pingcap / tidb

TiDB is an open-source, cloud-native, distributed, MySQL-Compatible database for elastic scale and real-time analytics. Try AI-powered Chat2Query free at : https://www.pingcap.com/tidb-serverless/
https://pingcap.com
Apache License 2.0

Introduce access control for http restful API #48336

Open zhangjinpeng87 opened 8 months ago

zhangjinpeng87 commented 8 months ago

Bug Report

Please answer these questions before submitting your issue. Thanks!

1. Minimal reproduce step (Required)

Using an API such as "curl http://{TiDBIP}:10080/db-table/{tableID}" or "curl http://{TiDBIP}:10080/mvcc/key/{db}/{table}/{handle}" can work around the access control system of TiDB and grab a table's data.

2. What did you expect to see? (Required)

Grabbing table information via the API needs an authentication process to prevent malicious API calls.

3. What did you see instead (Required)

Using an API such as "curl http://{TiDBIP}:10080/db-table/{tableID}" or "curl http://{TiDBIP}:10080/mvcc/key/{db}/{table}/{handle}" can work around the access control system of TiDB and grab a table's data.

4. What is your TiDB version? (Required)

All versions.

breezewish commented 8 months ago

How about assigning an mTLS certificate in the config?
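An added example, not part of this issue thread and not TiDB's own code: a small probe that requests the two endpoint shapes named in the report on the status port with no credentials at all and classifies each answer. The verdict names, the probe's placeholder table ID, database, table and handle values, and the 3-second timeout are this example's own assumptions; a real check would substitute identifiers from the deployment being tested, and it should only be pointed at a TiDB instance you operate.

```python
"""Probe a TiDB status port for endpoints that answer without authentication.

Added example for issue #48336; not code from the issue or from TiDB.
"""
import json
import socket
import urllib.error
import urllib.request

STATUS_PORT = 10080  # TiDB status port, as used in the report's URLs

# Endpoint shapes quoted in the report. The {…} fields are filled with
# placeholder values below; real probes use IDs from the target cluster.
ENDPOINTS = (
    "/db-table/{table_id}",
    "/mvcc/key/{db}/{table}/{handle}",
)


def classify(status, body):
    """Verdict for one unauthenticated response (heuristic names chosen here).

    401/403 means the server challenged us; 200 with a JSON body is exactly
    the finding the report describes: data served with no credentials.
    """
    if status in (401, 403):
        return "auth-required"
    if status == 200:
        try:
            json.loads(body)
            return "data-served-without-auth"
        except ValueError:
            return "served-without-auth"
    # Reachable, no auth challenge, but no data either (e.g. unknown table ID).
    return "reachable-no-auth-challenge"


def fetch(url, timeout=3.0):
    """GET url with no credentials; returns (status, body) or (None, reason)."""
    req = urllib.request.Request(url, headers={"User-Agent": "tidb-status-probe"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        # Non-2xx answers still carry a status code and body worth classifying.
        return err.code, err.read().decode("utf-8", "replace")
    except (urllib.error.URLError, socket.timeout, OSError) as err:
        return None, str(err)


def probe(host, port=STATUS_PORT, table_id=1, db="test", table="t", handle=1):
    """Probe each endpoint shape from the report; returns {path: verdict}.

    The default IDs are placeholders (assumption of this example).
    """
    params = dict(table_id=table_id, db=db, table=table, handle=handle)
    results = {}
    for template in ENDPOINTS:
        path = template.format(**params)
        status, body = fetch(f"http://{host}:{port}{path}")
        results[path] = "unreachable" if status is None else classify(status, body)
    return results


if __name__ == "__main__":
    import sys

    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    for path, verdict in probe(target).items():
        print(f"{path}: {verdict}")
```

Any "data-served-without-auth" verdict from a host that untrusted networks can reach is the exposure the report describes; "reachable-no-auth-challenge" still means the status port is open to anonymous callers, just that the placeholder identifiers did not match a table.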