
Security allows passing of invalid source #426

Open
rzezeski opened this Issue · 4 comments

4 participants

@rzezeski

I was able to pass an invalid source with no failure from security. I was confused and passed my password as the source and then would fail to authenticate to the server with the following log entry.

2013-10-26 15:28:15.735 [warning] <0.10758.2>@riak_core_security:authenticate:250 User <<"zman">> is configured with unknown authentication source zman

Here is my invalid add-source. The last zman should have been password.

/spinning/bench/riak-yz-security/dev/dev1/bin/riak-admin security add-source zman 127.0.0.1/32 zman
@jaredmorrow

This is still an issue in pre20. Here is the result of running the above (after adding the zman user).

./bin/riak-admin security print-sources
+--------------------+------------+----------+----------+
|       users        |    cidr    |  source  | options  |
+--------------------+------------+----------+----------+
|        zman        |127.0.0.1/32|   zman   |    []    |
+--------------------+------------+----------+----------+

Thoughts @Vagabond @macintux.

I'll put this as 2.0.1 for now.

@jaredmorrow jaredmorrow added this to the 2.0.1 milestone
@macintux
Collaborator

I don't know that this is a bug. @Vagabond's design allows for pluggable authentication mechanisms.

We certainly could reject unknown sources, or issue a warning that the source isn't recognized but allow it.

@rzezeski

IIRC, once I did this, security got in a bad state and I couldn't fix it without a fresh cluster. I could be remembering wrong, but it would be good to test before closing this issue.

@lukebakken
Collaborator

FWIW, I ran into this today by mis-typing certificate. The only way to know it had happened was to turn on debug logging in Riak to see why my client certificate authentication was failing.
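An added example, not code from this issue or from Riak itself: a small Python checker that does what the thread discusses on the operator side, validating a source name before it is passed to `add-source` (rejecting unknown ones and suggesting the closest known name for typos like the one in the last comment) and auditing the table printed by `riak-admin security print-sources` for entries that can never authenticate. It assumes the accepted source names are `trust`, `password`, `certificate` and `pam`; the sample table is constructed from the one pasted above plus two extra rows.

```python
import difflib

# Authentication sources riak_core_security knows how to handle.
# Assumption: this is the set for Riak 2.0; adjust it for your release.
KNOWN_SOURCES = {"trust", "password", "certificate", "pam"}


def validate_source(source, known=KNOWN_SOURCES):
    """Return (ok, message) for a source name given to `security add-source`.

    Unknown names are rejected; a near miss (e.g. a mis-typed 'certificate')
    gets a suggestion so the operator sees the typo before it is stored.
    """
    if source in known:
        return True, "ok"
    hints = difflib.get_close_matches(source, sorted(known), n=1, cutoff=0.6)
    hint = f" (did you mean '{hints[0]}'?)" if hints else ""
    return False, f"unknown authentication source '{source}'{hint}"


def parse_print_sources(text):
    """Parse the ASCII table printed by `riak-admin security print-sources`."""
    rows = []
    for line in text.splitlines():
        if not line.startswith("|"):
            continue  # skip the +----+ border lines
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if cells[0] == "users":
            continue  # header row
        users, cidr, source, options = cells
        rows.append({"users": users, "cidr": cidr,
                     "source": source, "options": options})
    return rows


def audit_sources(text, known=KNOWN_SOURCES):
    """Return (users, cidr, source, message) for every row with an unknown source.

    Such rows produce the 'configured with unknown authentication source'
    warning at authenticate time, so catching them here avoids the debugging
    described in this issue.
    """
    findings = []
    for row in parse_print_sources(text):
        ok, msg = validate_source(row["source"], known)
        if not ok:
            findings.append((row["users"], row["cidr"], row["source"], msg))
    return findings


# Constructed sample: the table from the issue plus a mis-typed certificate
# entry and one correct password entry.
SAMPLE_PRINT_SOURCES = """\
+--------------------+------------+----------+----------+
|       users        |    cidr    |  source  | options  |
+--------------------+------------+----------+----------+
|        zman        |127.0.0.1/32|   zman   |    []    |
|        bob         | 10.0.0.0/8 |certificte|    []    |
|       alice        |127.0.0.1/32| password |    []    |
+--------------------+------------+----------+----------+
"""

if __name__ == "__main__":
    for users, cidr, source, msg in audit_sources(SAMPLE_PRINT_SOURCES):
        print(f"{users} @ {cidr}: {msg}")
```

Run it as a pre-flight check in whatever script wraps `riak-admin security add-source`, or pipe the real `print-sources` output into `audit_sources` after a change to confirm every configured source is one the node can actually evaluate.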
