fix(security): Dragonfly manager job API unauthenticated access

Dragonfly Manager's Job REST API endpoints lack authentication, allowing unauthenticated attackers to create, query, modify, and delete jobs,
potentially leading to resource exhaustion, information disclosure, and service disruption.

Signed-off-by: Gaius <gaius.qi@gmail.com>

Author: gaius-qi

.github/workflows/compatibility-e2e.yml

@@ -31,12 +31,12 @@ jobs:
         include:
           - module: manager
             image: manager
-            image-tag: v2.4.1-beta.1
+            image-tag: v2.4.1-rc.0
             chart-name: manager
             skip: "Rate Limit"
           - module: scheduler
             image: scheduler
-            image-tag: v2.4.1-beta.1
+            image-tag: v2.4.1-rc.0
             chart-name: scheduler
             skip: "Rate Limit"
           - module: client
@@ -137,12 +137,17 @@ jobs:
           kind load docker-image dragonflyoss/client:latest
           kind load docker-image dragonflyoss/dfinit:latest
 
+      - name: Generate Dragonfly PAT
+        run: |
+          DRAGONFLY_PAT=$(uuidgen | tr -d '\n' | base64 | tr '+/' '-_' | tr -d '=')
+          echo "DRAGONFLY_PAT=$DRAGONFLY_PAT" >> $GITHUB_ENV
+
       - name: Setup Helm
         uses: azure/setup-helm@1a275c3b69536ee54be43f2070a358922e12c8d4 # v4.3.1
 
       - name: Setup dragonfly
         run: |
-          helm install --wait --timeout 15m --dependency-update --create-namespace --namespace dragonfly-system --set ${{ matrix.chart-name }}.image.tag=${{ matrix.image-tag }} --set ${{ matrix.chart-name }}.image.repository=dragonflyoss/${{ matrix.image }} -f ${{ env.DRAGONFLY_CHARTS_CONFIG_PATH }} dragonfly ${{ env.DRAGONFLY_CHARTS_PATH }}
+          helm install --wait --timeout 15m --dependency-update --create-namespace --namespace dragonfly-system --set ${{ matrix.chart-name }}.image.tag=${{ matrix.image-tag }} --set ${{ matrix.chart-name }}.image.repository=dragonflyoss/${{ matrix.image }} --set manager.extraEnvVars[0].name=DRAGONFLY_PAT --set manager.extraEnvVars[0].value=${{ env.DRAGONFLY_PAT }} -f ${{ env.DRAGONFLY_CHARTS_CONFIG_PATH }} dragonfly ${{ env.DRAGONFLY_CHARTS_PATH }}
           mkdir -p /tmp/artifact/dufs && chmod 777 /tmp/artifact/dufs
           kubectl apply -f ${{ env.DRAGONFLY_FILE_SERVER_PATH }}
           kubectl wait po dufs-0 --namespace dragonfly-e2e --for=condition=ready --timeout=10m

.github/workflows/e2e-rate-limit.yml

@@ -120,12 +120,17 @@ jobs:
           kind load docker-image dragonflyoss/client:latest
           kind load docker-image dragonflyoss/dfinit:latest
 
+      - name: Generate Dragonfly PAT
+        run: |
+          DRAGONFLY_PAT=$(uuidgen | tr -d '\n' | base64 | tr '+/' '-_' | tr -d '=')
+          echo "DRAGONFLY_PAT=$DRAGONFLY_PAT" >> $GITHUB_ENV
+
       - name: Setup Helm
         uses: azure/setup-helm@1a275c3b69536ee54be43f2070a358922e12c8d4 # v4.3.1
 
       - name: Setup dragonfly
         run: |
-          helm install --wait --timeout 15m --dependency-update --create-namespace --namespace dragonfly-system -f ${{ matrix.charts-config }} dragonfly ${{ env.DRAGONFLY_CHARTS_PATH }}
+          helm install --wait --timeout 15m --dependency-update --create-namespace --namespace dragonfly-system --set manager.extraEnvVars[0].name=DRAGONFLY_PAT --set manager.extraEnvVars[0].value=${{ env.DRAGONFLY_PAT }} -f ${{ matrix.charts-config }} dragonfly ${{ env.DRAGONFLY_CHARTS_PATH }}
           mkdir -p /tmp/artifact/dufs && chmod 777 /tmp/artifact/dufs
           kubectl apply -f ${{ env.DRAGONFLY_FILE_SERVER_PATH }}
           kubectl wait po dufs-0 --namespace dragonfly-e2e --for=condition=ready --timeout=10m

.github/workflows/e2e.yml

@@ -124,12 +124,17 @@ jobs:
           kind load docker-image dragonflyoss/client:latest
           kind load docker-image dragonflyoss/dfinit:latest
 
+      - name: Generate Dragonfly PAT
+        run: |
+          DRAGONFLY_PAT=$(uuidgen | tr -d '\n' | base64 | tr '+/' '-_' | tr -d '=')
+          echo "DRAGONFLY_PAT=$DRAGONFLY_PAT" >> $GITHUB_ENV
+
       - name: Setup Helm
         uses: azure/setup-helm@1a275c3b69536ee54be43f2070a358922e12c8d4 # v4.3.1
 
       - name: Setup dragonfly
         run: |
-          helm install --wait --timeout 15m --dependency-update --create-namespace --namespace dragonfly-system -f ${{ matrix.charts-config }} dragonfly ${{ env.DRAGONFLY_CHARTS_PATH }}
+          helm install --wait --timeout 15m --dependency-update --create-namespace --namespace dragonfly-system --set manager.extraEnvVars[0].name=DRAGONFLY_PAT --set manager.extraEnvVars[0].value=${{ env.DRAGONFLY_PAT }} -f ${{ matrix.charts-config }} dragonfly ${{ env.DRAGONFLY_CHARTS_PATH }}
           mkdir -p /tmp/artifact/dufs && chmod 777 /tmp/artifact/dufs
           kubectl apply -f ${{ env.DRAGONFLY_FILE_SERVER_PATH }}
           kubectl wait po dufs-0 --namespace dragonfly-e2e --for=condition=ready --timeout=10m

client

@@ -20,6 +20,8 @@ import (
 	"encoding/json"
 	"errors"
 	"fmt"
+	"os"
+	"time"
 
 	caches "github.com/go-gorm/caches/v4"
 	"github.com/redis/go-redis/v9"
@@ -38,6 +40,11 @@ const (
 	DefaultClusterName = "cluster-1"
 )
 
+const (
+	// DragonflyPATEnvName is the environment variable name for generating personal access token.
+	DragonflyPATEnvName = "DRAGONFLY_PAT"
+)
+
 type Database struct {
 	DB  *gorm.DB
 	RDB redis.UniversalClient
@@ -230,5 +237,19 @@ func seed(db *gorm.DB) error {
 		}
 	}
 
+	// If DRAGONFLY_PAT is set, create a default personal access token for user ID 1(root user).
+	if pat := os.Getenv(DragonflyPATEnvName); pat != "" {
+		if err := db.Model(models.PersonalAccessToken{}).Create(&models.PersonalAccessToken{
+			Name:      "default",
+			Token:     pat,
+			Scopes:    types.DefaultPersonalAccessTokenScopes,
+			State:     models.PersonalAccessTokenStateActive,
+			ExpiredAt: time.Now().AddDate(10, 0, 0),
+			UserID:    1,
+		}).Error; err != nil {
+			return err
+		}
+	}
+
 	return nil
 }

deploy/helm-charts

@@ -201,9 +201,8 @@ func Init(cfg *config.Config, logDir string, service service.Service, database *
 	config.GET(":id", h.GetConfig)
 	config.GET("", h.GetConfigs)
 
-	// TODO Add auth to the following routes and fix the tests.
 	// Job.
-	job := apiv1.Group("/jobs")
+	job := apiv1.Group("/jobs", jwt.MiddlewareFunc(), rbac)
 	job.POST("", middlewares.CreateJobRateLimiter(limiter), h.CreateJob)
 	job.DELETE(":id", h.DestroyJob)
 	job.PATCH(":id", h.UpdateJob)

manager/database/database.go

@@ -18,12 +18,10 @@ package service
 
 import (
 	"context"
-	"encoding/base64"
-
-	"github.com/google/uuid"
 
 	"d7y.io/dragonfly/v2/manager/models"
 	"d7y.io/dragonfly/v2/manager/types"
+	"d7y.io/dragonfly/v2/pkg/auth"
 )
 
 func (s *service) CreatePersonalAccessToken(ctx context.Context, json types.CreatePersonalAccessTokenRequest) (*models.PersonalAccessToken, error) {
@@ -34,7 +32,7 @@ func (s *service) CreatePersonalAccessToken(ctx context.Context, json types.Crea
 	personalAccessToken := models.PersonalAccessToken{
 		Name:      json.Name,
 		BIO:       json.BIO,
-		Token:     s.generatePersonalAccessToken(),
+		Token:     auth.GeneratePersonalAccessToken(),
 		Scopes:    json.Scopes,
 		State:     models.PersonalAccessTokenStateActive,
 		ExpiredAt: json.ExpiredAt,
@@ -101,7 +99,3 @@ func (s *service) GetPersonalAccessTokens(ctx context.Context, q types.GetPerson
 
 	return personalAccessToken, count, nil
 }
-
-func (s *service) generatePersonalAccessToken() string {
-	return base64.RawURLEncoding.EncodeToString([]byte(uuid.NewString()))
-}

manager/router/router.go

@@ -0,0 +1,28 @@
+/*
+ *     Copyright 2026 The Dragonfly Authors
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package auth
+
+import (
+	"encoding/base64"
+
+	"github.com/google/uuid"
+)
+
+// GeneratePersonalAccessToken generates a new personal access token.
+func GeneratePersonalAccessToken() string {
+	return base64.RawURLEncoding.EncodeToString([]byte(uuid.NewString()))
+}

manager/service/personal_access_token.go

@@ -85,7 +85,6 @@ var _ = AfterSuite(func() {
 	if err := util.GetFileServer().Purge(); err != nil {
 		fmt.Printf("failed to purge the e2e file server: %v\n", err)
 	}
-
 })
 
 var _ = BeforeSuite(func() {
@@ -97,6 +96,7 @@ var _ = BeforeSuite(func() {
 	Expect(err).NotTo(HaveOccurred())
 	gitCommit := strings.Fields(string(rawGitCommit))[0]
 	fmt.Printf("git commit: %s\n", gitCommit)
+
 	// Wait for peers to start and announce to scheduler.
 	time.Sleep(5 * time.Minute)
 })