sql,security, ccl: Match certificate DN against SUBJECT role option #119958
Merged
Conversation
souravcrl force-pushed the subject-role-option-match branch from 0c1831c to 2da7a46 (March 5, 2024 20:47)
souravcrl changed the title from "sql, security: use values from the SUBJECT role option to match again…" to "sql, security: use values from the SUBJECT role option to match against a client certificate for a user" (Mar 5, 2024)
souravcrl changed the title from "sql, security: use values from the SUBJECT role option to match against a client certificate for a user" to "(WIP) sql, security: use values from the SUBJECT role option to match against a client certificate for a user" (Mar 6, 2024)
souravcrl force-pushed the subject-role-option-match branch 2 times, most recently from 082b9e9 to 121aea7 (March 6, 2024 06:54)
souravcrl force-pushed the subject-role-option-match branch 2 times, most recently from c5f71aa to 5f41e6f (March 10, 2024 19:58)
souravcrl added a commit to souravcrl/cockroach that referenced this pull request (Mar 11, 2024):
Release note: None
Epic: None
Release justification: We will need the encoding/asn1 library to support marshalling/unmarshalling of DER-encoded values used in the crypto/x509 library for the raw subject and subject fields. This is needed for cockroachdb#119958
souravcrl added a commit to souravcrl/cockroach that referenced this pull request (Mar 11, 2024), with the same commit message as the previous entry.
craig bot pushed a commit that referenced this pull request (Mar 11, 2024):
120189: testutils: add asn1 to allowed Marshal functions list r=bdarnell a=souravcrl
Release note: None
Epic: None
Release justification: We will need the encoding/asn1 library to support marshalling/unmarshalling of DER-encoded values used in the crypto/x509 library for the raw subject and subject fields. This is needed for #119958
Co-authored-by: Sourav Sarangi <[email protected]>
souravcrl changed the title from "(WIP) sql, security: use values from the SUBJECT role option to match against a client certificate for a user" to "sql, security: use values from the SUBJECT role option to match against a client certificate for a user" (Mar 11, 2024)
souravcrl force-pushed the subject-role-option-match branch from 5f41e6f to d9b757f (March 11, 2024 09:02)
souravcrl added a commit to souravcrl/cockroach that referenced this pull request (Mar 28, 2024):
Previous in sequence: cockroachdb#119958
informs cockroachdb#110616, cockroachdb#118750
fixes CRDB-35884
Epic CRDB-34126
We will be adding 2 new cli flags `root-cert-distinguished-name` and `node-cert-distinguished-name` to provide an option to set the subject DN for the root and node users during server startup. This will enforce that the certificate provided by the client exactly matches the value set by the above flags, both for sql client and RPC authentication. This is needed because the subject role option cannot be set for the root and node users. After this, the plan is to add a cluster setting `server.client_cert.subject_required` which will mandate that any auth which happens should verify certSubject with rootSubject in case of the root user, with nodeSubject in case of the node user, and with roleSubject otherwise.
Release note: None
souravcrl added a commit to souravcrl/cockroach that referenced this pull request (Mar 28, 2024), with the same commit message as the previous entry.
souravcrl added a commit to souravcrl/cockroach that referenced this pull request (Apr 2, 2024):
Previous in sequence: cockroachdb#119958
informs cockroachdb#110616, cockroachdb#118750
fixes CRDB-35884
Epic CRDB-34126
We will be adding 2 new cli flags `root-cert-distinguished-name` and `node-cert-distinguished-name` to provide an option to set the subject DN for the root and node users during server startup. This will enforce that the certificate provided by the client exactly matches the value set by the above flags, both for sql client and RPC authentication. This is needed because the subject role option cannot be set for the root and node users. After this, the plan is to add a cluster setting `server.client_cert.subject_required` which will mandate that any auth which happens should verify certSubject with rootSubject in case of the root user, with nodeSubject in case of the node user, and with roleSubject otherwise.
Release note: None
souravcrl added a commit to souravcrl/cockroach that referenced this pull request (Apr 4, 2024), with the same commit message as the previous entry.
souravcrl added a commit to souravcrl/cockroach that referenced this pull request (Apr 8, 2024), with the same commit message as the previous entry.
souravcrl added a commit to souravcrl/cockroach that referenced this pull request (Apr 8, 2024), with the same commit message as the previous entry.
craig bot pushed a commit that referenced this pull request (Apr 9, 2024):
120786: rpc,security, cli: Add cert-distinguished-name root/node cli flag r=rafiss a=souravcrl
Previous in sequence: #119958
informs #110616
fixes #118750
fixes CRDB-35884
Epic CRDB-34126
We will be adding 2 new cli flags `root-cert-distinguished-name` and `node-cert-distinguished-name` to provide an option to set the subject DN for the root and node users during server startup. This will enforce that the certificate provided by the client exactly matches the value set by the above flags, both for sql client and RPC authentication. This is needed because the subject role option cannot be set for the root and node users. After this, the plan is to add a cluster setting `server.client_cert.subject_required` which will mandate that any auth which happens should verify certSubject with rootSubject in case of the root user, with nodeSubject in case of the node user, and with roleSubject otherwise.
Release note: None
Co-authored-by: Sourav Sarangi <[email protected]>
blathers-crl bot pushed a commit that referenced this pull request (Apr 9, 2024):
Previous in sequence: #119958
informs #110616, #118750
fixes CRDB-35884
Epic CRDB-34126
We will be adding 2 new cli flags `root-cert-distinguished-name` and `node-cert-distinguished-name` to provide an option to set the subject DN for the root and node users during server startup. This will enforce that the certificate provided by the client exactly matches the value set by the above flags, both for sql client and RPC authentication. This is needed because the subject role option cannot be set for the root and node users. After this, the plan is to add a cluster setting `server.client_cert.subject_required` which will mandate that any auth which happens should verify certSubject with rootSubject in case of the root user, with nodeSubject in case of the node user, and with roleSubject otherwise.
Release note: None
informs #110616
fixes CRDB-35940
Epic CRDB-34126
We use values from the SUBJECT role option to match against a client certificate for a user. The client certificate in the X.509 standard contains a subject which represents an X.509 DN. We use the RFC 2253 parsed string from this representation as an LDAP DN subject in the client `CertificateUserScope` object while evaluating the certificate for auth. Thus, in `UserAuthCertHook` we will be evaluating both the cert scope userName to match the db user and the cert scope subject to match the set subject role option.
Release note: None
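As an added example (not code from this PR or from CockroachDB), the core of the match described above in Go: the client certificate's subject is rendered as its RFC 2253 string via `pkix.Name.String` and compared, RDN by RDN, against the DN stored in the SUBJECT role option. The subject, the role-option DNs and the function names are constructed for illustration; how the cert scope userName is derived from the certificate is not shown.

```go
package main

import (
	"crypto/x509/pkix"
	"fmt"
	"strings"
)

// canonicalRDNs splits an RFC 2253 DN on unescaped commas (an escaped comma in
// a value, "O=Example\, Inc.", stays in the value), drops the space after each
// comma and upper-cases the type, so "cn=alice, o=X" equals "CN=alice,O=X".
func canonicalRDNs(dn string) []string {
	var rdns []string
	var cur strings.Builder
	escaped := false
	flush := func() {
		typ, val, _ := strings.Cut(strings.TrimLeft(cur.String(), " "), "=")
		rdns = append(rdns, strings.ToUpper(typ)+"="+val)
		cur.Reset()
	}
	for _, r := range dn {
		if !escaped && r == ',' {
			flush()
			continue
		}
		cur.WriteRune(r)
		escaped = !escaped && r == '\\'
	}
	flush()
	return rdns
}

// SubjectMatchesRole compares the subject's RFC 2253 string (pkix.Name.String)
// RDN by RDN, in order, with the SUBJECT role option DN: a DN is a sequence, so
// a reordered, extra or missing RDN is a mismatch, as is any value difference.
func SubjectMatchesRole(certSubject pkix.Name, roleSubject string) bool {
	return strings.Join(canonicalRDNs(certSubject.String()), ",") ==
		strings.Join(canonicalRDNs(roleSubject), ",")
}

func main() {
	// Constructed subject standing in for a parsed x509.Certificate.Subject.
	subj := pkix.Name{CommonName: "alice", OrganizationalUnit: []string{"Engineering"},
		Organization: []string{"Example Corp"}, Country: []string{"US"}}
	for _, role := range []string{
		"cn=alice, OU=Engineering, O=Example Corp, C=US", // same DN, spaced form: accepted
		"CN=alice,O=Example Corp,C=US",                    // OU missing: rejected
	} {
		fmt.Printf("%-48s match=%v\n", role, SubjectMatchesRole(subj, role))
	}
}
```

Values are compared byte for byte after type normalisation, so a role option written with different escaping or attribute order than the certificate's RFC 2253 rendering is rejected rather than silently accepted.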