From 93ca19557c2b1fd3d0126b0e1e0022688ce6c489 Mon Sep 17 00:00:00 2001 From: Keran Yang Date: Mon, 23 Oct 2023 13:49:27 -0400 Subject: [PATCH 01/10] can get the parameter Signed-off-by: Keran Yang --- .../namespaced-numaflow-server.yaml | 1 + server/cmd/start.go | 1 + server/routes/routes.go | 20 ++++++++++--------- 3 files changed, 13 insertions(+), 9 deletions(-) diff --git a/config/advanced-install/namespaced-numaflow-server.yaml b/config/advanced-install/namespaced-numaflow-server.yaml index 199f0525aa..ca3a043fca 100644 --- a/config/advanced-install/namespaced-numaflow-server.yaml +++ b/config/advanced-install/namespaced-numaflow-server.yaml @@ -106,6 +106,7 @@ spec: containers: - args: - server + - --disable-auth=true - --namespaced env: - name: NAMESPACE diff --git a/server/cmd/start.go b/server/cmd/start.go index 839de35fcb..3bdec2bac8 100644 --- a/server/cmd/start.go +++ b/server/cmd/start.go @@ -70,6 +70,7 @@ func (s *server) Start() { c.File("./ui/build/index.html") }) } + logger.Infow("KeranTest - Starting server", "auth-disabled", s.options.DisableAuth) routes.Routes(router, routes.SystemInfo{ManagedNamespace: s.options.ManagedNamespace, Namespaced: s.options.Namespaced, Version: numaflow.GetVersion().String()}) router.Use(UrlRewrite(router)) server := http.Server{ diff --git a/server/routes/routes.go b/server/routes/routes.go index 3f3b5dd2dc..7fc8cdf945 100644 --- a/server/routes/routes.go +++ b/server/routes/routes.go @@ -30,6 +30,8 @@ type SystemInfo struct { ManagedNamespace string `json:"managedNamespace"` Namespaced bool `json:"namespaced"` Version string `json:"version"` + DisableAuth bool `json:"disableAuth"` + DexServerAddr string `json:"dexServerAddr"` } func Routes(r *gin.Engine, sysinfo SystemInfo) { 
@@ -178,13 +180,13 @@ func getEnforcer() (*casbin.Enforcer, error) { return nil, err } rules := [][]string{ - []string{"role:jyuadmin", "jyu-dex-poc*", "pipeline", "GET"}, - []string{"role:jyuadmin", "jyu-dex-poc*", "pipeline", "POST"}, - []string{"role:jyuadmin", "jyu-dex-poc*", "pipeline", "PATCH"}, - []string{"role:jyuadmin", "jyu-dex-poc*", "pipeline", "PUT"}, - []string{"role:jyuadmin", "jyu-dex-poc*", "pipeline", "DELETE"}, - []string{"role:jyuadmin", "jyu-dex-poc*", "pipeline", "UPDATE"}, - []string{"role:jyureadonly", "jyu-dex-poc*", "pipeline", "GET"}, + {"role:jyuadmin", "jyu-dex-poc*", "pipeline", "GET"}, + {"role:jyuadmin", "jyu-dex-poc*", "pipeline", "POST"}, + {"role:jyuadmin", "jyu-dex-poc*", "pipeline", "PATCH"}, + {"role:jyuadmin", "jyu-dex-poc*", "pipeline", "PUT"}, + {"role:jyuadmin", "jyu-dex-poc*", "pipeline", "DELETE"}, + {"role:jyuadmin", "jyu-dex-poc*", "pipeline", "UPDATE"}, + {"role:jyureadonly", "jyu-dex-poc*", "pipeline", "GET"}, } areRulesAdded, err := enforcer.AddPolicies(rules) @@ -193,8 +195,8 @@ func getEnforcer() (*casbin.Enforcer, error) { } rulesGroup := [][]string{ - []string{"jyu-dex-poc:admin", "role:jyuadmin"}, - []string{"jyu-dex-poc:readonly", "role:jyureadonly"}, + {"jyu-dex-poc:admin", "role:jyuadmin"}, + {"jyu-dex-poc:readonly", "role:jyureadonly"}, } areRulesAdded, err = enforcer.AddNamedGroupingPolicies("g", rulesGroup) From fd7cf7d1b778b7907bc60c088a9e9ab8ca1ac68c Mon Sep 17 00:00:00 2001 From: Keran Yang Date: Mon, 23 Oct 2023 15:15:39 -0400 Subject: [PATCH 02/10] working Signed-off-by: Keran Yang --- .../advanced-install/namespaced-numaflow-server.yaml | 1 - server/apis/v1/handler.go | 1 + server/cmd/start.go | 7 ++++++- server/routes/routes.go | 12 ++++++++++++ 4 files changed, 19 insertions(+), 2 deletions(-) diff --git a/config/advanced-install/namespaced-numaflow-server.yaml b/config/advanced-install/namespaced-numaflow-server.yaml index ca3a043fca..199f0525aa 100644 
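Review bot: The policy table in getEnforcer is still a proof-of-concept fixture compiled into the server. Every rule is bound to the `jyu-dex-poc*` namespace pattern, and the grouping rules in the next hunk (`@@ -193,8 +195,8 @@`) to the `jyu-dex-poc:admin` / `jyu-dex-poc:readonly` groups, so as far as these hunks show no other deployment can define its own roles without a rebuild. The `UPDATE` row also looks dead: the middleware added later in this series passes `c.Request.Method` as the action, and `UPDATE` is not an HTTP method. I would load the rules from an operator-supplied policy file, and until then mark the table with `// TODO: placeholder policy from the Dex PoC; replace with configurable rules before auth is relied on`. getEnforcer starts and ends outside both hunks.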
--- a/config/advanced-install/namespaced-numaflow-server.yaml +++ b/config/advanced-install/namespaced-numaflow-server.yaml @@ -106,7 +106,6 @@ spec: containers: - args: - server - - --disable-auth=true - --namespaced env: - name: NAMESPACE diff --git a/server/apis/v1/handler.go b/server/apis/v1/handler.go index 410b86c277..43cf610154 100644 --- a/server/apis/v1/handler.go +++ b/server/apis/v1/handler.go @@ -198,6 +198,7 @@ func (h *handler) GetClusterSummary(c *gin.Context) { // CreatePipeline is used to create a given pipeline func (h *handler) CreatePipeline(c *gin.Context) { + fmt.Println("KeranTest - CreatePipeline") ns := c.Param("namespace") // dryRun is used to check if the operation is just a validation or an actual create dryRun := strings.EqualFold("true", c.DefaultQuery("dry-run", "false")) diff --git a/server/cmd/start.go b/server/cmd/start.go index 3bdec2bac8..216ddcb5b8 100644 --- a/server/cmd/start.go +++ b/server/cmd/start.go @@ -71,7 +71,12 @@ func (s *server) Start() { }) } logger.Infow("KeranTest - Starting server", "auth-disabled", s.options.DisableAuth) - routes.Routes(router, routes.SystemInfo{ManagedNamespace: s.options.ManagedNamespace, Namespaced: s.options.Namespaced, Version: numaflow.GetVersion().String()}) + routes.Routes(router, routes.SystemInfo{ + ManagedNamespace: s.options.ManagedNamespace, + Namespaced: s.options.Namespaced, + Version: numaflow.GetVersion().String(), + DisableAuth: s.options.DisableAuth, + DexServerAddr: s.options.DexServerAddr}) router.Use(UrlRewrite(router)) server := http.Server{ Addr: fmt.Sprintf(":%d", s.options.Port), diff --git a/server/routes/routes.go b/server/routes/routes.go index 7fc8cdf945..478205f22f 100644 --- a/server/routes/routes.go +++ b/server/routes/routes.go @@ -17,6 +17,7 @@ limitations under the License. package routes import ( + "fmt" "net/http" "github.com/casbin/casbin/v2" 
@@ -40,11 +41,22 @@ func Routes(r *gin.Engine, sysinfo SystemInfo) { }) r.Any("/dex/*name", v1.DexReverseProxy) + + // noAuthGroup is a group of routes that do not require AuthN/AuthZ. noAuthGroup := r.Group("/auth/v1") v1RoutesNoAuth(noAuthGroup) + + // r1Group is a group of routes that require AuthN/AuthZ. + // they share the same AuthN/AuthZ middleware. enforcer, _ := getEnforcer() r1Group := r.Group("/api/v1") r1Group.Use(func(c *gin.Context) { + fmt.Print("KeranTest - running AuthN/AuthZ middleware\n") + if sysinfo.DisableAuth { + fmt.Println("KeranTest - auth is disabled") + c.Next() + return + } userIdentityTokenStr, err := c.Cookie("user-identity-token") if err != nil { errMsg := "user is not authenticated." From fd040f54d0c0ebfdbdd728b5cf3e8f0c73fa6dfa Mon Sep 17 00:00:00 2001 From: Keran Yang Date: Mon, 23 Oct 2023 15:43:05 -0400 Subject: [PATCH 03/10] . Signed-off-by: Keran Yang --- server/routes/routes.go | 90 +++++++++++++++++++++-------------------- 1 file changed, 46 insertions(+), 44 deletions(-) diff --git a/server/routes/routes.go b/server/routes/routes.go index 478205f22f..5d0efa17d9 100644 --- a/server/routes/routes.go +++ b/server/routes/routes.go 
@@ -42,54 +42,18 @@ func Routes(r *gin.Engine, sysinfo SystemInfo) { r.Any("/dex/*name", v1.DexReverseProxy) - // noAuthGroup is a group of routes that do not require AuthN/AuthZ. + // noAuthGroup is a group of routes that do not require AuthN/AuthZ no matter whether auth is enabled. noAuthGroup := r.Group("/auth/v1") v1RoutesNoAuth(noAuthGroup) - // r1Group is a group of routes that require AuthN/AuthZ. - // they share the same AuthN/AuthZ middleware. - enforcer, _ := getEnforcer() + // r1Group is a group of routes that require AuthN/AuthZ when auth is enabled. + // they share the AuthN/AuthZ middleware. r1Group := r.Group("/api/v1") - r1Group.Use(func(c *gin.Context) { - fmt.Print("KeranTest - running AuthN/AuthZ middleware\n") - if sysinfo.DisableAuth { - fmt.Println("KeranTest - auth is disabled") - c.Next() - return - } - userIdentityTokenStr, err := c.Cookie("user-identity-token") - if err != nil { - errMsg := "user is not authenticated." - c.JSON(http.StatusUnauthorized, v1.NewNumaflowAPIResponse(&errMsg, nil)) - return - } - userIdentityToken := v1.GetUserIdentityToken(userIdentityTokenStr) - groups := userIdentityToken.IDTokenClaims.Groups - // user := c.DefaultQuery("user", "readonly") - ns := c.Param("namespace") - if ns == "" { - c.Next() - return - } - resource := "pipeline" - action := c.Request.Method - auth := false - - for _, group := range groups { - // Get the user from the group. The group is in the format "group:role". - - // Check if the user has permission using Casbin Enforcer. - if enforceRBAC(enforcer, group, ns, resource, action) { - auth = true - c.Next() - } - } - if !auth { - errMsg := "user is not authorized to execute the requested action." - c.JSON(http.StatusForbidden, v1.NewNumaflowAPIResponse(&errMsg, nil)) - c.Abort() - } - }) + enforcer, _ := getEnforcer() + if !sysinfo.DisableAuth { + // Add the AuthN/AuthZ middleware to the group. 
+ r1Group.Use(authMiddleware(enforcer)) + } v1Routes(r1Group) r1Group.GET("/sysinfo", func(c *gin.Context) { c.JSON(http.StatusOK, v1.NewNumaflowAPIResponse(nil, sysinfo)) @@ -162,6 +126,44 @@ func v1Routes(r gin.IRouter) { r.GET("/namespaces/:namespace/events", handler.GetNamespaceEvents) } +func authMiddleware(enforcer *casbin.Enforcer) gin.HandlerFunc { + return func(c *gin.Context) { + fmt.Print("KeranTest - running AuthN/AuthZ middleware\n") + userIdentityTokenStr, err := c.Cookie("user-identity-token") + if err != nil { + errMsg := "user is not authenticated." + c.JSON(http.StatusUnauthorized, v1.NewNumaflowAPIResponse(&errMsg, nil)) + return + } + userIdentityToken := v1.GetUserIdentityToken(userIdentityTokenStr) + groups := userIdentityToken.IDTokenClaims.Groups + // user := c.DefaultQuery("user", "readonly") + ns := c.Param("namespace") + if ns == "" { + c.Next() + return + } + resource := "pipeline" + action := c.Request.Method + auth := false + + for _, group := range groups { + // Get the user from the group. The group is in the format "group:role". + + // Check if the user has permission using Casbin Enforcer. + if enforceRBAC(enforcer, group, ns, resource, action) { + auth = true + c.Next() + } + } + if !auth { + errMsg := "user is not authorized to execute the requested action." + c.JSON(http.StatusForbidden, v1.NewNumaflowAPIResponse(&errMsg, nil)) + c.Abort() + } + } +} + func getEnforcer() (*casbin.Enforcer, error) { modelText := ` [request_definition] From c767751d40acda8f1fabf9e3de56d61d36b385b3 Mon Sep 17 00:00:00 2001 From: Keran Yang Date: Mon, 23 Oct 2023 15:56:57 -0400 Subject: [PATCH 04/10] clean up Signed-off-by: Keran Yang --- server/apis/v1/handler.go | 2 -- server/cmd/start.go | 14 ++++++++++---- server/routes/routes.go | 2 -- 3 files changed, 10 insertions(+), 8 deletions(-) diff --git a/server/apis/v1/handler.go b/server/apis/v1/handler.go index 43cf610154..f934a13581 100644 --- a/server/apis/v1/handler.go 
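Review bot: `enforcer, _ := getEnforcer()` discards the error from building the authorization enforcer. getEnforcer returns `nil, err` on failure, so a nil `*casbin.Enforcer` would be handed to `authMiddleware` and the problem would only surface when a request reaches the RBAC check. Failing closed at startup is safer: move the call inside the `if !sysinfo.DisableAuth` branch and write `enforcer, err := getEnforcer()` followed by `if err != nil { panic(err) }` (Start in `server/cmd/start.go` already panics on startup errors), or have Routes return the error. Moving it into the branch also avoids building an enforcer that is never used when auth is disabled. Routes begins before this hunk.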
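Review bot: The unauthenticated branch of authMiddleware writes the 401 and then returns without `c.Abort()`. gin keeps running the remaining handlers when a middleware simply returns, so a request with no `user-identity-token` cookie still reaches the API handler after the error body is written. Two further gaps in the same function need confirming: routes without a `:namespace` parameter skip the RBAC check through the `ns == ""` branch, and the groups come from the cookie via `v1.GetUserIdentityToken` with no verification visible in this hunk, which is only safe if that helper validates the token's signature and expiry. The loop also calls `c.Next()` once per matching group; deciding first and calling it once is clearer. The function is complete within this hunk, and the fence shows the rewritten branches.

```go
		if err != nil {
			errMsg := "user is not authenticated."
			// Abort so the route handler does not run after the 401 has been written.
			c.AbortWithStatusJSON(http.StatusUnauthorized, v1.NewNumaflowAPIResponse(&errMsg, nil))
			return
		}
		// … unchanged: token decoding, namespace lookup, resource and action …
		authorized := false
		for _, group := range groups {
			// One matching group is enough; stop at the first allow.
			if enforceRBAC(enforcer, group, ns, resource, action) {
				authorized = true
				break
			}
		}
		if !authorized {
			errMsg := "user is not authorized to execute the requested action."
			c.AbortWithStatusJSON(http.StatusForbidden, v1.NewNumaflowAPIResponse(&errMsg, nil))
			return
		}
		c.Next()
```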
+++ b/server/apis/v1/handler.go @@ -81,7 +81,6 @@ func NewHandler() (*handler, error) { kubeClient: kubeClient, metricsClient: metricsClient, numaflowClient: numaflowClient, - // TODO: get args like disableAuth, dexServerAddr in }, nil } @@ -198,7 +197,6 @@ func (h *handler) GetClusterSummary(c *gin.Context) { // CreatePipeline is used to create a given pipeline func (h *handler) CreatePipeline(c *gin.Context) { - fmt.Println("KeranTest - CreatePipeline") ns := c.Param("namespace") // dryRun is used to check if the operation is just a validation or an actual create dryRun := strings.EqualFold("true", c.DefaultQuery("dry-run", "false")) diff --git a/server/cmd/start.go b/server/cmd/start.go index 216ddcb5b8..16dbd18f2f 100644 --- a/server/cmd/start.go +++ b/server/cmd/start.go @@ -70,7 +70,6 @@ func (s *server) Start() { c.File("./ui/build/index.html") }) } - logger.Infow("KeranTest - Starting server", "auth-disabled", s.options.DisableAuth) routes.Routes(router, routes.SystemInfo{ ManagedNamespace: s.options.ManagedNamespace, Namespaced: s.options.Namespaced, @@ -84,7 +83,11 @@ func (s *server) Start() { } if s.options.Insecure { - logger.Infow("Starting server (TLS disabled) on "+server.Addr, "version", numaflow.GetVersion()) + logger.Infow( + "Starting server (TLS disabled) on "+server.Addr, + "version", numaflow.GetVersion(), + "disable-auth", s.options.DisableAuth, + "dex-server-addr", s.options.DexServerAddr) if err := server.ListenAndServe(); err != nil { panic(err) } @@ -94,8 +97,11 @@ func (s *server) Start() { panic(err) } server.TLSConfig = &tls.Config{Certificates: []tls.Certificate{*cert}, MinVersion: tls.VersionTLS12} - - logger.Infow("Starting server on "+server.Addr, "version", numaflow.GetVersion()) + logger.Infow( + "Starting server on "+server.Addr, + "version", numaflow.GetVersion(), + "disable-auth", s.options.DisableAuth, + "dex-server-addr", s.options.DexServerAddr) if err := server.ListenAndServeTLS("", ""); err != nil { panic(err) } 
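Review bot: Both startup messages in Start now carry `disable-auth` as just one more Info field, so a server running without authentication is easy to miss in logs and awkward to alert on. I would emit a dedicated line before the listener starts, `if s.options.DisableAuth { logger.Warnw("authentication and authorization are disabled for /api/v1") }`, and keep the field as well; this assumes `logger` is the sugared zap logger that `Infow` suggests. The same applies to the TLS branch in the following hunk (`@@ -94,8 +97,11 @@`). Start begins and ends outside these hunks.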
diff --git a/server/routes/routes.go b/server/routes/routes.go index 5d0efa17d9..b7d937bcba 100644 --- a/server/routes/routes.go +++ b/server/routes/routes.go @@ -17,7 +17,6 @@ limitations under the License. package routes import ( - "fmt" "net/http" "github.com/casbin/casbin/v2" @@ -128,7 +127,6 @@ func v1Routes(r gin.IRouter) { func authMiddleware(enforcer *casbin.Enforcer) gin.HandlerFunc { return func(c *gin.Context) { - fmt.Print("KeranTest - running AuthN/AuthZ middleware\n") userIdentityTokenStr, err := c.Cookie("user-identity-token") if err != nil { errMsg := "user is not authenticated." From 851215696e4bbea68b39d7e6a8109e847ec96131 Mon Sep 17 00:00:00 2001 From: Keran Yang Date: Mon, 23 Oct 2023 16:31:03 -0400 Subject: [PATCH 05/10] check if e2e can pass Signed-off-by: Keran Yang --- .github/workflows/ci.yaml | 3 ++- config/base/numaflow-server/numaflow-server-deployment.yaml | 2 ++ 2 files changed, 4 insertions(+), 1 deletion(-) diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml index c39d8d170f..9e1abef310 100644 --- a/.github/workflows/ci.yaml +++ b/.github/workflows/ci.yaml @@ -4,8 +4,9 @@ on: branches: - "main" - "release-*" + - "ged-rbac" pull_request: - branches: [main] + branches: [main, ged-rbac] jobs: ui: name: UI diff --git a/config/base/numaflow-server/numaflow-server-deployment.yaml b/config/base/numaflow-server/numaflow-server-deployment.yaml index 50e2703e15..4e79927d14 100644 --- a/config/base/numaflow-server/numaflow-server-deployment.yaml +++ b/config/base/numaflow-server/numaflow-server-deployment.yaml @@ -38,6 +38,8 @@ spec: image: quay.io/numaproj/numaflow:latest args: - "server" + # By default, turn off authentication and authorization. + - "--disable-auth=true" imagePullPolicy: Always volumeMounts: - mountPath: /ui/build/runtime-env.js From 6cc5c3e16bd71a29647f445a15e75c2a22edaaab Mon Sep 17 00:00:00 2001 From: Keran Yang Date: Mon, 23 Oct 2023 16:46:59 -0400 Subject: [PATCH 06/10] address comments 
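Review bot: The base Deployment now passes `--disable-auth=true`, so every install built from this manifest serves the `/api/v1` routes with no authentication or authorization, whatever default the flag has in `cmd/commands/server.go`. If that is the intended on-boarding default, the comment should say what it exposes and how to turn auth on, for example `# Auth is OFF: anyone who can reach this Service can call the API. Remove this arg and configure Dex before exposing the server.` The install documentation should repeat that warning. The namespaced manifest under `config/advanced-install` receives the same argument in patches 01 and 07 of this series.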
Signed-off-by: Keran Yang --- server/cmd/start.go | 16 ++++++++++------ server/routes/routes.go | 13 ++++++++----- 2 files changed, 18 insertions(+), 11 deletions(-) diff --git a/server/cmd/start.go b/server/cmd/start.go index 16dbd18f2f..623f9b0d48 100644 --- a/server/cmd/start.go +++ b/server/cmd/start.go @@ -70,12 +70,16 @@ func (s *server) Start() { c.File("./ui/build/index.html") }) } - routes.Routes(router, routes.SystemInfo{ - ManagedNamespace: s.options.ManagedNamespace, - Namespaced: s.options.Namespaced, - Version: numaflow.GetVersion().String(), - DisableAuth: s.options.DisableAuth, - DexServerAddr: s.options.DexServerAddr}) + routes.Routes( + router, + routes.SystemInfo{ + ManagedNamespace: s.options.ManagedNamespace, + Namespaced: s.options.Namespaced, + Version: numaflow.GetVersion().String()}, + routes.AuthInfo{ + DisableAuth: s.options.DisableAuth, + DexServerAddr: s.options.DexServerAddr, + }) router.Use(UrlRewrite(router)) server := http.Server{ Addr: fmt.Sprintf(":%d", s.options.Port), diff --git a/server/routes/routes.go b/server/routes/routes.go index b7d937bcba..319f7e8cd1 100644 --- a/server/routes/routes.go +++ b/server/routes/routes.go @@ -30,11 +30,14 @@ type SystemInfo struct { ManagedNamespace string `json:"managedNamespace"` Namespaced bool `json:"namespaced"` Version string `json:"version"` - DisableAuth bool `json:"disableAuth"` - DexServerAddr string `json:"dexServerAddr"` } -func Routes(r *gin.Engine, sysinfo SystemInfo) { +type AuthInfo struct { + DisableAuth bool `json:"disableAuth"` + DexServerAddr string `json:"dexServerAddr"` +} + +func Routes(r *gin.Engine, sysInfo SystemInfo, authInfo AuthInfo) { r.GET("/livez", func(c *gin.Context) { c.Status(http.StatusOK) }) 
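Review bot: `AuthInfo` and the new three-argument `Routes` in `server/routes/routes.go` are exported without doc comments, and the reason for the split is worth recording: `SystemInfo` is what `/sysinfo` returns to clients, so auth settings must not drift back into it. Suggested: `// AuthInfo holds the server's authentication settings. It is kept separate from SystemInfo, which /sysinfo serializes to clients.` The `json` tags on `AuthInfo` invite exactly that serialization; if the struct is never marshalled they can be dropped. `DexServerAddr` is carried here but not read in any hunk of this series, so either use it or leave a TODO. Routes' body continues outside the hunk.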
@@ -49,13 +52,13 @@ func Routes(r *gin.Engine, sysinfo SystemInfo) { // they share the AuthN/AuthZ middleware. r1Group := r.Group("/api/v1") enforcer, _ := getEnforcer() - if !sysinfo.DisableAuth { + if !authInfo.DisableAuth { // Add the AuthN/AuthZ middleware to the group. r1Group.Use(authMiddleware(enforcer)) } v1Routes(r1Group) r1Group.GET("/sysinfo", func(c *gin.Context) { - c.JSON(http.StatusOK, v1.NewNumaflowAPIResponse(nil, sysinfo)) + c.JSON(http.StatusOK, v1.NewNumaflowAPIResponse(nil, sysInfo)) }) } From 0e1dc0f8afffe1ab411293bef6323f75dc88d1ec Mon Sep 17 00:00:00 2001 From: Keran Yang Date: Mon, 23 Oct 2023 17:03:30 -0400 Subject: [PATCH 07/10] . Signed-off-by: Keran Yang --- config/advanced-install/namespaced-numaflow-server.yaml | 1 + server/auth/rbac.go | 3 ++- server/routes/routes_test.go | 8 ++++++-- 3 files changed, 9 insertions(+), 3 deletions(-) diff --git a/config/advanced-install/namespaced-numaflow-server.yaml b/config/advanced-install/namespaced-numaflow-server.yaml index 372d0314eb..552d6343ae 100644 --- a/config/advanced-install/namespaced-numaflow-server.yaml +++ b/config/advanced-install/namespaced-numaflow-server.yaml @@ -121,6 +121,7 @@ spec: containers: - args: - server + - --disable-auth=true - --namespaced env: - name: NAMESPACE diff --git a/server/auth/rbac.go b/server/auth/rbac.go index d551846384..1b20f0dc4b 100644 --- a/server/auth/rbac.go +++ b/server/auth/rbac.go @@ -18,9 +18,9 @@ package auth import ( _ "embed" - "fmt" ) +/* commented the following codes out to make linter happy. var ( //go:embed rbac-model.conf rbacModel string @@ -30,3 +30,4 @@ var ( func main() { fmt.Print(rbacModel) } +*/ diff --git a/server/routes/routes_test.go b/server/routes/routes_test.go index 683eabe381..98943b5701 100644 --- a/server/routes/routes_test.go +++ b/server/routes/routes_test.go 
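Review bot: Commenting out `rbacModel` and `main` to quiet the linter leaves `server/auth/rbac.go` as a package holding only a blank `embed` import and a block of dead code, while getEnforcer in `server/routes` keeps its own inline model text. Either delete the file until it is needed, or keep the `//go:embed rbac-model.conf` variable and have getEnforcer build the enforcer from it, so the RBAC model lives in one reviewed file. A `func main` inside `package auth` was never an entry point, so removing it loses nothing.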
@@ -36,7 +36,12 @@ func TestRoutes(t *testing.T) { ManagedNamespace: managedNamespace, Namespaced: namespaced, } - Routes(router, sysInfo) + + authInfo := AuthInfo{ + DisableAuth: false, + DexServerAddr: "test-dex-server-addr", + } + Routes(router, sysInfo, authInfo) t.Run("/404", func(t *testing.T) { w := httptest.NewRecorder() req, err := http.NewRequest(http.MethodGet, "/404", nil) @@ -52,5 +57,4 @@ func TestRoutes(t *testing.T) { router.ServeHTTP(w, req) assert.Equal(t, http.StatusOK, w.Code) }) - } From 58bb90f8cb5055f182e28f2bcd48c1014bf88447 Mon Sep 17 00:00:00 2001 From: Keran Yang Date: Mon, 23 Oct 2023 17:12:43 -0400 Subject: [PATCH 08/10] . Signed-off-by: Keran Yang --- .github/workflows/ci.yaml | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml index 9e1abef310..c39d8d170f 100644 --- a/.github/workflows/ci.yaml +++ b/.github/workflows/ci.yaml @@ -4,9 +4,8 @@ on: branches: - "main" - "release-*" - - "ged-rbac" pull_request: - branches: [main, ged-rbac] + branches: [main] jobs: ui: name: UI From 54adcc1ad5280c7477b29b01700a25c27c0804ba Mon Sep 17 00:00:00 2001 From: Keran Yang Date: Mon, 23 Oct 2023 17:51:36 -0400 Subject: [PATCH 09/10] . Signed-off-by: Keran Yang --- cmd/commands/server.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cmd/commands/server.go b/cmd/commands/server.go index 0fd43bff70..7b57089edf 100644 --- a/cmd/commands/server.go +++ b/cmd/commands/server.go 
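Review bot: TestRoutes now builds the router with `DisableAuth: false`, but the sub-tests visible here still request only `/404` and a route expected to return 200, and nothing exercises the `/api/v1` middleware, so the behaviour this series adds is untested. I would add two sub-tests. With auth enabled, a request to an `/api/v1/...` route without the `user-identity-token` cookie must return 401 and must not reach the handler. With `DisableAuth: true`, the same request must not return 401. TestRoutes starts before the hunk.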
@@ -64,7 +64,7 @@ func NewServerCommand() *cobra.Command { command.Flags().BoolVar(&namespaced, "namespaced", false, "Whether to run in namespaced scope, defaults to false.") command.Flags().StringVar(&managedNamespace, "managed-namespace", sharedutil.LookupEnvStringOr("NAMESPACE", "numaflow-system"), "The namespace that the server watches when \"--namespaced\" is \"true\".") command.Flags().StringVar(&baseHref, "base-href", "/", "Base href for Numaflow server, defaults to '/'.") - command.Flags().BoolVar(&disableAuth, "disable-auth", false, "Whether to disable authentication, defaults to false.") + command.Flags().BoolVar(&disableAuth, "disable-auth", true, "Whether to disable authentication and authorization, defaults to true for easy on-boarding.") command.Flags().StringVar(&dexServerAddr, "dex-server-addr", "http://numaflow-dex-server:5556", "The address of the Dex server.") return command } From 11e3efdc0fb655816ba6abf74aab4f31cd1aa220 Mon Sep 17 00:00:00 2001 From: Keran Yang Date: Mon, 23 Oct 2023 18:52:16 -0400 Subject: [PATCH 10/10] . Signed-off-by: Keran Yang --- cmd/commands/server.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cmd/commands/server.go b/cmd/commands/server.go index 7b57089edf..cdf29bf065 100644 --- a/cmd/commands/server.go +++ b/cmd/commands/server.go 
@@ -64,7 +64,7 @@ func NewServerCommand() *cobra.Command { command.Flags().BoolVar(&namespaced, "namespaced", false, "Whether to run in namespaced scope, defaults to false.") command.Flags().StringVar(&managedNamespace, "managed-namespace", sharedutil.LookupEnvStringOr("NAMESPACE", "numaflow-system"), "The namespace that the server watches when \"--namespaced\" is \"true\".") command.Flags().StringVar(&baseHref, "base-href", "/", "Base href for Numaflow server, defaults to '/'.") - command.Flags().BoolVar(&disableAuth, "disable-auth", true, "Whether to disable authentication and authorization, defaults to true for easy on-boarding.") + command.Flags().BoolVar(&disableAuth, "disable-auth", false, "Whether to disable authentication and authorization, defaults to false.") command.Flags().StringVar(&dexServerAddr, "dex-server-addr", "http://numaflow-dex-server:5556", "The address of the Dex server.") return command }