Anonymous Auth disabled, but still allowing unauthenticated requests (k8s weaviate deployment)

I have weaviate on a k8s Kubernetes deployment, with anonymous Auth disabled.
I have verified by looking at the weaviate pods config as below.
However, it is still allowing the connection, when I send a request with no auth specified. Pasted screenshot of the unauthenticated request for the connection to weaviate. This is seen when trying the connection over a portforwarded link and also from just another pod in the cluster.

Expectation is that, with below config, the unauthenticated requests should be denied the connection.

/weaviate-config # cat conf.yaml 
---
authentication:
  anonymous_access:
    enabled: false
  oidc:
    enabled: false
authorization:
  admin_list:
    enabled: false
  rbac:
    enabled: false

query_defaults:
  limit: 100

import weaviate

# Try connecting without authentication first
client = weaviate.connect_to_custom(
    http_host="localhost",
    http_port=8085,
    http_secure=False,
    grpc_host="localhost",
    grpc_port=50051,
    grpc_secure=False
)

print("Testing connection...")
print(f"Is live: {client.is_live()}")
print(f"Is ready: {client.is_ready()}")

client.close()

Hey - we don’t require authentication for is_live + is_ready. Try for example client.collections.list_all() to get an error for an unauthenticated request

1 Like

Thanks, but it seems like it is allowing even the collections list operation via an unauthenticated call. (The server is configured for anonymous_access enabled: false).

import weaviate

# Connect without authentication
client = weaviate.connect_to_custom(
    http_host="localhost",
    http_port=8085,
    http_secure=False,
    grpc_host="localhost",
    grpc_port=50051,
    grpc_secure=False,
    skip_init_checks=True
)

print("Testing basic operations...")
try:
    # Test getting meta information
    meta = client.get_meta()
    print(f"Weaviate version: {meta.get('version')}")
    
    # Test listing collections/classes
    collections = client.collections.list_all()
    print(f"Available collections: {list(collections.keys())}")
    
    print("Basic operations successful - no authentication required!")
    
except Exception as e:
    print(f"Error during operations: {e}")
    print("This might indicate authentication is required")

client.close()

python test_operations.py 
Testing basic operations...
Weaviate version: 1.32.3
Available collections: []
Basic operations successful - no authentication required!

Also, another point to note - when correct auth is used in the code above, I see this warning-

python3 test_operations.py                      
/venv/lib/python3.13/site-packages/weaviate/warnings.py:15: UserWarning: Auth001: The client is configured to use authentication, but weaviate is configured without
                    authentication. Are you sure this is correct?
  warnings.warn(
Testing basic operations...
Weaviate version: 1.32.3
Available collections: []
Basic operations successful - no authentication required!

We are using a Kubernetes setup and on the weaviate pod, I do see the secret being read correctly, when I exec into the pod and check the env variable associated with the secret.

/ # env | grep _BASIC_AUTH
CLUSTER_BASIC_AUTH_USERNAME=xxxx
CLUSTER_BASIC_AUTH_PASSWORD=yyyy
        - name: CLUSTER_BASIC_AUTH_USERNAME
          valueFrom:
            secretKeyRef:
              key: username
              name: weaviate-cluster-api-basic-auth
        - name: CLUSTER_BASIC_AUTH_PASSWORD
          valueFrom:
            secretKeyRef:
              key: password
              name: weaviate-cluster-api-basic-auth

I see per the docs Kubernetes | Weaviate Documentation - here there is support for apikey and oidc. For basic auth, should we be using the basic auth option? Is the ‘allowed_keys’ field here supposed to map to the password and the ‘users’ field to the username?

I just had a quick look at the code and the problem is the following:

  • we have anon auth enabled by default (==if all others are disabled and we cannot distinguish between explicitly disabled and not set)
  • you disable all authentication methods by setting them to false

So to make it work, you need to enable either OIDC or APIkey authentication.

Is the ‘allowed_keys’ field here supposed to map to the password and the ‘users’ field to the username ?

Yes, exactly. Note that we also have dynamic user management via APIs if you are planning to have a lot of users: Manage users | Weaviate Documentation

For basic auth, should we be using the basic auth option?
CLUSTER_BASIC_AUTH_USERNAME=xxxx
CLUSTER_BASIC_AUTH_PASSWORD=yyyy

These are for inter-node communication

1 Like
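As an added example (not code from this thread or from Weaviate itself), the rule from the answer above written as a config check: with every authentication method disabled, Weaviate falls back to anonymous access no matter what anonymous_access.enabled says, so the audit only passes once apikey or oidc is enabled. It assumes conf.yaml has already been loaded into a dict (for example with PyYAML) and that the apikey block uses the documented allowed_keys / users fields; the key and user values are placeholders.

```python
def enabled(section):
    """True when a config sub-block exists and has enabled: true."""
    return bool(section) and section.get("enabled", False) is True


def effective_anonymous_access(config):
    """Weaviate accepts unauthenticated requests when no auth method
    (apikey, oidc) is enabled, regardless of anonymous_access.enabled."""
    auth = config.get("authentication", {})
    if enabled(auth.get("anonymous_access")):
        return True
    return not (enabled(auth.get("apikey")) or enabled(auth.get("oidc")))


def audit(config):
    """Return a list of findings; empty means authentication is required."""
    findings = []
    if effective_anonymous_access(config):
        findings.append("anonymous access is effectively enabled: no auth method is enabled")
    apikey = config.get("authentication", {}).get("apikey", {})
    if enabled(apikey):
        keys = apikey.get("allowed_keys") or []
        users = apikey.get("users") or []
        if not keys:
            findings.append("apikey enabled but allowed_keys is empty")
        # users is either one identity for all keys or one identity per key
        if len(users) not in (1, len(keys)):
            findings.append("apikey users must be one user or one per allowed_key")
    return findings


# Constructed: the thread's conf.yaml as parsed (all methods disabled).
ORIGINAL_CONF = {
    "authentication": {
        "anonymous_access": {"enabled": False},
        "oidc": {"enabled": False},
    },
}

# Constructed: the same config with apikey enabled, which is what makes
# unauthenticated calls such as collections.list_all() fail.
FIXED_CONF = {
    "authentication": {
        "anonymous_access": {"enabled": False},
        "oidc": {"enabled": False},
        "apikey": {
            "enabled": True,
            "allowed_keys": ["<api-key-placeholder>"],
            "users": ["admin@example.com"],
        },
    },
}
```

Running `audit(ORIGINAL_CONF)` reports the fallback; `audit(FIXED_CONF)` returns an empty list.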