security: allow users to enable password auth for 'root' #43847
Comments
|
@piyush-singh I am putting this on the docket because addressing this would simplify the product and make it easier to document / reason about it. @aaron-crl can you check the proposal? |
knz
added
A-security
C-enhancement
|
@knz please make sure that @rolandcrosby is aware of any security related feature proposals as he is responsible for this area. |
|
oh sorry I got the PMs mixed up. thanks for the reminder. |
|
Three quick questions: (1) Was there a reason we did this as certificate only access? |
|
(1) the reason is historical: this predefined rule existed before we started to support password auth (2) we already use another special account (3) the Pursuant to (3) I guess one could ask "what makes |
|
Thanks! Sounds good to me with the caveat that it would be nice to see all cluster internal functions use their own security principals to make security logging and eventing easier in the future re: (2). |
That's quite an interesting idea. FYI for all internal uses of SQL we have this already, because SQL connections have a special token called For RPC connections I guess we could consider this as an addition. Seems orthogonal though. |
|
Our recent security fix #42563 is preventing access to the HTTP endpoints in non-enterprise clusters. Specifically the (edit knz: fixing this issue would solve that regression.) |
Agreed, we should move that discussion elsewhere. It's a nice to have from a security hygiene standpoint; no other concerns. |
|
Allowing to assign the admin role to one additional user would also fix the problem described by @mattcrdb |
|
Root passwords are only one of the solutions for the regression. I have generalized the statement of the regression in the following issue: #43870 |
43892: sql: enable clearing user password r=knz a=knz Fixes #43891. Needed/useful for #43847. It is useful to clear a user's password, as this is the only way to enforce they authenticate using client certificates regardless of the HBA configuration. Prior to this patch, it was not possible to clear a user's password. This patch makes it possible. Release note (security update): Previously if a user password's had been set once, thus enabling them to use password authentication, it was not possible revert that choice and disable password authentication for them any more other than either dropping the user, or adding a specific per-user HBA rule. This has been fixed and the PostgreSQL-compatible `ALTER USER WITH PASSWORD NULL` statement can now be used to clear the user's password. Release note (sql change): CREATE USER and ALTER USER now accept the parameter `[WITH] PASSWORD NULL` to indicate the user's password should be removed, thus preventing them from using password authentication. This is compatible with PostgreSQL. Co-authored-by: Raphael 'kena' Poss <knz@thaumogen.net>
43872: cli: new command `auth-session {login,logout,list}` r=ajwerner,aaron-crl a=knz
Fixes #43870.
tldr: this adds new CLI commands to log users in and out of the
HTTP interface and produce a HTTP cookie for use in monitoring
scripts. This is suitable for use by the `root` user without an
Enterprise license.
Also the new feature is client-side only, so the client binary with
this feature can be used with a CockroachDB server/cluster running at
an older version.
**Motivation:** users who wish to use certain HTTP monitoring tools,
in particular those that retrieve privileged information like logs,
need a valid HTTP authentication token for an admin user (#42567). This token
can be constructed by accessing the HTTP endpoint `/login`, however:
- manually crafting the token using `/login` is cumbersome;
- it's not possible to use `/login` for the `root` user (#43847);
- it's not possible to create another admin user than `root` without
a valid Enterprise license (because that requires role management).
**Solution:**
```
cockroach auth-session login <username> [--expire-after=...] [--only-cookie]
cockroach auth-session logout <username>
cockroach auth-session list
```
- all three commands also support the standard SQL command-line
arguments, e.g. `--url`, `--certs-dir`, `--echo-sql` and
`--format`.
- the `--expire-after` argument customizes the expiry period. The
default is one hour.
- the `--only-cookie` arguments limits the output of the command
to just the HTTP cookie. By default, the session ID and
the authentication cookie are printed using regular table formatting.
Also see the two release notes below.
Release note (cli change): Three new CLI commands `cockroach
auth-session login`, `cockroach auth-session list` and `cockroach
auth-session logout` are now provided to facilitate the management of
web sessions. The command `auth-session login` also produces a HTTP
cookie which can be used by non-interactive HTTP-based database
management tools. It also can generate such a cookie for the `root`
user, who would not otherwise be able to do so using a web browser.
Release note (security update): The new command `cockroach
auth-session login` (reserved to administrators) is able to create
authentication tokens with an arbitrary expiration date. Operators
should be careful to monitor `system.web_sessions` and enforce
policy-mandated expirations either using SQL queries or the new
command `cockroach auth-session logout`.
Co-authored-by: Raphael 'kena' Poss <knz@thaumogen.net>
tldr; this issue proposes to enable:
rootuser;It also fixes the regression introduced by #42563, by enabling
rootauthentication on the admin UI to obtain a login cookie.Background
CockroachDB currently offers 5 separate guardrails to ensure that
rootis always able to connect even when the authentication configuration is botched:--insecure, anyone can log in without auth.host all root all certis always the first rule, meaning that clients can log in asrootif and only if they present a valid TLS client cert forroot(and because the method iscertand notcert-password, password auth is rejected forrootin any case).ALTER USER WITH PASSWORDis disallowed forroot, so root cannot have a passwordroot.UserLoginHTTP API reports an error if the user isroot.rootand a password is supplied.Meanwhile, there is a separate, unrelated (but relevant) rule:
Proposal
This issue proposes to remove rules 3-6 specifically, without changing the others.
This proposal would not change the security rules for a cluster using the default configuration: by default, root would not be able to log in using password anywhere (by default, the root account has no password so rule 6 applies) and is required to present a cert on SQL (due to rule 2).
Non-Pitfalls
A possible counter-argument to this proposal is that CockroachdB uses
rootinternally to establish SQL client connections towards itself.This is not an obstacle: in insecure clusters, the password would be ignored anyway; in secure clusters, CockroachDB's internal connections use a valid client cert.
The text was updated successfully, but these errors were encountered: