户可以属于一个或多个用户组,每个用户组可以拥有对任意个资源的操作权限,操作类型包括:读、写、删除、执行等种类 
@@ -20,20 +19,12 @@ HugeGraph 为了方便不同用户场景下的鉴权使用,目前内置了完 ```java // 场景:某用户只有北京地区的数据读取权限 -user(name=xx) -belong-> - -group(name=xx) - - -access(read)-> - -target(graph=graph1, resource= { - person, city:Beijing -}) +user(name=xx) -belong-> group(name=xx) -access(read)-> target(graph=graph1, resource={label: person, city: Beijing}) ``` ### 配置用户认证 -HugeGraph 目前默认**未启用**用户认证功能,需通过修改配置文件来启用该功能。(Note: 如果在生产环境/外网使用, +HugeGraph 目前默认**未启用**用户认证功能,需通过修改配置文件来启用该功能。(Note: 如果在生产环境/外网使用, 请使用 **Java11** 版本 + 开启权限避免安全相关隐患) 目前已内置实现了`StandardAuthenticator`模式,该模式支持多用户认证与细粒度权限控制。此外,开发者可以自定义实现`HugeAuthenticator`接口来对接自身的权限系统。 @@ -52,7 +43,6 @@ auth.token_secret=XXXX #这里为 32 位 String ``` #### StandardAuthenticator 模式 - `StandardAuthenticator`模式是通过在数据库后端存储用户信息来支持用户认证和权限控制,该实现基于数据库存储的用户的名称与密码进行认证(密码已被加密),基于用户的角色来细粒度控制用户权限。下面是具体的配置流程(重启服务生效): 在配置文件`gremlin-server.yaml`中配置`authenticator`及其`rest-server`文件路径: @@ -94,8 +84,8 @@ gremlin.graph=org.apache.hugegraph.auth.HugeFactoryAuthProxy 在鉴权配置完成后,需在首次执行 `init-store.sh` 时命令行中输入 `admin` 密码 (非 docker 部署模式下) -如果基于 docker 镜像部署或者已经初始化 HugeGraph 并需要转换为鉴权模式,需要删除相关图数据并重新启动 HugeGraph, 若图已有业务数据,暂时**无法直接转换**鉴权模式 (hugegraph 版本 <= 1.2.0) -> 对于该功能的改进已经在最新版本发布 (Docker latest 可用),可参考 [PR 2411](https://github.com/apache/incubator-hugegraph/pull/2411), 此时可无缝切换。 +如果基于 docker 镜像部署或者已经初始化 HugeGraph 并需要转换为鉴权模式,需要删除相关图数据并重新启动 HugeGraph, 若图已有业务数据,暂时**无法直接转换**鉴权模式 (hugegraph 版本 <= 1.2.0) +> 对于该功能的改进已经在最新版本发布 (Docker latest 可用),可参考 [PR 2411](https://github.com/apache/incubator-hugegraph/pull/2411), 此时可无缝切换。 ```bash # stop the hugeGraph firstly diff --git a/content/en/docs/config/config-authentication.md b/content/en/docs/config/config-authentication.md index d91f79b45..b62cf924d 100644 --- a/content/en/docs/config/config-authentication.md +++ b/content/en/docs/config/config-authentication.md 
@@ -43,10 +43,7 @@ Authorization: Basic admin xxxx auth.token_secret=XXXX # it should be a 32-character String ``` - - #### StandardAuthenticator Mode - The `StandardAuthenticator` mode supports user authentication and permission control by storing user information in the database backend. This implementation authenticates users based on their names and passwords (encrypted) stored in the database and controls user permissions based on their roles. Below is the specific configuration process (requires service restart): From 375c2d450bbd542e92f063769bf1f18331c935df Mon Sep 17 00:00:00 2001 From: 145425491 <1245294786@qq.com> Date: Wed, 10 Jul 2024 21:08:54 +0800 Subject: [PATCH 4/7] fix: generate a random string using linux command --- content/cn/docs/config/config-authentication.md | 7 +++++++ content/en/docs/config/config-authentication.md | 7 +++++++ 2 files changed, 14 insertions(+) diff --git a/content/cn/docs/config/config-authentication.md b/content/cn/docs/config/config-authentication.md index b0f053175..9468c773d 100644 --- a/content/cn/docs/config/config-authentication.md +++ b/content/cn/docs/config/config-authentication.md @@ -42,6 +42,13 @@ Authorization: Basic admin xxxx auth.token_secret=XXXX #这里为 32 位 String ``` +也可以通过下面的命令实现: + +```shell +RANDOM_STRING=$(head /dev/urandom | tr -dc A-Za-z0-9 | head -c 32) +echo "auth.token_secret=${RANDOM_STRING}" >> rest-server.properties +``` + #### StandardAuthenticator 模式 `StandardAuthenticator`模式是通过在数据库后端存储用户信息来支持用户认证和权限控制,该实现基于数据库存储的用户的名称与密码进行认证(密码已被加密),基于用户的角色来细粒度控制用户权限。下面是具体的配置流程(重启服务生效): diff --git a/content/en/docs/config/config-authentication.md b/content/en/docs/config/config-authentication.md index b62cf924d..c4eac523d 100644 --- a/content/en/docs/config/config-authentication.md +++ b/content/en/docs/config/config-authentication.md 
@@ -43,6 +43,13 @@ Authorization: Basic admin xxxx auth.token_secret=XXXX # it should be a 32-character String ``` +It can also be achieved with the following command: + +```shell +RANDOM_STRING=$(head /dev/urandom | tr -dc A-Za-z0-9 | head -c 32) +echo "auth.token_secret=${RANDOM_STRING}" >> rest-server.properties +``` + #### StandardAuthenticator Mode The `StandardAuthenticator` mode supports user authentication and permission control by storing user information in the database backend. This implementation authenticates users based on their names and passwords (encrypted) stored in the database and controls user permissions based on their From c54f457f5836266b945c66debb67a1467b902777 Mon Sep 17 00:00:00 2001 From: 145425491 <1245294786@qq.com> Date: Thu, 11 Jul 2024 09:40:30 +0800 Subject: [PATCH 5/7] chore: add the format of string --- content/cn/docs/config/config-authentication.md | 2 +- content/en/docs/config/config-authentication.md | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/content/cn/docs/config/config-authentication.md b/content/cn/docs/config/config-authentication.md index 9468c773d..e50029068 100644 --- a/content/cn/docs/config/config-authentication.md +++ b/content/cn/docs/config/config-authentication.md @@ -39,7 +39,7 @@ Authorization: Basic admin xxxx **警告**:在 1.5.0 之前版本的 HugeGraph 在`StandardAuthenticator`模式下存在 JWT 相关的安全隐患,请使用者更新版本或自行设置 JWT token 的 secretKey。修改的具体方法可以在配置文件`rest-server.properties`中配置`auth.token_secret`信息: ```properties -auth.token_secret=XXXX #这里为 32 位 String +auth.token_secret=XXXX #这里为 32 位 String,由 a-z,A-Z 和 0-9 组成 ``` 也可以通过下面的命令实现: diff --git a/content/en/docs/config/config-authentication.md b/content/en/docs/config/config-authentication.md index c4eac523d..91d2158be 100644 --- a/content/en/docs/config/config-authentication.md +++ b/content/en/docs/config/config-authentication.md 
@@ -40,7 +40,7 @@ Authorization: Basic admin xxxx **Warning**: Versions of HugeGraph prior to 1.5.0 have a JWT-related security vulnerability in the StandardAuthenticator mode. Users are advised to update to a newer version or manually set the JWT token's secretKey. The specific method for modification can be configured in the `rest-server.properties` file by setting the `auth.token_secret` information: ```properties -auth.token_secret=XXXX # it should be a 32-character String +auth.token_secret=XXXX # it should be a 32-character String, consist of A-Z, a-z and 0-9 ``` It can also be achieved with the following command: From bddefb87d6c0cfed3757b792594d6beb011af7a7 Mon Sep 17 00:00:00 2001 From: imbajin Date: Thu, 11 Jul 2024 15:10:11 +0800 Subject: [PATCH 6/7] Update config-authentication.md --- content/cn/docs/config/config-authentication.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/content/cn/docs/config/config-authentication.md b/content/cn/docs/config/config-authentication.md index e50029068..ac50e2337 100644 --- a/content/cn/docs/config/config-authentication.md +++ b/content/cn/docs/config/config-authentication.md @@ -36,7 +36,9 @@ GET http://localhost:8080/graphs/hugegraph/schema/vertexlabels Authorization: Basic admin xxxx ``` -**警告**:在 1.5.0 之前版本的 HugeGraph 在`StandardAuthenticator`模式下存在 JWT 相关的安全隐患,请使用者更新版本或自行设置 JWT token 的 secretKey。修改的具体方法可以在配置文件`rest-server.properties`中配置`auth.token_secret`信息: +**警告**:在 1.5.0 之前版本的 HugeGraph-Server 在鉴权模式下存在 JWT 相关的安全隐患,请务必使用新版本或自行修改 JWT token 的 secretKey。 + +修改方式为在配置文件`rest-server.properties`中重写`auth.token_secret`信息:(1.5.0 后会默认生成随机值则无需配置) ```properties auth.token_secret=XXXX #这里为 32 位 String,由 a-z,A-Z 和 0-9 组成 From 2fe613f8e359c6f9f1cc16ca5708573f9d9fd005 Mon Sep 17 00:00:00 2001 From: imbajin Date: Thu, 11 Jul 2024 15:26:46 +0800 Subject: [PATCH 7/7] Update config-authentication.md --- content/en/docs/config/config-authentication.md | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) 
diff --git a/content/en/docs/config/config-authentication.md b/content/en/docs/config/config-authentication.md index 91d2158be..9d4c1822e 100644 --- a/content/en/docs/config/config-authentication.md +++ b/content/en/docs/config/config-authentication.md @@ -37,13 +37,14 @@ GET http://localhost:8080/graphs/hugegraph/schema/vertexlabels Authorization: Basic admin xxxx ``` -**Warning**: Versions of HugeGraph prior to 1.5.0 have a JWT-related security vulnerability in the StandardAuthenticator mode. Users are advised to update to a newer version or manually set the JWT token's secretKey. The specific method for modification can be configured in the `rest-server.properties` file by setting the `auth.token_secret` information: +**Warning**: Versions of HugeGraph-Server prior to 1.5.0 have a JWT-related security vulnerability in the Auth mode. +Users are advised to update to a newer version or manually set the JWT token's secretKey. It can be set in the `rest-server.properties` file by setting the `auth.token_secret` information: ```properties -auth.token_secret=XXXX # it should be a 32-character String, consist of A-Z, a-z and 0-9 +auth.token_secret=XXXX # should be a 32-chars string, consist of A-Z, a-z and 0-9 ``` -It can also be achieved with the following command: +You can also generate it with the following command: ```shell RANDOM_STRING=$(head /dev/urandom | tr -dc A-Za-z0-9 | head -c 32)
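Review bot: the inline comment in the `properties` snippet added by PATCH 1/7 (hunk `@@ -36,7 +36,16 @@` of content/cn/docs/config/config-authentication.md, and the matching `@@ -37,7 +37,16 @@` of the en file) becomes part of the value: in a Java `.properties` file `#` starts a comment only at the beginning of a line, so a reader who copies `auth.token_secret=XXXX #这里为32位String` verbatim sets the secret to `XXXX #这里为32位String`, not to `XXXX`. Put the comment on its own line above the key, for example
`# 32-character secret, A-Z a-z 0-9 only; replace XXXX with your own value`
`auth.token_secret=XXXX`
The same hunk also has `secreKey` for `secretKey` (corrected in PATCH 2/7, but it should be right in the patch that introduces it), and `32位String` is ambiguous between 32 bits and 32 characters; the en hunk says 32-character, so the cn text should say `32 个字符`.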
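Review bot: the reflow of the permission example in PATCH 2/7 (hunk `@@ -19,12 +20,20 @@` of the cn file) damages the example rather than formatting it: the single chain `user(name=xx) -belong-> group(name=xx) -access(read)-> target(...)` is split across blank lines, leaves a dangling `group(name=xx) -`, and `resource={label: person, city: Beijing}` loses its `label:` key, so `person` no longer says what it is. PATCH 3/7 reverts this exact hunk; squash the two so the series does not carry a broken intermediate revision, and keep the one-line form that PATCH 3/7 restores.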
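Review bot: the `-`/`+` pairs in PATCH 2/7 hunks `@@ -10,6 +10,7 @@`, the `(Note: 如果在生产环境/外网使用,` line, `@@ -68,6 +75,7 @@` and `@@ -82,13 +90,12 @@` of the cn file are blank-line or trailing-whitespace changes that PATCH 3/7 (`@@ -10,7 +10,6 @@`, `@@ -94,8 +84,8 @@`) undoes again. They are unrelated to the warning this series adds; drop them from the series, or if the whitespace fix is wanted, make it one separate commit instead of adding and then removing it.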
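Review bot: the shell snippet added by PATCH 4/7 (hunks `@@ -42,6 +42,13 @@` cn and `@@ -43,6 +43,13 @@` en) appends a second `auth.token_secret=` line with `>>` instead of replacing the existing one, and whether the appended value wins depends on the loader: `java.util.Properties` keeps the last occurrence of a duplicate key, while Apache Commons Configuration turns duplicates into a list and `getString` returns the first, in which case the new secret is silently ignored and the old default stays in force. Replace the key in place instead, e.g.
`RANDOM_STRING=$(tr -dc A-Za-z0-9 < /dev/urandom | head -c 32)`
`sed -i "s/^auth.token_secret=.*/auth.token_secret=${RANDOM_STRING}/" conf/rest-server.properties`
and give the file's path relative to the install directory, since the surrounding text names only `rest-server.properties`. `head /dev/urandom` reads ten newline-terminated chunks of random bytes, which after `tr -dc` is usually several hundred characters but not a fixed count; reading `/dev/urandom` through `tr` until `head -c 32` is satisfied is the deterministic form. Because the file now holds the token signing secret, the text should also tell the reader to restrict its permissions (for example `chmod 600`).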
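Review bot: `# it should be a 32-character String, consist of A-Z, a-z and 0-9` in PATCH 5/7 (hunk `@@ -40,7 +40,7 @@` of the en file) should read `consisting of A-Z, a-z and 0-9`, and the comment has the same `.properties` inline-comment problem noted for PATCH 1/7: on the same line as the key it is part of the value, so move it to its own line.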
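Review bot: PATCH 6/7 (hunk `@@ -36,7 +36,9 @@` of the cn file) adds `(1.5.0 后会默认生成随机值则无需配置)`, i.e. that 1.5.0 and later generate a random secret by default so no configuration is needed, and widens the scope from `StandardAuthenticator` to HugeGraph-Server 在鉴权模式下, but the en warning rewritten in PATCH 7/7 carries neither change, so the two pages now disagree on whether a 1.5.0 user still has to set `auth.token_secret`. Port both statements to the en page. The warning should also say in one clause what the problem is: the series subject is "change the default jwt value", so state that pre-1.5.0 servers ship with a fixed default signing secret and that anyone who knows it can mint tokens; `JWT 相关的安全隐患` alone does not tell the reader what is at risk or why a random 32-character secret fixes it.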
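Review bot: in PATCH 7/7 (hunk `@@ -37,13 +37,14 @@` of the en file) `# should be a 32-chars string, consist of A-Z, a-z and 0-9` is still ungrammatical; use `# a 32-character string consisting of A-Z, a-z and 0-9` on its own line above the key (see the `.properties` comment note on PATCH 1/7). `in the Auth mode` should be `in authentication mode`, matching the cn wording 鉴权模式, and `setting the `auth.token_secret` information` reads better as `setting `auth.token_secret``.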