Basic-auth plugin in hybrid mode

Hello,

I have been trying to make the basic-auth plugin work in hybrid mode, but when I try to create consumer credentials, changes on the control plane are not propagated to the data plane. According to this post it should work for auth plugins, and for key-auth it actually works fine. Is this intended behavior or a bug in the basic-auth plugin?

I also tried to investigate more, so I set up one control plane (listening on port 8001) and one data plane (listening on port 9000) in my Docker. Here is how it works for key-auth, for the existing consumer 'test':

curl localhost:8001/clustering/status
{"c956b2d0-5d1a-4cdf-8992-0763149df8dc":{"config_hash":"68a2099d90bb1bfec1362d5920952f64","last_seen":1583159538,"ip":"172.28.5.3","hostname":"kong-data"}}

curl -X POST 'http://localhost:8001/consumers/test/key-auth' -d ''
{"created_at":1583160238,"consumer":{"id":"68c4ef68-e64c-4384-a0b8-96912d58491d"},"id":"7af52e05-118e-4ad4-940a-28993e61b1ba","tags":null,"ttl":null,"key":"grk2YYBr50X83pkUwyZQHISQGERn7hIe"}

curl localhost:8001/clustering/status
{"c956b2d0-5d1a-4cdf-8992-0763149df8dc":{"config_hash":"a0a938d314785f64b91bb3301780bd18","last_seen":1583160258,"ip":"172.28.5.3","hostname":"kong-data"}}

Note that the config hash has changed, the data plane receives the updated credentials and the new API key works.

When I try the same for basic-auth, it works as follows:

curl -X POST 'http://localhost:8001/consumers/test/basic-auth' \
    --header 'Content-Type: application/json' \
    --data-raw '{"username": "aaaa", "password": "def"}'

{"created_at":1583159636,"consumer":{"id":"68c4ef68-e64c-4384-a0b8-96912d58491d"},"id":"4337ab72-edfa-4527-8e8d-e22a81ff43c7","tags":null,"password":"cea2ed8678b20aece1b52d1efd213f7dd1f2629f","username":"aaaa"}


curl localhost:8001/clustering/status
{"c956b2d0-5d1a-4cdf-8992-0763149df8dc":{"config_hash":"a0a938d314785f64b91bb3301780bd18","last_seen":1583160258,"ip":"172.28.5.3","hostname":"kong-data"}}

The config hash is NOT changed and the credentials are not propagated to the data plane.

OK, I have found out where the issue is. In basic-auth/daos.lua, the db_export parameter is set to false. Although it is primarily used for the CLI kong config db_export, apparently this mechanism is also used in propagating changes to the data plane. By setting this parameter to true, changes in credentials are propagated to the data plane. There is still one catch though, as the data plane receives the hash of the password and, when storing it in the cache, hashes it once again (see daos.lua, transformation section).

I see two possible solutions to this:

  • store passwords in basic-auth in plain text (which is a security risk, but e.g. OAuth secrets are stored in plain text as well)
  • do not hash passwords on the data plane when getting config from the control plane (this requires a slight difference in code for the data and control planes, but on the data plane the hash is enough to check the credentials).

Anyway, it worked for me eventually so this can be marked as solved.
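A small Python model of the double-hashing failure described in the post above and of the second proposed fix (do not hash again when importing an already-hashed credential from the control plane). This is an added example, not Kong's code; the salting scheme (SHA-1 over the password followed by the consumer id) is an assumption, since the thread only shows a 40-hex-character digest.

```python
import hashlib
import hmac

# Assumption (not from the thread): credential hash = SHA-1(password || consumer_id).
def hash_password(password: str, consumer_id: str) -> str:
    return hashlib.sha1((password + consumer_id).encode()).hexdigest()


class DataPlaneStore:
    """Models the basic-auth write transformation on the data plane."""

    def __init__(self, rehash_on_import: bool):
        # rehash_on_import=True models the reported bug: the daos.lua
        # transformation hashes whatever is written, including an exported hash.
        self.rehash_on_import = rehash_on_import
        self.creds = {}  # username -> (stored_hash, consumer_id)

    def import_from_control_plane(self, username, exported_hash, consumer_id):
        if self.rehash_on_import:
            stored = hash_password(exported_hash, consumer_id)  # hash of a hash
        else:
            stored = exported_hash  # fix: value is already hashed, keep as-is
        self.creds[username] = (stored, consumer_id)

    def verify(self, username, password) -> bool:
        entry = self.creds.get(username)
        if entry is None:
            return False
        stored, consumer_id = entry
        return hmac.compare_digest(stored, hash_password(password, consumer_id))


def control_plane_export(username, password, consumer_id):
    # With db_export=true the control plane ships the stored (hashed) credential,
    # never the plaintext password.
    return {"username": username, "consumer_id": consumer_id,
            "password": hash_password(password, consumer_id)}


def simulate(rehash_on_import: bool, attempt: str) -> bool:
    """Create credential on the CP, sync it to the DP, then authenticate."""
    cid = "68c4ef68-e64c-4384-a0b8-96912d58491d"  # consumer id shown in the thread
    exported = control_plane_export("aaaa", "def", cid)
    dp = DataPlaneStore(rehash_on_import)
    dp.import_from_control_plane(exported["username"], exported["password"],
                                 exported["consumer_id"])
    return dp.verify("aaaa", attempt)


if __name__ == "__main__":
    print("buggy data plane accepts correct password:", simulate(True, "def"))
    print("fixed data plane accepts correct password:", simulate(False, "def"))
```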

This is a bug. Can you please open a new bug at https://github.com/kong/kong/issues

Thank you for confirming this. Raised as https://github.com/Kong/kong/issues/5649