RPC: Tolerate invalid rpcauth options #20550

pull luke-jr wants to merge 2 commits into bitcoin:master from luke-jr:soften_rpcauth2 changing 4 files +13 −9
  1. luke-jr commented at 5:51 pm on December 2, 2020: member

    By tolerating unknown extra rpcauth parameters (and ignoring the rpcauth), we can ensure a limited forward compatibility by not forcing users to downgrade their config file to switch back to older versions (perhaps temporarily).

    Same as #20548, but without the additional effort to explain the situation at runtime.

  2. in src/httprpc.cpp:262 in 017b6f82de outdated
    259@@ -260,7 +260,6 @@ static bool InitRPCAuthentication()
    260                 g_rpcauth.push_back(fields);
    261             } else {
    262                 LogPrintf("Invalid -rpcauth argument.\n");
    


    MarcoFalke commented at 6:03 pm on December 2, 2020:
    0                LogPrintf("Ignoring invalid -rpcauth argument.\n");
    
  3. MarcoFalke approved
  4. MarcoFalke commented at 6:04 pm on December 2, 2020: member
    review ACK 017b6f82de56db945eceee5f9f7ea5069ea541a9, but the release notes might need to be adjusted?
  5. promag commented at 6:13 pm on December 2, 2020: member
    Concept ACK, you have to update test/functional/rpc_users.py.
  6. QA: Allow unexpected_msgs-only assert_debug_log c0a4f02df7
  7. RPC: Tolerate invalid rpcauth options 044df97886
  8. luke-jr force-pushed on Dec 2, 2020
  9. luke-jr commented at 6:23 pm on December 2, 2020: member
    Release notes updated, debug msg changed, and tests updated.
  10. DrahtBot added the label Docs on Dec 2, 2020
  11. DrahtBot added the label RPC/REST/ZMQ on Dec 2, 2020
  12. promag commented at 10:27 pm on December 2, 2020: member
    Tested ACK 044df97886e1366ad995a03c0c4a0d62616f66a2.
  13. MarcoFalke removed the label Docs on Dec 3, 2020
  14. MarcoFalke commented at 7:39 am on December 3, 2020: member
    review ACK 044df97886e1366ad995a03c0c4a0d62616f66a2
  15. laanwj commented at 8:50 am on December 3, 2020: member
    I prefer failing here to be honest. But I guess my dislike for ignoring invalid options is well known.
  16. promag commented at 8:54 am on December 3, 2020: member

    I prefer failing here to be honest. But I guess my dislike for ignoring invalid options is well known.

    In #20461 (comment) I’ve suggested a -strict (or similar) option.

  17. laanwj commented at 9:09 am on December 3, 2020: member

    I mean, if the entire problem here is that users running older bitcoin core might run into this error when upgrading and be confused, I think the error needs to be clearer. All in all it will result in removing cruft from their configuration. Even more, they will likely also be alerted to mistakes they made. Possibly critical security mistakes. (…why would one add entries on purpose just to be ignored?)

    I’ve suggested a -strict (or similar) option.

    Not sure this kind of meta-configuration makes sense. It just adds more code paths where it’s better to make a principled decision. And I think bitcoin core should be strict and unambigious about input handling.

  18. jnewbery commented at 10:05 am on December 3, 2020: member
    I totally agree with @laanwj here. We should fail on invalid configuration.
  19. luke-jr commented at 4:05 pm on December 3, 2020: member
    This still fails, just at runtime when it makes more sense to do so (and without disrupting other usage).
  20. harding commented at 5:09 pm on December 3, 2020: contributor

    By tolerating unknown extra rpcauth parameters (and ignoring the rpcauth), we can ensure a limited forward compatibility by not forcing users to downgrade their config file to switch back to older versions (perhaps temporarily).

    For the past couple releases, hasn’t Bitcoin Core refused to start on unknown configuration settings?

    $ bitcoind -not-a-real-setting
    Error: Error parsing command line arguments: Invalid parameter -not-a-real-setting
    

    Future releases, or spinoffs, are likely to support new configuration settings that old releases will not, so any users including those settings in their configuration files will need to edit those files anyway to use an old or baseline release. Rejecting unknown parameters seems like a simple and logically consistent extension of this previous policy.

    The policy of failing on unknown settings is quite beneficial at eliminating the annoyance of figuring out that your configuration is broken and then restarting the node—which is something that can take a long time (e.g. if you have a high db cache or are using an underpowered computer) and which inexperienced users might not know how to do (or might do wrong, e.g. sending SIGKILL rather than SIGTERM, which could result in a need to reindex).

    Based on my own misadventures, wrongly configuring a node is a much more common problem than wanting to use a future/spinoff configuration file with an old/baseline node, so I think we should optimize for helping users fix misconfigurations as fast and painlessly as possible.

  21. MarcoFalke commented at 5:11 pm on December 3, 2020: member
    Closing for now due to controversy
  22. MarcoFalke closed this on Dec 3, 2020

  23. luke-jr commented at 5:15 pm on December 3, 2020: member

    For the past couple releases, hasn’t Bitcoin Core refused to start on unknown configuration settings?

    On the command line only, not in config files where they would reasonably be expected.

  24. MarcoFalke reopened this on Dec 3, 2020

  25. harding commented at 5:20 pm on December 3, 2020: contributor

    On the command line only, not in config files

    Confirmed. That seems to me like an unnecessary half measure. If it’s planned to keep it that way, there may indeed be merit in a -strict option that also validates options in the configuration file.

  26. sipa commented at 5:23 pm on December 3, 2020: member
    For the configuration files we’ve been going in the same direction, e.g. rpcport causes failure outside of network sections. That’s not quite the same as it’s blacklisting known-meaningless settings rather than whitelisting just known-meaningful ones, but in general becoming more strict in configuration files too makes sense.
  27. MarcoFalke commented at 5:27 pm on December 3, 2020: member
    Indeed, this is a bug that simply hasn’t been fixed yet. See #15021
  28. sipa commented at 5:28 pm on December 3, 2020: member
    Right, I now remember. The reason rejecting unknown config options isn’t done yet is because it would require all binaries to be aware of each other’s options so they can be ignored.
  29. luke-jr commented at 5:33 pm on December 3, 2020: member
    That would just be gratuitously breaking things for no reason…
  30. MarcoFalke deleted a comment on Dec 4, 2020
  31. DrahtBot commented at 12:46 pm on December 11, 2020: member

    The following sections might be updated with supplementary metadata relevant to reviewers and maintainers.

    Conflicts

    Reviewers, this pull request conflicts with the following ones:

    If you consider this pull request important, please also help to review the conflicting pull requests. Ideally, start with the one that should be merged first.

  32. DrahtBot added the label Needs rebase on Apr 7, 2021
  33. DrahtBot removed the label Needs rebase on May 20, 2021
  34. DrahtBot added the label Needs rebase on Jul 21, 2021
  35. DrahtBot commented at 10:01 am on July 21, 2021: member

    🐙 This pull request conflicts with the target branch and needs rebase.

    Want to unsubscribe from rebase notifications on this pull request? Just convert this pull request to a “draft”.

  36. luke-jr closed this on Dec 19, 2021

  37. DrahtBot locked this on Dec 19, 2022

github-metadata-mirror

This is a metadata mirror of the GitHub repository bitcoin/bitcoin. This site is not affiliated with GitHub. Content is generated from a GitHub metadata backup.
generated: 2024-12-19 06:12 UTC

This site is hosted by @0xB10C
More mirrored repositories can be found on mirror.b10c.me