Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Apply authZ for nomad Raft RPC layer #11089

Merged
merged 3 commits into from
Oct 5, 2021
Merged

Apply authZ for nomad Raft RPC layer #11089

merged 3 commits into from
Oct 5, 2021

Conversation

notnoop
Copy link
Contributor

@notnoop notnoop commented Aug 26, 2021

When mTLS is enabled, only nomad servers of the region should access the Raft RPC layer. Clients and servers in other regions should only use the Nomad RPC endpoints.

Co-authored-by: Michael Schurter [email protected]
Co-authored-by: Seth Hoenig [email protected]

Fixes #11084

@schmichael @shoenig
Apply authZ for nomad Raft RPC layer
39627df 
When mTLS is enabled, only nomad servers of the region should access the
Raft RPC layer. Clients and servers in other regions should only use the
Nomad RPC endpoints.

Co-authored-by: Michael Schurter <[email protected]>
Co-authored-by: Seth Hoenig <[email protected]>
@notnoop notnoop requested a review from schmichael August 26, 2021 19:11
@notnoop notnoop self-assigned this Aug 26, 2021
picatz
picatz reviewed Aug 26, 2021
View reviewed changes
.changelog/11084.txt Outdated Show resolved Hide resolved
@vercel vercel bot temporarily deployed to Preview – nomad August 27, 2021 14:42 Inactive
@picatz
link to cve listing in changelog
e6f022c 
Co-authored-by: Kent 'picat' Gruber <[email protected]>
@vercel vercel bot temporarily deployed to Preview – nomad August 27, 2021 14:42 Inactive
@notnoop notnoop mentioned this pull request Aug 27, 2021
Merged
notnoop pushed a commit that referenced this pull request Aug 30, 2021
Support mTLS clusters for e2e testing (#11092)
a144cb3 
This allows us to spin up e2e clusters with mTLS configured for all HashiCorp services, i.e. Nomad, Consul, and Vault. Used it for testing #11089 .

mTLS is disabled by default. I have not updated Windows provisioning scripts yet - Windows also lacks ACL support from before. I intend to follow up for them in another round.
@schmichael schmichael added this to the 1.2.0 milestone Oct 4, 2021
schmichael
schmichael approved these changes Oct 4, 2021
View reviewed changes
Copy link
Member

@schmichael schmichael left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Very excited to generate ephemeral certs right in tests instead of relying on pre-generated certificates in git.

@notnoop notnoop merged commit 88ff7f4 into main Oct 5, 2021
@notnoop notnoop deleted the b-cve-2021-37218 branch October 5, 2021 12:49
@lgfa29 lgfa29 mentioned this pull request Feb 15, 2022
Draft
@github-actions
Copy link

I'm going to lock this pull request because it has been closed for 120 days ⏳. This helps our maintainers find and focus on the active contributions.
If you have found a problem that seems related to this change, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Nov 14, 2022
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Reviewers

@picatz picatz picatz left review comments

@schmichael schmichael schmichael approved these changes

Assignees

@notnoop notnoop

Labels
None yet
Projects
None yet
Milestone
1.2.0
Development

Successfully merging this pull request may close these issues.

CVE-2021-37218 Nomad Raft RPC Privilege Escalation
3 participants
@notnoop @schmichael @picatz