-
Notifications
You must be signed in to change notification settings - Fork 3.8k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
security: allow users to enable password auth for 'root' #43847
Comments
@piyush-singh I am putting this on the docket because addressing this would simplify the product and make it easier to document / reason about it. @aaron-crl can you check the proposal? |
@knz please make sure that @rolandcrosby is aware of any security related feature proposals as he is responsible for this area. |
oh sorry I got the PMs mixed up. thanks for the reminder. |
Three quick questions: (1) Was there a reason we did this as certificate only access? |
(1) the reason is historical: this predefined rule existed before we started to support password auth (2) we already use another special account (3) the Pursuant to (3) I guess one could ask "what makes |
Thanks! Sounds good to me with the caveat that it would be nice to see all cluster internal functions use their own security principals to make security logging and eventing easier in the future re: (2). |
That's quite an interesting idea. FYI for all internal uses of SQL we have this already, because SQL connections have a special token called For RPC connections I guess we could consider this as an addition. Seems orthogonal though. |
Our recent security fix #42563 is preventing access to the HTTP endpoints in non-enterprise clusters. Specifically the (edit knz: fixing this issue would solve that regression.) |
Agreed, we should move that discussion elsewhere. It's a nice to have from a security hygiene standpoint; no other concerns. |
Allowing to assign the admin role to one additional user would also fix the problem described by @mattcrdb |
Root passwords are only one of the solutions for the regression. I have generalized the statement of the regression in the following issue: #43870 |
43892: sql: enable clearing user password r=knz a=knz Fixes #43891. Needed/useful for #43847. It is useful to clear a user's password, as this is the only way to enforce they authenticate using client certificates regardless of the HBA configuration. Prior to this patch, it was not possible to clear a user's password. This patch makes it possible. Release note (security update): Previously if a user password's had been set once, thus enabling them to use password authentication, it was not possible revert that choice and disable password authentication for them any more other than either dropping the user, or adding a specific per-user HBA rule. This has been fixed and the PostgreSQL-compatible `ALTER USER WITH PASSWORD NULL` statement can now be used to clear the user's password. Release note (sql change): CREATE USER and ALTER USER now accept the parameter `[WITH] PASSWORD NULL` to indicate the user's password should be removed, thus preventing them from using password authentication. This is compatible with PostgreSQL. Co-authored-by: Raphael 'kena' Poss <knz@thaumogen.net>
43872: cli: new command `auth-session {login,logout,list}` r=ajwerner,aaron-crl a=knz Fixes #43870. tldr: this adds new CLI commands to log users in and out of the HTTP interface and produce a HTTP cookie for use in monitoring scripts. This is suitable for use by the `root` user without an Enterprise license. Also the new feature is client-side only, so the client binary with this feature can be used with a CockroachDB server/cluster running at an older version. **Motivation:** users who wish to use certain HTTP monitoring tools, in particular those that retrieve privileged information like logs, need a valid HTTP authentication token for an admin user (#42567). This token can be constructed by accessing the HTTP endpoint `/login`, however: - manually crafting the token using `/login` is cumbersome; - it's not possible to use `/login` for the `root` user (#43847); - it's not possible to create another admin user than `root` without a valid Enterprise license (because that requires role management). **Solution:** ``` cockroach auth-session login <username> [--expire-after=...] [--only-cookie] cockroach auth-session logout <username> cockroach auth-session list ``` - all three commands also support the standard SQL command-line arguments, e.g. `--url`, `--certs-dir`, `--echo-sql` and `--format`. - the `--expire-after` argument customizes the expiry period. The default is one hour. - the `--only-cookie` arguments limits the output of the command to just the HTTP cookie. By default, the session ID and the authentication cookie are printed using regular table formatting. Also see the two release notes below. Release note (cli change): Three new CLI commands `cockroach auth-session login`, `cockroach auth-session list` and `cockroach auth-session logout` are now provided to facilitate the management of web sessions. The command `auth-session login` also produces a HTTP cookie which can be used by non-interactive HTTP-based database management tools. It also can generate such a cookie for the `root` user, who would not otherwise be able to do so using a web browser. Release note (security update): The new command `cockroach auth-session login` (reserved to administrators) is able to create authentication tokens with an arbitrary expiration date. Operators should be careful to monitor `system.web_sessions` and enforce policy-mandated expirations either using SQL queries or the new command `cockroach auth-session logout`. Co-authored-by: Raphael 'kena' Poss <knz@thaumogen.net>
tldr; this issue proposes to enable:
root
user;It also fixes the regression introduced by #42563, by enabling
root
authentication on the admin UI to obtain a login cookie.Background
CockroachDB currently offers 5 separate guardrails to ensure that
root
is always able to connect even when the authentication configuration is botched:--insecure
, anyone can log in without auth.host all root all cert
is always the first rule, meaning that clients can log in asroot
if and only if they present a valid TLS client cert forroot
(and because the method iscert
and notcert-password
, password auth is rejected forroot
in any case).ALTER USER WITH PASSWORD
is disallowed forroot
, so root cannot have a passwordroot
.UserLogin
HTTP API reports an error if the user isroot
.root
and a password is supplied.Meanwhile, there is a separate, unrelated (but relevant) rule:
Proposal
This issue proposes to remove rules 3-6 specifically, without changing the others.
This proposal would not change the security rules for a cluster using the default configuration: by default, root would not be able to log in using password anywhere (by default, the root account has no password so rule 6 applies) and is required to present a cert on SQL (due to rule 2).
Non-Pitfalls
A possible counter-argument to this proposal is that CockroachdB uses
root
internally to establish SQL client connections towards itself.This is not an obstacle: in insecure clusters, the password would be ignored anyway; in secure clusters, CockroachDB's internal connections use a valid client cert.
The text was updated successfully, but these errors were encountered: