Require authentication to visit API browser #18328
Merged
Previously, the API browser could be accessed without any restrictions. A user only had to provide credentials when executing API requests through the API browser, which required an authenticated user to succeed.
With this change, a user has to log in before visiting the API browser. It is sufficient to log in with any user known to Graylog. No particular permissions are required.
The username/password field has been removed from the header of the API browser because a valid user is now required. If users want to perform API requests with different credentials, they now have to log out of Graylog and log in again with a different user.
When users navigate to the API browser at /api/api-browser (or the cluster-global version) directly, without first logging into Graylog, they will be presented with a Basic Auth credentials prompt. This isn't very nice, but I didn't deem replacing this with a proper redirect to the login page worthwhile because that would entail additional changes. We should move away from our customised API browser anyway, so I didn't want to invest energy here.