Patroni REST API Authentication #1075
Comments
|
@epandurski - yes, this is a security risk, as it allows any third party to perform operations that can change cluster state. I'm working on raising a PR to use environment variables, but there is an intermediate workaround - set the SPILO_CONFIGURATION environment variable to This configuration will be merged with the spilo-generated patroni config on startup. It will not apply to read-only (safe) endpoints, but should protect unsafe POST requests. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Hi,
I understand that the Patroni REST API is exposed on each
spilopod, at port 8008. Doesn't this pose a major security risk? It seem to me that every program running on the Kubernetes cluster could issue aPATCH /conifgrequest to this API, and mess up each database cluster. Is it possible to configure basic HTTP authentication for the Patroni REST API endpoints (as described here) ? If yes, how can I do this; and if not, isn't this a big security problem?The text was updated successfully, but these errors were encountered: