Support deploying and managing TLS encryption enabled TiDB cluster #529

Closed
9 of 10 tasks
lucklove opened this issue Jun 23, 2020 · 8 comments · Fixed by #673
Labels
category/security Categorizes issue or PR as a security enhancement. priority/P0 Indicates that the priority of an issue is very high. status/need-doc Indicates that we should update document before merge a PR. type/feature-request Categorizes issue as related to a new feature.

@lucklove
Member

lucklove commented Jun 23, 2020

Feature Request

Description

At present, when deploying a cluster with tiup-cluster, the TiDB cluster (tidb <-> pd <-> tikv and pd <-> tiup) uses plain messages to communicate; this may lead to potential security leaks. We should support TLS encryption as an option in the cluster topology to enable TLS encryption among components.

Similar support is already implemented in tidb-ansible and tidb-operator.

Category

Security

Value

Increase the security of the TiDB cluster, and avoid potential security leaks like MITM attacks.

TODO List

  • Add support of TLS encryption in specs
    • PD
    • TiKV
    • TiDB (Both server and client)
    • Pump / Drainer
    • CDC
    • binlog
    • Conflict validation with unsupported components
  • Generate TLS certificates and correct configs for components
  • Support API calls with TLS encryption enabled

Schedule

GanttStart: 2020-08-01
GanttDue: 2020-08-31
GanttProgress: 95%

@lucklove lucklove added the type/enhancement Categorizes issue or PR as related to an enhancement. label Jun 23, 2020
@lonng lonng added the status/TODO Categorizes issue as we will do it. label Jun 24, 2020
@AstroProfundis AstroProfundis added category/security Categorizes issue or PR as a security enhancement. type/feature-request Categorizes issue as related to a new feature. and removed type/enhancement Categorizes issue or PR as related to an enhancement. labels Jul 7, 2020
@AstroProfundis AstroProfundis added this to the v1.2.0 milestone Jul 7, 2020
@lucklove lucklove added the priority/P0 Indicates that the priority of an issue is very high. label Jul 14, 2020
@overvenus
Member

Reminder: Please also support TiCDC TLS deployment.

@lucklove
Member Author

It seems TiFlash and TiSpark don't support TLS; they may be disabled once the user enables TLS.

@july2993
Contributor

Reminder: Please also support TiCDC TLS deployment.

also tidb binlog

@AstroProfundis AstroProfundis added status/WIP and removed status/TODO Categorizes issue as we will do it. labels Jul 27, 2020
@AstroProfundis
Contributor

@july2993 @overvenus Is there any doc about how to configure TLS for CDC and binlog?

@nolouch
Member

nolouch commented Aug 2, 2020

This issue has been placed in the security issue pingcap/tidb#18084 as a sub-item. It's duplicated in the longterm P0 Backlog Kanban; maybe we can move it out and place it in the team's kanban.

@uglyengineer

@lonng this is a sub-task of tidb#18084, do not add it to the longterm project.

@ilovesoup
Contributor

Actually this issue is about "support deploy cluster with security features enabled" instead of "support those security features among components". Please make the title and description clear, or it is a waste of time for those who care. @lucklove

@AstroProfundis AstroProfundis changed the title Support TLS in internal communication of TiDB cluster Support deploying and managing TLS encryption enabled TiDB cluster Aug 14, 2020
@lucklove lucklove added the status/need-doc Indicates that we should update document before merge a PR. label Sep 16, 2020