sonic-net / sonic-gnmi

SONiC gNMI server and gNOI repo

GNMI has no authentication enforced for telemetry container #125

Closed ScKris closed 8 months ago

ScKris commented 1 year ago

When I'm trying to use 'gnmic get' to pull the telemetry data, any password is accepted. This would be a security issue when deploying the service. Please check, thanks!

Below is the output from the server when running 'gnmic get':

gnmic   -a  x.x.x.x:8080  --insecure get  --path /openconfig-interfaces:interfaces/interface[name=Ethernet0]/state/counters --target OC-YANG --username admin
password: <any passwords>
[
  {
    "timestamp": 1687156144574200730,
    "time": "2023-06-19T02:29:04.57420073-04:00",
    "target": "OC-YANG",
    "updates": [
      {
        "Path": "openconfig-interfaces:interfaces/interface[name=Ethernet0]/state/counters",
        "values": {
          "openconfig-interfaces:interfaces/interface/state/counters": {
            "openconfig-interfaces:counters": {
              "in-broadcast-pkts": "52",
              "in-discards": "26128",
              "in-errors": "0",
              "in-multicast-pkts": "26128",
              "in-octets": "14135546",
              "in-pkts": "40611",
              "in-unicast-pkts": "14431",
              "out-broadcast-pkts": "64353",
              "out-discards": "6",
              "out-errors": "0",
              "out-multicast-pkts": "152685",
              "out-octets": "29935321",
              "out-pkts": "221167",
              "out-unicast-pkts": "4129"
            }
          }
        }
      }
    ]
  }
]

sneelam20 commented 8 months ago

This is by design. UMF comes up in an insecure mode by default. Turning on authentication is tracked by issue 185.
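
The check from the report above can be made repeatable as a deployment audit; the script below is an added example, not part of the thread or of the sonic-gnmi project. It reuses the gnmic command from the report with a random throwaway password and classifies the result. The function names, the sample outputs and the matched error strings (gRPC status code names) are assumptions made for illustration.

```shell
#!/usr/bin/env bash
# Added example: does a gNMI endpoint still answer a Get sent with a
# throwaway password? Function names are hypothetical, not from sonic-gnmi.

# classify_probe RC OUTPUT
#   open         - request succeeded and returned data despite bogus credentials
#   enforced     - server rejected the request with an authentication error
#   inconclusive - anything else (timeout, connection refused, bad path, ...)
classify_probe() {
  local rc="$1" out="$2"
  if [ "$rc" -eq 0 ] && printf '%s' "$out" | grep -q '"updates"'; then
    echo open
  elif printf '%s' "$out" | grep -Eqi 'unauthenticated|permissiondenied'; then
    echo enforced
  else
    echo inconclusive
  fi
}

# probe_gnmi_auth ADDR PATH TARGET
#   Runs the same 'gnmic get' as in the report, but with a random password
#   passed via --password so the check can run unattended.
probe_gnmi_auth() {
  local addr="$1" path="$2" target="$3" bogus out rc
  bogus="probe-$(od -An -N8 -tx1 /dev/urandom | tr -d ' \n')"
  out=$(gnmic -a "$addr" --insecure get --path "$path" --target "$target" \
        --username admin --password "$bogus" 2>&1) && rc=0 || rc=$?
  classify_probe "$rc" "$out"
}

# Constructed sample outputs (not captured from a real device).
SAMPLE_OPEN='[ { "target": "OC-YANG", "updates": [ { "Path": "openconfig-interfaces:interfaces" } ] } ]'
SAMPLE_DENIED='rpc error: code = Unauthenticated desc = (constructed sample)'

# Usage against an endpoint you manage (address is a placeholder):
#   probe_gnmi_auth x.x.x.x:8080 \
#     '/openconfig-interfaces:interfaces/interface[name=Ethernet0]/state/counters' OC-YANG
```

A result of `open` reproduces the behaviour reported in this issue; `inconclusive` means the probe could not tell and the raw gnmic output should be read by hand.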