Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[BUG] api/status route bypasses authentication by default. #945

Closed
cliu123 opened this issue Apr 13, 2022 · 3 comments
Closed

[BUG] api/status route bypasses authentication by default. #945

cliu123 opened this issue Apr 13, 2022 · 3 comments
Labels
bug Something isn't working

Comments

@cliu123
Copy link
Member

cliu123 commented Apr 13, 2022

What is the bug?
api/status route bypasses authentication by default. When security plugin is enabled, it should enforce authentication on the route.

How can one reproduce the bug?
Steps to reproduce the behavior:
Request without providing credentail has access to the route.

% curl http://localhost:5601/api/status
{"name":"osd","uuid":"2ca2173f-4264-4a52-8045-41a1019505a2","version":{"number":"2.0.0","build_hash":"920cd5e45d28784ebd6406e332d2275efecd6026","build_number":1901,"build_snapshot":false},"status":{"overall":{"since":"2022-04-12T22:42:21.996Z","state":"green","title":"Green","nickname":"Looking good","icon":"success","uiColor":"secondary"},"statuses":[{"id":"core:opensearch@2.0.0","message":"OpenSearch is available","since":"2022-04-12T22:42:21.996Z","state":"green","icon":"success","uiColor":"secondary"},{"id":"core:savedObjects@2.0.0","message":"SavedObjects service has completed migrations and is available","since":"2022-04-12T22:42:21.996Z","state":"green","icon":"success","uiColor":"secondary"},{"id":"plugin:advancedSettings@2.0.0","message":"All dependencies are available","since":"2022-04-12T22:42:21.996Z","state":"green","icon":"success","uiColor":"secondary"},{"id":"plugin:charts@2.0.0","message":"All dependencies are available","since":"2022-04-12T22:42:21.996Z","state":"green","icon":"success","uiColor":"secondary"},{"id":"plugin:bfetch@2.0.0","message":"All dependencies are available","since":"2022-04-12T22:42:21.996Z","state":"green","icon":"success","uiColor":"secondary"},{"id":"plugin:embeddable@2.0.0","message":"All dependencies are available","since":"2022-04-12T22:42:21.996Z","state":"green","icon":"success","uiColor":"secondary"},{"id":"plugin:discover@2.0.0","message":"All dependencies are available","since":"2022-04-12T22:42:21.996Z","state":"green","icon":"success","uiColor":"secondary"},{"id":"plugin:devTools@2.0.0","message":"All dependencies are available","since":"2022-04-12T22:42:21.996Z","state":"green","icon":"success","uiColor":"secondary"}

What is the expected behavior?
Request without providing credentail gets rejected.

% curl http://localhost:5601/api/status | jq .
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100    77  100    77    0     0   9625      0 --:--:-- --:--:-- --:--:--  9625
{
  "statusCode": 401,
  "error": "Unauthorized",
  "message": "Authentication required"
}

Only request with providing right credentail has access to the route.

% curl http://localhost:5601/api/status -u <user_credential> | jq .
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  9239  100  9239    0     0   225k      0 --:--:-- --:--:-- --:--:--  231k
{
  "name": "osd",
  "uuid": "649d83d0-78b1-4d33-ba92-5b5b40c8a4d7",
  "version": {
    "number": "2.0.0",
    "build_hash": "920cd5e45d28784ebd6406e332d2275efecd6026",
    "build_number": 1901,
    "build_snapshot": false
  },
  "status": {
    "overall": {
      "since": "2022-04-13T00:03:07.656Z",
      "state": "green",
      "title": "Green",
      "nickname": "Looking good",
      "icon": "success",
      "uiColor": "secondary"
    },
@cliu123 cliu123 added bug Something isn't working untriaged labels Apr 13, 2022
@cliu123 cliu123 mentioned this issue Apr 13, 2022
Merged
2 tasks
@cliu123 cliu123 removed the untriaged label Apr 13, 2022
@cliu123
Copy link
Member Author

cliu123 commented Apr 15, 2022

Issue has been resovled with #943

@cliu123 cliu123 closed this as completed Apr 15, 2022
@cliu123 cliu123 reopened this Apr 25, 2022
@cliu123
Copy link
Member Author

cliu123 commented Apr 25, 2022

Re-opening this issue because #943 has been reverted from 2.0.0-rc1 and will be postponed to 2.0.0 GA release.

@cliu123 cliu123 mentioned this issue Apr 25, 2022
Merged
2 tasks
@cliu123
Copy link
Member Author

cliu123 commented Apr 26, 2022

Issue has been close with PR#968

@cliu123 cliu123 closed this as completed Apr 26, 2022
@cliu123 cliu123 mentioned this issue May 11, 2022
Open
@prudhvigodithi prudhvigodithi mentioned this issue Jun 20, 2022
Closed
@zhyuanqi zhyuanqi mentioned this issue May 16, 2024
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug Something isn't working
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@cliu123