feat(admin): Implement admin_nopass flag (#1193)

Signed-off-by: darkonion <pawkapl89@gmail.com>

CONTRIBUTORS.md

@@ -5,6 +5,7 @@
   * Helm Chart
 * **[Meng Chen](https://github.com/matchyc)**
 * **[Yuxuan Chen](https://github.com/YuxuanChen98)**
+* **[Pawel Kaplinski](https://github.com/pawelKapl)**
 * **[Redha Lhimeur](https://github.com/redhal)**
 * **[Braydn Moore](https://github.com/braydnm)**
 * **[Logan Raarup](https://github.com/logandk)**

README.md

@@ -110,6 +110,7 @@ There are also some Dragonfly-specific arguments:
  * `primary_port_http_enabled`: Allows accessing HTTP console on main TCP port if `true` (`default: true`).
  * `admin_port`: To enable admin access to the console on the assigned port (`default: disabled`). Supports both HTTP and RESP protocols.
  * `admin_bind`: To bind the admin console TCP connection to a given address (`default: any`). Supports both HTTP and RESP protocols.
+ * `admin_nopass`: To enable open admin access to console on the assigned port, without auth token needed (`default: false`). Supports both HTTP and RESP protocols.
  * `cluster_mode`: Cluster mode supported (`default: ""`). Currently supports only `emulated`.
  * `cluster_announce_ip`: The IP that cluster commands announce to the client.
 

README.zh-CN.md

@@ -119,6 +119,8 @@ Dragonfly 支持 Redis 的常见参数。
 
 * `admin_bind`：如果设置，将管理控制台 TCP 连接绑定到给定地址。支持 HTTP 和 RESP 协议。默认为any。
 
+* `admin_nopass`: 将管理控制台 TCP 连接绑定到给定地址。同时支持 HTTP 和 RESP 协议。
+
 * `cluster_mode`：支持集群模式。目前仅支持 `emulated`。默认为空`""`。
 
 * `cluster_announce_ip`：集群模式下向客户端公开的 IP。

src/facade/dragonfly_connection.cc

@@ -424,17 +424,19 @@ uint32_t Connection::GetClientId() const {
   return id_;
 }
 
+bool Connection::IsAdmin() const {
+  auto* lsb = static_cast<LinuxSocketBase*>(socket_.get());
+  uint16_t admin_port = absl::GetFlag(FLAGS_admin_port);
+  return lsb->LocalEndpoint().port() == admin_port;
+}
+
 io::Result<bool> Connection::CheckForHttpProto(FiberSocketBase* peer) {
-  bool enabled = absl::GetFlag(FLAGS_primary_port_http_enabled);
-  if (!enabled) {
-    uint16_t admin_port = absl::GetFlag(FLAGS_admin_port);
-    // check if this connection is from the admin port, if so, override primary_port_http_enabled
-    LinuxSocketBase* lsb = static_cast<LinuxSocketBase*>(socket_.get());
-    enabled = lsb->LocalEndpoint().port() == admin_port;
-  }
-  if (!enabled) {
+  bool primary_port_enabled = absl::GetFlag(FLAGS_primary_port_http_enabled);
+  bool admin = IsAdmin();
+  if (!primary_port_enabled && !admin) {
     return false;
   }
+
   size_t last_len = 0;
   do {
     auto buf = io_buf_.AppendBuffer();

src/facade/dragonfly_connection.h

@@ -155,6 +155,7 @@ class Connection : public util::Connection {
   std::string RemoteEndpointAddress() const;
   std::string LocalBindAddress() const;
   uint32_t GetClientId() const;
+  bool IsAdmin() const;
 
   Protocol protocol() const {
     return protocol_;

src/server/main_service.cc

@@ -59,6 +59,10 @@ ABSL_FLAG(bool, multi_exec_squash, true,
 
 ABSL_FLAG(uint32_t, multi_eval_squash_buffer, 4_KB, "Max buffer for squashed commands per script");
 
+ABSL_FLAG(bool, admin_nopass, false,
+          "If set, would enable open admin access to console on the assigned port, without auth "
+          "token needed.");
+
 namespace dfly {
 
 #if __GLIBC__ == 2 && __GLIBC_MINOR__ < 30
@@ -931,10 +935,19 @@ void Service::DispatchMC(const MemcacheParser::Command& cmd, std::string_view va
   dfly_cntx->conn_state.memcache_flag = 0;
 }
 
+bool RequireAdminAuth() {
+  return !GetFlag(FLAGS_admin_nopass);
+}
+
 facade::ConnectionContext* Service::CreateContext(util::FiberSocketBase* peer,
                                                   facade::Connection* owner) {
   ConnectionContext* res = new ConnectionContext{peer, owner};
-  res->req_auth = !GetPassword().empty();
+
+  if (owner->IsAdmin() && !RequireAdminAuth()) {
+    res->req_auth = false;
+  } else {
+    res->req_auth = !GetPassword().empty();
+  }
 
   // a bit of a hack. I set up breaker callback here for the owner.
   // Should work though it's confusing to have it here.