// Copyright 2020 The Cockroach Authors.
//
// Use of this software is governed by the Business Source License
// included in the file licenses/BSL.txt.
//
// As of the Change Date specified in that file, in accordance with
// the Business Source License, use of this software will be governed
// by the Apache License, Version 2.0, included in the file
// licenses/APL.txt.
package rpc
import (
"context"
"github.com/cockroachdb/cockroach/pkg/roachpb"
"github.com/cockroachdb/cockroach/pkg/security"
"github.com/cockroachdb/cockroach/pkg/util/grpcutil"
"google.golang.org/grpc"
"google.golang.org/grpc/codes"
"google.golang.org/grpc/credentials"
"google.golang.org/grpc/peer"
"google.golang.org/grpc/status"
)
// errTLSInfoMissing is the rejection used for any non-local request whose
// peer did not arrive over a TLS connection carrying at least one client
// certificate. It is a gRPC status with code Unauthenticated.
var errTLSInfoMissing = status.Error(codes.Unauthenticated, "TLSInfo is not available in request context")
// authError wraps msg in a gRPC status carrying codes.Unauthenticated, the
// code every rejection produced by this file uses.
func authError(msg string) error {
	st := status.New(codes.Unauthenticated, msg)
	return st.Err()
}
// authErrorf is the formatting variant of authError: the message is built
// from format and a, and the resulting status carries codes.Unauthenticated.
func authErrorf(format string, a ...interface{}) error {
	st := status.Newf(codes.Unauthenticated, format, a...)
	return st.Err()
}
// kvAuth is the standard auth policy used for RPCs sent to an RPC server. It
// validates that client TLS certificate provided by the incoming connection
// contains a sufficiently privileged user.
//
// How a peer is judged depends on the role of this server: when
// tenant.tenantID is the system tenant the server is treated as a KV node,
// otherwise as a SQL tenant server (see authenticate).
type kvAuth struct {
	// tenant decides, for requests that arrive from a SQL tenant server,
	// whether that tenant may call a given method with a given request
	// (tenant.authorize). Its tenantID field also identifies the role of
	// this server.
	tenant tenantAuthorizer
}
// kvAuth implements the auth interface.

// AuthUnary returns the unary interceptor enforcing the kvAuth policy.
func (a kvAuth) AuthUnary() grpc.UnaryServerInterceptor {
	return a.unaryInterceptor
}
// AuthStream returns the streaming interceptor enforcing the kvAuth policy.
func (a kvAuth) AuthStream() grpc.StreamServerInterceptor {
	return a.streamInterceptor
}
// unaryInterceptor is the unary half of the kvAuth policy. Every RPC except
// the two Add/Join bootstrap methods must first pass authenticate; a request
// that resolves to a SQL tenant is additionally tagged with that tenant in
// its context and run through the tenant authorizer before the handler sees
// it. Rejections are returned as-is (Unauthenticated statuses from
// authenticate, whatever tenant.authorize returns) and the handler is never
// invoked.
func (a kvAuth) unaryInterceptor(
	ctx context.Context, req interface{}, info *grpc.UnaryServerInfo, handler grpc.UnaryHandler,
) (interface{}, error) {
	switch info.FullMethod {
	case "/cockroach.server.serverpb.Admin/RequestCA",
		"/cockroach.server.serverpb.Admin/RequestCertBundle":
		// The Add/Join protocol lets a joining node fetch the inter-node CA
		// public key and the certificate bundle before it holds any
		// credentials, so these two methods are served without calling
		// authenticate: no peer certificate is examined here. The match is
		// on the exact full method name.
		// RFC: https://github.com/cockroachdb/cockroach/pull/51991
		return handler(ctx, req)
	}

	tenID, err := a.authenticate(ctx)
	if err != nil {
		return nil, err
	}
	if tenID == (roachpb.TenantID{}) {
		// The zero tenant ID means the peer was accepted without being
		// scoped to a tenant, so no tenant authorization applies.
		return handler(ctx, req)
	}

	ctx = contextWithTenant(ctx, tenID)
	if err := a.tenant.authorize(tenID, info.FullMethod, req); err != nil {
		return nil, err
	}
	return handler(ctx, req)
}
// streamInterceptor is the streaming half of the kvAuth policy. The peer is
// authenticated once when the stream opens; if it resolves to a SQL tenant,
// the stream handed to the handler is wrapped so that every message received
// from the client is passed to the tenant authorizer before the handler can
// act on it. Unlike unaryInterceptor there is no unauthenticated allowlist on
// this path.
func (a kvAuth) streamInterceptor(
	srv interface{}, ss grpc.ServerStream, info *grpc.StreamServerInfo, handler grpc.StreamHandler,
) error {
	ctx := ss.Context()
	tenID, err := a.authenticate(ctx)
	if err != nil {
		return err
	}
	if tenID == (roachpb.TenantID{}) {
		// Not scoped to a tenant: no per-message authorization is needed and
		// the stream is passed through untouched.
		return handler(srv, ss)
	}

	inner := ss
	tenantCtx := contextWithTenant(ctx, tenID)
	// A message has to be read from the underlying stream before it can be
	// authorized, since the authorizer inspects the request payload; an
	// authorization failure surfaces to the handler as a RecvMsg error.
	authorizedRecv := func(m interface{}) error {
		if err := inner.RecvMsg(m); err != nil {
			return err
		}
		return a.tenant.authorize(tenID, info.FullMethod, m)
	}
	return handler(srv, &wrappedServerStream{
		ServerStream: inner,
		ctx:          tenantCtx,
		recv:         authorizedRecv,
	})
}
// authenticate inspects the peer's TLS client certificate and decides whether
// the connection may issue RPCs to this server at all.
//
// It returns the zero roachpb.TenantID for a peer accepted without tenant
// scoping (an in-process caller, a KV node or root certificate holder talking
// to a KV node, or a tenant certificate holder talking to a SQL tenant
// server), or the tenant ID parsed from the certificate's CommonName when a
// SQL tenant server connects to a KV node. Every rejection is a gRPC status
// with codes.Unauthenticated, except for whatever
// security.GetCertificateUsers itself returns.
func (a kvAuth) authenticate(ctx context.Context) (roachpb.TenantID, error) {
	var noTenant roachpb.TenantID

	// In-process requests carry no TLS state and are trusted outright.
	//
	// TODO(tbg): I don't understand when this is hit. Internal requests are routed
	// directly to a `*Node` and should never pass through this code path.
	if grpcutil.IsLocalRequestContext(ctx) {
		return noTenant, nil
	}

	// Everything else must arrive over a TLS connection on which the peer
	// presented at least one certificate; anything short of that is rejected
	// before the certificate contents are looked at.
	pr, ok := peer.FromContext(ctx)
	if !ok {
		return noTenant, errTLSInfoMissing
	}
	tlsInfo, isTLS := pr.AuthInfo.(credentials.TLSInfo)
	if !isTLS || len(tlsInfo.State.PeerCertificates) == 0 {
		return noTenant, errTLSInfoMissing
	}

	certUsers, err := security.GetCertificateUsers(&tlsInfo.State)
	if err != nil {
		return noTenant, err
	}

	// The first element of PeerCertificates is the leaf certificate; only
	// its subject identifies the peer here.
	subject := tlsInfo.State.PeerCertificates[0].Subject
	peerIsTenantServer := security.Contains(subject.OrganizationalUnit, security.TenantsOU)

	switch {
	case a.tenant.tenantID != roachpb.SystemTenantID:
		// This node is a SQL tenant server: only peers holding a certificate
		// in the tenants OU may talk to it.
		//
		// NOTE(review): this only establishes that the peer holds *a*
		// tenant certificate; the tenant ID in its CommonName is not
		// compared against a.tenant.tenantID, so a certificate issued for a
		// different tenant is accepted on this path. Confirm that is the
		// intended trust boundary.
		if !peerIsTenantServer {
			return noTenant, authErrorf("user %s is not allowed to perform this RPC", certUsers)
		}
		return noTenant, nil

	case peerIsTenantServer:
		// This node is a KV node and the peer is a SQL tenant server. The
		// tenant identity is taken from the certificate's CommonName and
		// returned so the caller can scope authorization to that tenant.
		return tenantFromCommonName(subject.CommonName)

	default:
		// This node is a KV node and the peer is another KV node (or a
		// holder of a root certificate).
		//
		// TODO(benesch): the vast majority of RPCs should be limited to just
		// NodeUser. This is not a security concern, as RootUser has access to
		// read and write all data, merely good hygiene. For example, there is
		// no reason to permit the root user to send raw Raft RPCs.
		isNode := security.Contains(certUsers, security.NodeUser)
		isRoot := security.Contains(certUsers, security.RootUser)
		if !isNode && !isRoot {
			return noTenant, authErrorf("user %s is not allowed to perform this RPC", certUsers)
		}
		return noTenant, nil
	}
}