saltstack / salt

Software to automate the management and configuration of any infrastructure or application at scale. Get access to the Salt software package repository here:
https://repo.saltproject.io/
Apache License 2.0
14.11k stars 5.47k forks

[BUG] salt-api reaches maximum memory when using REST CherryPY #60955

Open phatt-ngo opened 3 years ago

phatt-ngo commented 3 years ago

Description

REST CherryPy appends the default permissions on every request, which makes the returned JSON keep growing until it reaches maximum memory.

Setup

In /srv/configs/master/api.conf

rest_cherrypy:
  port: 8000
  root_prefix: /api/
  disable_ssl: True
  socket_queue_size: 100
  thread_pool: 200
  collect_stats: True

In /srv/configs/master/auth.conf

external_auth:
  rest:
    ^url: https://rest_auth_endpoint.com
    # Test permissions
    'test@example.com':
      - centOS-*:
        - cmd.run_all
        - 'cp.get_url':
            kwargs:
              'path': 'https://example.com/.*'
    # Default permissions
    '*':
      - default-*:
        - grains.items
        - test.ping
        - test.arg
        - status.uptime
        - cmd.run_all
        - cmd.script:
            kwargs:
              'source': 'https://google.com/.*'

Steps to Reproduce the behavior

Run curl to send a request to /api

curl -X POST http://127.0.0.1:8000/api/login -H "Content-Type: application/json" -d '{"eauth":"rest","username":"test@example.com","password":"ac230fc3-cf42-4b04-a00b-de1ca906a830"}'

Returned JSON keeps appending the default permissions.

{
  "return": [
    {
      "token": "752a9004db630b48a314fc68e1fbe2c23e00c9dd",
      "expire": 1629491964.8055215,
      "start": 1629448764.8055215,
      "user": "test@example.com",
      "eauth": "rest",
      "perms": [
        {
          "centOS-*": [
            "cmd.run_all",
            {
              "cp.get_url": {
                "kwargs": {
                  "path": "https://example.com/.*"
                }
              }
            }
          ]
        },
        {
          "default-*": [
            "grains.items",
            "test.ping",
            "test.arg",
            "status.uptime",
            "cmd.run_all",
            {
              "cmd.script": {
                "kwargs": {
                  "source": "https://google.com/.*"
                }
              }
            }
          ]
        },
        {
          "default-*": [
            "grains.items",
            "test.ping",
            "test.arg",
            "status.uptime",
            "cmd.run_all",
            {
              "cmd.script": {
                "kwargs": {
                  "source": "https://google.com/.*"
                }
              }
            }
          ]
        },
        {
          "default-*": [
            "grains.items",
            "test.ping",
            "test.arg",
            "status.uptime",
            "cmd.run_all",
            {
              "cmd.script": {
                "kwargs": {
                  "source": "https://google.com/.*"
                }
              }
            }
          ]
        }
      ]
    }
  ]
}

Expected behavior

Returned JSON should contain only the user's permissions + the default permissions for subsequent requests.

{
  "return": [
    {
      "token": "752a9004db630b48a314fc68e1fbe2c23e00c9dd",
      "expire": 1629491964.8055215,
      "start": 1629448764.8055215,
      "user": "test@example.com",
      "eauth": "rest",
      "perms": [
        {
          "centOS-*": [
            "cmd.run_all",
            {
              "cp.get_url": {
                "kwargs": {
                  "path": "https://example.com/.*"
                }
              }
            }
          ]
        },
        {
          "default-*": [
            "grains.items",
            "test.ping",
            "test.arg",
            "status.uptime",
            "cmd.run_all",
            {
              "cmd.script": {
                "kwargs": {
                  "source": "https://google.com/.*"
                }
              }
            }
          ]
        }
      ]
    }
  ]
}

Versions Report

Salt Version:
          Salt: 3002.7

Dependency Versions:
          cffi: 1.14.6
      cherrypy: unknown
      dateutil: 2.7.3
     docker-py: Not Installed
         gitdb: Not Installed
     gitpython: Not Installed
        Jinja2: 2.10
       libgit2: Not Installed
      M2Crypto: Not Installed
          Mako: Not Installed
       msgpack: 0.5.6
  msgpack-pure: Not Installed
  mysql-python: Not Installed
     pycparser: 2.20
      pycrypto: 2.6.1
  pycryptodome: 3.6.1
        pygit2: Not Installed
        Python: 3.7.3 (default, Jan 22 2021, 20:04:44)
  python-gnupg: Not Installed
        PyYAML: 3.13
         PyZMQ: 17.1.2
         smmap: Not Installed
       timelib: Not Installed
       Tornado: 4.5.3
           ZMQ: 4.3.1

System Versions:
          dist: debian 10 buster
        locale: utf-8
       machine: x86_64
       release: 4.14.231-173.361.amzn2.x86_64
        system: Linux
       version: Debian GNU/Linux 10 buster
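
The growth pattern in the posted JSON (the user's own `centOS-*` entry once, then one more `default-*` entry per login) is what you get when the per-request ACL list is built by extending a list that the master's in-memory `external_auth` config still owns, rather than a fresh copy. The block below is an added example, not Salt's own code, and the function names `merge_acl_buggy`, `merge_acl_fixed`, `simulate_logins`, `config_size_after` and `count_default_repeats`, as well as the dict form of the config, are hypothetical; Salt's real merge lives in `salt.auth` / `salt.utils.minions` and may differ in detail. It models the aliasing pattern that would reproduce exactly the reported output, shows the fix (copy before extending), and gives a small check you can run over a real `/login` response to confirm whether the default matcher is being duplicated. The point for operators is that the duplicated entries live in master memory as well as in the response, so any principal who can authenticate repeatedly can grow the master's heap without bound.

```python
"""
Added example (not Salt's own code): a minimal model of the ACL-merge step
that would produce the growing `perms` list in this issue, plus a check that
flags duplicated default matchers in a /login response.

Assumptions: EAUTH_CONFIG is a hypothetical dict rendering of the auth.conf in
the report; all function names are hypothetical and not Salt's API.
"""
import copy
import json

# Constructed from the auth.conf in the report (hypothetical dict form).
EAUTH_CONFIG = {
    "^url": "https://rest_auth_endpoint.com",
    "test@example.com": [
        {"centOS-*": ["cmd.run_all",
                      {"cp.get_url": {"kwargs": {"path": "https://example.com/.*"}}}]}
    ],
    "*": [
        {"default-*": ["grains.items", "test.ping", "test.arg", "status.uptime",
                       "cmd.run_all",
                       {"cmd.script": {"kwargs": {"source": "https://google.com/.*"}}}]}
    ],
}


def merge_acl_buggy(config, username):
    """Bug pattern: start from the config-owned list and extend it in place.
    config[username] outlives the request, so every login appends another
    copy of the '*' defaults and master memory grows without bound."""
    auth_list = config.get(username, [])      # alias of the config's list, not a copy
    auth_list.extend(config.get("*", []))     # mutates config[username]
    return auth_list


def merge_acl_fixed(config, username):
    """Build a fresh per-request list; deep-copy so the nested kwargs dicts
    are not shared with the config either."""
    auth_list = copy.deepcopy(config.get(username, []))
    auth_list.extend(copy.deepcopy(config.get("*", [])))
    return auth_list


def simulate_logins(merge, logins, user="test@example.com"):
    """Run `merge` against a private copy of the config `logins` times and
    return the length of the perms list handed back on each login."""
    cfg = copy.deepcopy(EAUTH_CONFIG)
    return [len(merge(cfg, user)) for _ in range(logins)]


def config_size_after(merge, logins, user="test@example.com"):
    """Length of the config-owned list for `user` after `logins` logins:
    the master-side memory that the buggy merge leaks per request."""
    cfg = copy.deepcopy(EAUTH_CONFIG)
    for _ in range(logins):
        merge(cfg, user)
    return len(cfg[user])


def count_default_repeats(login_response, matcher="default-*"):
    """Count top-level perms entries keyed by `matcher` in a /login response.
    A value above 1 means the default ACL is being duplicated (the symptom
    reported); feed it the output of the curl command in the report."""
    perms = login_response["return"][0]["perms"]
    return sum(1 for entry in perms if isinstance(entry, dict) and matcher in entry)


# Constructed sample: a trimmed form of the JSON posted in the report.
SAMPLE_RESPONSE = json.loads("""
{"return": [{"token": "752a9004db630b48a314fc68e1fbe2c23e00c9dd",
  "eauth": "rest", "user": "test@example.com",
  "perms": [
    {"centOS-*": ["cmd.run_all"]},
    {"default-*": ["grains.items", "test.ping"]},
    {"default-*": ["grains.items", "test.ping"]},
    {"default-*": ["grains.items", "test.ping"]}
  ]}]}
""")

if __name__ == "__main__":
    print("buggy perms length per login:", simulate_logins(merge_acl_buggy, 3))
    print("buggy config list size after 3 logins:", config_size_after(merge_acl_buggy, 3))
    print("fixed perms length per login:", simulate_logins(merge_acl_fixed, 3))
    print("fixed config list size after 3 logins:", config_size_after(merge_acl_fixed, 3))
    print("default-* copies in sample response:", count_default_repeats(SAMPLE_RESPONSE))
```

With the buggy merge the per-login perms length goes 2, 3, 4 and the config-owned list grows with it; with the fix every login sees 2 entries and the config stays at 1. To check a live master, pipe the curl output from the report into `count_default_repeats` after a handful of logins: anything above 1 reproduces the issue.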

welcome[bot] commented 3 years ago

Hi there! Welcome to the Salt Community! Thank you for making your first contribution. We have a lengthy process for issues and PRs. Someone from the Core Team will follow up as soon as possible. In the meantime, here’s some information that may help as you continue your Salt journey. Please be sure to review our Code of Conduct. Also, check out some of our community resources including:

There are lots of ways to get involved in our community. Every month, there are around a dozen opportunities to meet with other contributors and the Salt Core team and collaborate in real time. The best way to keep track is by subscribing to the Salt Community Events Calendar. If you have additional questions, email us at saltproject@vmware.com. We’re glad you’ve joined our community and look forward to doing awesome things with you!