Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Authorization not enforced for inter-node comms #1051

Closed
otoolep opened this issue Jul 15, 2022 · 9 comments
Closed

Authorization not enforced for inter-node comms #1051

otoolep opened this issue Jul 15, 2022 · 9 comments

Comments

@otoolep
Copy link
Member

otoolep commented Jul 15, 2022

rqlite security is controlled as described here.

Security can be configured such that a node requires credentials to join a cluster (since joining uses the HTTP API). However all further requests by the node which joined to any other node will use the inter-node comms link, which does not enforce authorization. This means changes could be made to the cluster via node that has joined, but which doesn't have a local Security config file.

The fix, in general terms, is to enforce authorization, even for the inter-node comms channel.

@otoolep
Copy link
Member Author

otoolep commented Jul 19, 2022

This should be fairly straightforward to do:

New unit tests need to be added at each layer too.

@ngharrington
Copy link
Contributor

Thanks @otoolep happy to take a look a this -- these notes are great and align with what I had in mind. Hopefully will spend some time this evening (EST), but certainly will look this week.

@otoolep
Copy link
Member Author

otoolep commented Jul 20, 2022

There is one tricky part to this -- queued writes. Because queued writes happen asynchronously, the context of which user sent the original HTTP request is not passed to the queue. So that part is going to need some thinking.

You can see the queued write implementation in the HTTP layer.

@otoolep
Copy link
Member Author

otoolep commented Jul 20, 2022

Queued writes are called "queued executes" in the code.

@otoolep
Copy link
Member Author

otoolep commented Jul 20, 2022

The queuedExecute() is complicated because it can contain multiple requests, each with different credentials -- so the question becomes which credentials to use when all requests are merged in the queue. I'll need to think about it.

I suggest we just work on the synchronous path for now (execute()) and see what shape that takes. That may help us understand the best way to deal with queued writes.

@otoolep
Copy link
Member Author

otoolep commented Jul 20, 2022

Thinking about this some more, it's not that bad. The main issue here is that credential-checking is not enforced in the cluster service. That is what needs to be addressed. Once that is fixed the security issue is addressed. So adding credential checking in https://github.com/rqlite/rqlite/blob/master/cluster/service.go#L170 is step one, that would patch the hole.

@otoolep
Copy link
Member Author

otoolep commented Jul 21, 2022

@ngharrington - check out #1056

It's just to give you an idea of what needs to be done, I don't plan to merge it if you make the full changes. But it should give you the idea. What remains includes:

  • Fixing unit tests
  • Actually enforcing credential checking in the Cluster service code
  • Repeating this logic for the query path too.

Note that the pb.go code was generated automatically, as per the directions in CONTRIBUTING.md

@ngharrington
Copy link
Contributor

Thanks! I will take a look at this

This was referenced Aug 6, 2022
@otoolep
Copy link
Member Author

otoolep commented Aug 6, 2022

Will be fixed in 7.6.1, currently fixed on HEAD.

@otoolep otoolep closed this as completed Aug 6, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

2 participants