rgw/notification: allow sending bucket notifications secrets in cleartext #43436
Conversation
src/rgw/rgw_rest_pubsub_common.cc
Outdated
| @@ -24,7 +31,7 @@ bool validate_and_update_endpoint_secret(rgw_pubsub_sub_dest& dest, CephContext | |||
| ceph_assert(user.empty() == password.empty()); | |||
| if (!user.empty()) { | |||
| dest.stored_secret = true; | |||
| if (!rgw_transport_is_secure(cct, env)) { | |||
| if (!verify_security(cct, env)) { | |||
There was a problem hiding this comment.
should still indicate transport security, non?
There was a problem hiding this comment.
verify_security() calls rgw_transport_is_secure() if the flag is not set.
if the flag is set there is no need to check for transport security, because we allow for user/password on non-secure transport
There was a problem hiding this comment.
there are many aspects of security this won't disable, e.g., secure authentication
There was a problem hiding this comment.
this is not disabling anything. only thing it allows is sending "secrets" (e.g. user/password) on non-secure transport
maybe i should name this function differently?
There was a problem hiding this comment.
that's all I was saying
yuvalif
force-pushed
the
wip-yuval-fix-50611
branch
from
e37b695
to
bb13593
Compare
|
|
see #24700 for some more background on |
i don't think that would work. in so, if the conf parameter is set to "true" we won't enter the "if" statement. |
which if statement? setting it to true makes |
this is done right :-) but it does not help in the case of this PR |
|
ok i was going by what the tracker issue said. but do we really want to be insecure here? i still think it should be a requirement |
this is why it is only disabled by a conf parameter (which is "false" by default). |
i had assumed that kubernetes made this easy with its secrets; is there something we could improve on here? cc @travisn i really don't think "security is hard" is a good reason not to do it. it'll also require some effort for users to change this config variable to open the back door, but i'd much rather see that effort spent on enabling TLS |
what was the context for this tracker issue? is this proxy configuration common in rook? |
its is not exactly the case of "security is hard". without this fix, in an environment where RGW do not use TLS, we are forcing the use of TLS in RGW because we want to send notifications to AMQP. |
|
as discussed in the standup, adding a "backdoor" is usually a bad idea :-) |
|
This pull request has been automatically marked as stale because it has not had any activity for 60 days. It will be closed if no further activity occurs for another 30 days. |
|
the reason TLS was not working properly in rook was just a bug (being fixed here: rook/rook#9565) |
|
going to reopen this, as this was specifically requested by users. |
|
This pull request can no longer be automatically merged: a rebase is needed and changes have to be manually resolved |
yuvalif
force-pushed
the
wip-yuval-fix-50611
branch
from
bb13593
to
6a5d175
Compare
src/common/options/rgw.yaml.in
Outdated
| - name: rgw_allow_secrets_in_cleartext | ||
| type: bool | ||
| level: advanced | ||
| desc: Allows sending secrets (e.g. passwords) over non encrypted HTTP messages |
There was a problem hiding this comment.
please use an option name that's specific to pubsub or notifications
in the description, please add some strong wording that this is a security vulnerability and should never be used in production
this is related to rgw_trust_forwarded_https, so a see_also: would be helpful
There was a problem hiding this comment.
@cbodley please see: https://github.com/ceph/ceph/pull/43436/files#diff-32e4985985c3a5adaddfe7a70c31a1112eb5887cd1149a967dac5bc303487903R3566-R3569
let me know if this is enough.
src/rgw/rgw_rest_pubsub_common.cc
Outdated
| bool verify_transport_security(CephContext *cct, const RGWEnv& env) { | ||
| if (g_conf().get_val<bool>("rgw_allow_secrets_in_cleartext")) { | ||
| return true; | ||
| } | ||
| return rgw_transport_is_secure(cct, env); |
There was a problem hiding this comment.
can we please add a scary warning message at log level 0 whenever this override is triggered?
There was a problem hiding this comment.
yuvalif
force-pushed
the
wip-yuval-fix-50611
branch
from
6a5d175
to
3e46144
Compare
|
teuthology passing after the latest changes: http://pulpito.front.sepia.ceph.com/yuvalif-2022-07-26_04:07:30-rgw:notifications-wip-yuval-fix-50611-distro-default-smithi/ |
|
@cbodley can you please review? |
|
@yuvalif i'm still against adding an intentional security hole here. if we know that we're leaking credentials, but it's okay because we're on a private network, then why do we need password authentication for the message broker? would it be an acceptable workaround to configure the notification endpoints without passwords instead? |
not really. the configuration of the brokers is often managed differently than ceph. |
|
i still don't understand what use case we're targeting here if this is just for demos/testing, you can set up the notification endpoint without passwords if this is for production use, then we should enforce real security. let's encrypt is an easy alternative to self-signed certificates. a google search for "kubernetes let's encrypt" comes up with a bunch of hits |
these are requirements from users. |
src/common/options/rgw.yaml.in
Outdated
| type: bool | ||
| level: advanced | ||
| desc: Allows sending secrets (e.g. passwords) over non encrypted HTTP messages. | ||
| long_desc: When bucket notification ednpoints require secrets (e.g. passwords), |
src/common/options/rgw.yaml.in
Outdated
| level: advanced | ||
| desc: Allows sending secrets (e.g. passwords) over non encrypted HTTP messages. | ||
| long_desc: When bucket notification ednpoints require secrets (e.g. passwords), | ||
| we allow the topic creation only over encrypted HTTP messages. |
src/common/options/rgw.yaml.in
Outdated
| long_desc: When bucket notification ednpoints require secrets (e.g. passwords), | ||
| we allow the topic creation only over encrypted HTTP messages. | ||
| This parameter can be set to "true" to bypass this check. | ||
| Use this only if secure connection cannot be established with the radosgw, |
There was a problem hiding this comment.
please clarify what it means when security 'cannot be established'
src/common/options/rgw.yaml.in
Outdated
| these messages could be intercepted and or else malicious users will be able to | ||
| access the notification endpoints, to write and read messages from them. |
There was a problem hiding this comment.
Otherwise, this will leak the credentials of your message broker and compromise its security.
yuvalif
force-pushed
the
wip-yuval-fix-50611
branch
from
3e46144
to
7407f25
Compare
|
jenkins test make check |
src/common/options/rgw.yaml.in
Outdated
| type: bool | ||
| level: advanced | ||
| desc: Allows sending secrets (e.g. passwords) over non encrypted HTTP messages. | ||
| long_desc: When bucket notification ednpoint require secrets (e.g. passwords), |
| leak the credentials of your message broker and compromise its security. | ||
| default: false | ||
| services: | ||
| - rgw |
There was a problem hiding this comment.
see_also:
- rgw_trust_forwarded_https
src/common/options/rgw.yaml.in
Outdated
| Use this only if secure connection cannot be established with the radosgw | ||
| (e.g. a proxy in front of radosgw is used for ssl termination), and if the | ||
| network through which these requests are sent is trusted. Otherwise, this will |
There was a problem hiding this comment.
rgw_trust_forwarded_https already covers the case where a proxy is terminating ssl. how about this wording?
Use this only if radosgw is on a trusted private network, and the message broker cannot be configured without password authentication.
yuvalif
force-pushed
the
wip-yuval-fix-50611
branch
from
7407f25
to
63b3a24
Compare
|
jenkins test make check |
yuvalif
force-pushed
the
wip-yuval-fix-50611
branch
from
63b3a24
to
aba13d8
Compare
|
jenkins test make check |
|
jenkins test api |
…text rgw_allow_notification_secrets_in_cleartext conf parameter was added for that Fixes: https://tracker.ceph.com/issues/50611 Signed-off-by: Yuval Lifshitz <ylifshit@redhat.com>
yuvalif
force-pushed
the
wip-yuval-fix-50611
branch
from
aba13d8
to
b064c2a
Compare
|
RGW crash seen here: http://qa-proxy.ceph.com/teuthology/yuvalif-2022-08-23_09:52:18-rgw-wip-yuval-fix-50611-distro-default-smithi/6987728/teuthology.log seems like this is happening due to this line: https://github.com/ceph/ceph/pull/43436/files#diff-7dd5f6f1e1de636d2699c66e02f38ca4e255a48f14304f8ad54b6c68e9248e94R15 this may also be what causes the API tests to fail: https://jenkins.ceph.com/job/ceph-api/43162/ |
probably not related to this PR. same crashes are also seen here: #47507 tracker already exists: https://tracker.ceph.com/issues/57195 |
|
jenkins test api |
|
|
thanks @yuvalif, sorry i was a pain about this one! i'm happy with the result here, nice work 👍 |
rgw_allow_secrets_in_cleartext conf parameter was added for that
Fixes: https://tracker.ceph.com/issues/50611
Signed-off-by: Yuval Lifshitz ylifshit@redhat.com
Testing
run vstart cluster:
behavior should not change by default, so the following command should fail:
however, after setting the parameter to "true":
topic creation with user and password over non-secure connection should be ok:
Show available Jenkins commands
jenkins retest this pleasejenkins test classic perfjenkins test crimson perfjenkins test signedjenkins test make checkjenkins test make check arm64jenkins test submodulesjenkins test dashboardjenkins test dashboard cephadmjenkins test apijenkins test docsjenkins render docsjenkins test ceph-volume alljenkins test ceph-volume tox