Tidb: Users can access data via HTTP API without any authentication

Created on 15 Mar 2020 · 3 Comments · Source: pingcap/tidb

According to the tidb-ctl documentation https://github.com/pingcap/tidb-ctl/blob/master/doc/tidb-ctl.md, users can access data via the tidb-server HTTP API without authentication. This is a security vulnerability.

If users expose the TiDB HTTP API unintentionally, or even internally, non-authorized users can access TiDB data without needing TiDB's username and password.

CockroachDB had the same issue, but it was fixed in newer versions: https://www.cockroachlabs.com/docs/advisories/a42567.html

We might need to fix this too.

security
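The quickest way to tell whether a deployment is affected by the exposure described above is to ask the status port for data with no credentials at all. The following audit helper is an added example, not code from this issue or from the TiDB project: it GETs the metadata endpoints that tidb-ctl drives over the status port (`/status` and `/schema`, default port 10080, both taken here as assumptions from the tidb-ctl documentation linked above) and reports which of them answered 200 with JSON. The "TiDB" it talks to is a constructed in-process stand-in that mimics an unprotected tidb-server, so the script runs offline; point `probe_status_api` at a real `http://host:10080` to audit a cluster.

```python
"""Audit helper: does a TiDB status port answer HTTP API requests without any credentials?"""
import json
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# Endpoints tidb-ctl drives over the status port (assumed default port 10080):
# /status reveals version and connection metadata, /schema lists every database.
PROBE_PATHS = ("/status", "/schema")


def probe_status_api(base_url, paths=PROBE_PATHS, timeout=3.0):
    """GET each path with no credentials; return {path: (http_status, body_or_None)}.

    A closed port, refused connection, timeout or a TLS handshake failure (the case
    after client-certificate enforcement is switched on) is recorded as (None, None).
    """
    results = {}
    for path in paths:
        url = base_url.rstrip("/") + path
        req = urllib.request.Request(url, headers={"Accept": "application/json"})
        try:
            with urllib.request.urlopen(req, timeout=timeout) as resp:
                results[path] = (resp.status, resp.read().decode("utf-8", "replace"))
        except urllib.error.HTTPError as exc:      # server answered, but not 2xx
            results[path] = (exc.code, None)
        except (urllib.error.URLError, OSError):   # no usable answer at all
            results[path] = (None, None)
    return results


def exposed_paths(results):
    """Paths that returned 200 with a parseable JSON body: data readable with no auth."""
    exposed = []
    for path, (code, body) in results.items():
        if code != 200 or body is None:
            continue
        try:
            json.loads(body)
        except ValueError:
            continue                               # an HTML login page is not an exposure
        exposed.append(path)
    return exposed


# ---- constructed stand-in for an unprotected tidb-server status port (not real TiDB) ----
FAKE_RESPONSES = {
    "/status": {"connections": 0, "version": "5.7.25-TiDB-v4.0.0", "git_hash": "0000000"},
    "/schema": [{"id": 1, "db_name": {"O": "test", "L": "test"}, "state": 5}],
}


class FakeTiDBStatusHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        payload = FAKE_RESPONSES.get(self.path)
        if payload is None:
            self.send_response(404)
            self.end_headers()
            return
        body = json.dumps(payload).encode()
        self.send_response(200)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):                  # keep the demo quiet
        pass


def start_fake_server():
    """Bind the stand-in on a free loopback port and serve it from a daemon thread."""
    srv = HTTPServer(("127.0.0.1", 0), FakeTiDBStatusHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, "http://127.0.0.1:%d" % srv.server_address[1]


def audit_demo():
    """Run the probe against the stand-in and return the endpoints it exposed."""
    srv, base_url = start_fake_server()
    try:
        return exposed_paths(probe_status_api(base_url))
    finally:
        srv.shutdown()
        srv.server_close()


if __name__ == "__main__":
    print("readable without credentials:", audit_demo())
```

Against an unprotected server both paths come back as exposed; after the TLS client-certificate change discussed in the comments below, a plain-HTTP probe should land in the `(None, None)` branch instead, which is the result an operator wants to see from every host that is not a trusted cluster component.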

All 3 comments

@tennix after https://github.com/pingcap/tidb/pull/15137, HTTP API users (including tidb-ctl) must provide a cert/key and access HTTPS after using cluster-allow-cn

@tennix @lysu you forgot to close this issue after merge :)

Thanks @frank-dspeed :smile:, I discussed this more with @tennix offline. After #15137 we can solve part of the problem when the user enables HTTPS, but we may need more improvement to keep users safe who didn't enable HTTPS, or do more fine-grained control in the HTTP API later.
