-
Notifications
You must be signed in to change notification settings - Fork 6.6k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Support encrypted passwords in interserver_http_credentials section #48291
Comments
For me it’s not clear from design/architectural point of view what should be the correct solution to avoid the plain text passwords in interserver_http_credentials. It’s not the same as we have SHA hash for client credentials. |
What vector of an attack you want to prevent? If you want the trust among replicas listed in the Zookeper (and you consider that Zookeeper is secured and Zookeeper must be secured anyway, otherwise an intruder can harm a database by other ways. |
@den-crane Thank you for advice about the random token. I did not know about it. Depending on customers the requirements may be:
|
BTW you can store parts of the config in the ZK like So you can do
|
I did not know about |
I doubt that storing passwords in ZooKeeper is more secure (clickhouse users can read it via system.zookeeper). Soring that on filesystem is secure (as secure as when you store keys in ~/.ssh). If you will add some encryption there it will anyway will be reversible, or the keys will be stored somewhere around. So it will not make system more secure than it is now, it can only be considered as obfuscation. Obfuscated password can not be considered as a strong / important security improvement. |
To address this issue we do need an extra level of indirection ;) |
@filimonov OK. How to we solve the particular question using the files? Yes, private keys in ./ssh have chmod 600. I think we may implement new parameter:
So for file The main idea that chmod is 600. And the user is clickhouse. Thus only clichouse user and root may read it. The idea is that for And I think we cannot use include_from:
|
@ilejn Could you please explain your approach? How it would be possible to use GNOME Keyring or similar in ClickHouse for the particular task (storing password for interserver_http_credentials)? |
You can just create one more file /etc/clickhouse-server/config.d/interserver_credentials.xml Or use include_from (what is wrong with that?). |
There is an API, a wrapper (https://gnome.pages.gitlab.gnome.org/libsecret) and a cross-platform library (e.g. https://github.com/hrantzsch/keychain).
|
@rvasin's implementation provides a new XML tag `encryption_codec' which indicates some symmetric encryption (AES). Before we go ahead with the implementation, I would like to check back first if everyone is okay with the approach. When it comes to security, it is too easy to shoot oneself into the foot. And yes, Roman did the hard work already (appreciated) but let's discuss first. If I read this ticket right, the core problem is that the configuration file that contains the credentials is not necessarily only readable by the user who owns it. E.g. permissions can be 666 and user "Bob" can read user "Alice"s passwords, and we need some way to hide the password in the file. Note that to solve the problem, "hiding" is enough - the password does not necessarily need to be encrypted. Discussed approaches:
To be honest, the latter two options seem preferable to me due to their elegance and simplicity. Maybe the docs should just make a note how cleartext passwords can be hidden. And: Does the issue only affect credentials of other servers, or does ZK also need credentials? What about the existing mechanism to connect securely to ZK? (I am not an expert with that) And: Are there specific customer / compliance / certification requirements that mandate actual password encryption (over just hiding it)? |
@rschu1ze I will try to keep it short quite the topic is quite wide. As we discussed earlier in the ticket: setting 600 permission on: Yes, it's in their requirements "no plain text passwords" in configuration files. For prospects the requirement is quite critical: they cannot start using ClickHouse without it. And solutions like In fact I wrote an internal article about usage of Therefore in my current PR the passwords are encrypted in We discussed it with our company's security analysts, we showed it to our clients and prospects (their security analysts). This approach OK for them. Also note: it is not just about passwords in
and so on. Therefore the proposed solution in my PR is universal and it may be used to hide any sensitive information. Furthermore it maybe used in combination with |
Am I right that the plan is to keep the encrypted entity (password) and the key to decrypt it (encryption_codecs/../key_hex) together in one file? Really? |
As I said in real usage the different combinations are possible. The main idea: there is no ideal solution. But it's a really the next step to security improvement considering that now in |
And the benefit of this PR is that key and password are together in preprocessed/config.xml ? If an intruder can read this file (and other configs) - no improvement (she knows the secret) |
As I said on all config files we set 600 permission only clickhouse user and root can read it. If the intruder can get root access somehow in this case he will get the plain text key and encrypted passwords from preprocessed config. But decryption is not trivial. Because the encrypted text has headers etc. Thus this PR is the next step in security improvement. But this is not the final or definitive step :) |
Again I need to repeat: my today"s post is not my opinion as developer (for me as developer 600 permission is probably enough) but these are combined opinions / even requirements of security analysts of very high profile companies. They consider many factors to make their final decisions. As one of future steps in the security level improvements could be making a new option to eliminate preprocessing file generation. But implementation of this option requires a prior careful analysis. |
Use case
Right now the passwords in interserver_http_credentials section are in plain text. For example:
It maybe considered as unsafe by security analysts.
Describe the solution you'd like
Allow encrypted password like:
Normally a symmetric encryption should be used. But it’s not clear where to save the encryption key then.
Describe alternatives you've considered
As alternative solution we may use of environment variable this way:
$ INTERPASSWORD=test
But this also may be considered as unsafe by security analysts.
The text was updated successfully, but these errors were encountered: