auth: disable CommonName auth for gRPC-gateway
Signed-off-by: Sam Batschelet <sbatsche@redhat.com>
parent
9c6b407e7d
commit
bf9d0d8291
@ -1166,6 +1166,27 @@ func (as *authStore) AuthInfoFromTLS(ctx context.Context) (ai *AuthInfo) {
|
|||||||
Username: chains[0].Subject.CommonName,
|
Username: chains[0].Subject.CommonName,
|
||||||
Revision: as.Revision(),
|
Revision: as.Revision(),
|
||||||
}
|
}
|
||||||
|
md, ok := metadata.FromIncomingContext(ctx)
|
||||||
|
if !ok {
|
||||||
|
return nil
|
||||||
|
}
|
||||||
|
|
||||||
|
// gRPC-gateway proxy request to etcd server includes Grpcgateway-Accept
|
||||||
|
// header. The proxy uses etcd client server certificate. If the certificate
|
||||||
|
// has a CommonName we should never use this for authentication.
|
||||||
|
if gw := md["grpcgateway-accept"]; len(gw) > 0 {
|
||||||
|
if as.lg != nil {
|
||||||
|
as.lg.Warn(
|
||||||
|
"ignoring common name in gRPC-gateway proxy request",
|
||||||
|
zap.String("common-name", ai.Username),
|
||||||
|
zap.String("user-name", ai.Username),
|
||||||
|
zap.Uint64("revision", ai.Revision),
|
||||||
|
)
|
||||||
|
} else {
|
||||||
|
plog.Warningf("ignoring common name in gRPC-gateway proxy request %s", ai.Username)
|
||||||
|
}
|
||||||
|
return nil
|
||||||
|
}
|
||||||
if as.lg != nil {
|
if as.lg != nil {
|
||||||
as.lg.Debug(
|
as.lg.Debug(
|
||||||
"found command name",
|
"found command name",
|
||||||
|
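Review bot: The gateway check at `if gw := md["grpcgateway-accept"]; len(gw) > 0` keys off a metadata entry that, judging by its name, is forwarded from the HTTP request's Accept header rather than attached unconditionally by the proxy, so its absence does not prove the call bypassed the gateway. If that is the case, a proxied request lacking that header would still fall through to CommonName authentication with the proxy's client certificate; consider a marker the gateway always sets, or a gateway client certificate without a CommonName, and at minimum record the assumption with a comment such as `// assumes every gateway-proxied request carries grpcgateway-accept; confirm for requests without an Accept header`. Separately, the Warn call logs `ai.Username` under both `common-name` and `user-name`; one field is enough. AuthInfoFromTLS begins before and continues after this hunk, so the surrounding certificate-chain handling is not visible here.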