etcdmain, pkg: CN based auth for inter peer connection

This commit adds an authentication mechanism to inter peer connection (rafthttp). If the cert based peer auth is enabled and a new option `--peer-cert-allowed-cn` is passed, an etcd process denies a peer connection whose CN doesn't match.
etcd-io · Sep 29, 2017 · d1d9a74 · d1d9a74
1 parent 554298d
commit d1d9a74
Show file tree

Hide file tree

Showing 3 changed files with 27 additions and 0 deletions.
diff --git a/Documentation/op-guide/configuration.md b/Documentation/op-guide/configuration.md
@@ -251,6 +251,11 @@ The security flags help to [build a secure etcd cluster][security].
 + default: false
 + env variable: ETCD_PEER_AUTO_TLS
 
+### --peer-cert-allowed-cn
++ Allowed CommonName for inter peer authentication.
++ default: none
++ env variable: ETCD_PEER_CERT_ALLOWED_CN
+
 ## Logging flags
 
 ### --debug

diff --git a/etcdmain/config.go b/etcdmain/config.go
@@ -184,6 +184,7 @@ func newConfig() *config {
 	fs.StringVar(&cfg.PeerTLSInfo.TrustedCAFile, "peer-trusted-ca-file", "", "Path to the peer server TLS trusted CA file.")
 	fs.BoolVar(&cfg.PeerAutoTLS, "peer-auto-tls", false, "Peer TLS using generated certificates")
 	fs.StringVar(&cfg.PeerTLSInfo.CRLFile, "peer-crl-file", "", "Path to the peer certificate revocation list file.")
+	fs.StringVar(&cfg.PeerTLSInfo.AllowedCN, "peer-cert-allowed-cn", "", "Allowed CN for inter peer authentication.")
 
 	// logging
 	fs.BoolVar(&cfg.Debug, "debug", false, "Enable debug-level logging for etcd.")

diff --git a/pkg/transport/listener.go b/pkg/transport/listener.go
@@ -22,6 +22,7 @@ import (
 	"crypto/x509"
 	"crypto/x509/pkix"
 	"encoding/pem"
+	"errors"
 	"fmt"
 	"math/big"
 	"net"
@@ -76,6 +77,9 @@ type TLSInfo struct {
 	// parseFunc exists to simplify testing. Typically, parseFunc
 	// should be left nil. In that case, tls.X509KeyPair will be used.
 	parseFunc func([]byte, []byte) (tls.Certificate, error)
+
+	// AllowedCN is a CN which must be provided by a client
+	AllowedCN string
 }
 
 func (info TLSInfo) String() string {
@@ -174,6 +178,23 @@ func (info TLSInfo) baseConfig() (*tls.Config, error) {
 		MinVersion:   tls.VersionTLS12,
 		ServerName:   info.ServerName,
 	}
+
+	if info.AllowedCN != "" {
+		cfg.VerifyPeerCertificate = func(rawCerts [][]byte, verifiedChains [][]*x509.Certificate) error {
+			for _, chains := range verifiedChains {
+				for _, chain := range chains {
+					if info.AllowedCN == chain.Subject.CommonName {
+						return nil
+					} else {
+						return fmt.Errorf("CommonName authentication failed (allowed: %s, client: %s)", info.AllowedCN, chains[0].Subject.CommonName)
+					}
+
+				}
+			}
+			return errors.New("CommonName authentication failed")
+		}
+	}
+
 	// this only reloads certs when there's a client request
 	// TODO: support server-side refresh (e.g. inotify, SIGHUP), caching
 	cfg.GetCertificate = func(clientHello *tls.ClientHelloInfo) (*tls.Certificate, error) {