New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
rgw/notification: allow sending bucket notifications secrets in cleartext #43436
Conversation
src/rgw/rgw_rest_pubsub_common.cc
Outdated
@@ -24,7 +31,7 @@ bool validate_and_update_endpoint_secret(rgw_pubsub_sub_dest& dest, CephContext | |||
ceph_assert(user.empty() == password.empty()); | |||
if (!user.empty()) { | |||
dest.stored_secret = true; | |||
if (!rgw_transport_is_secure(cct, env)) { | |||
if (!verify_security(cct, env)) { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
should still indicate transport security, non?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
verify_security()
calls rgw_transport_is_secure()
if the flag is not set.
if the flag is set there is no need to check for transport security, because we allow for user/password on non-secure transport
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
there are many aspects of security this won't disable, e.g., secure authentication
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
this is not disabling anything. only thing it allows is sending "secrets" (e.g. user/password) on non-secure transport
maybe i should name this function differently?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
that's all I was saying
e37b695
to
bb13593
Compare
|
see #24700 for some more background on |
i don't think that would work. in
so, if the conf parameter is set to "true" we won't enter the "if" statement. |
which if statement? setting it to true makes |
this is done right :-) but it does not help in the case of this PR |
ok i was going by what the tracker issue said. but do we really want to be insecure here? i still think it should be a requirement |
this is why it is only disabled by a conf parameter (which is "false" by default). |
i had assumed that kubernetes made this easy with its secrets; is there something we could improve on here? cc @travisn i really don't think "security is hard" is a good reason not to do it. it'll also require some effort for users to change this config variable to open the back door, but i'd much rather see that effort spent on enabling TLS |
what was the context for this tracker issue? is this proxy configuration common in rook? |
its is not exactly the case of "security is hard". without this fix, in an environment where RGW do not use TLS, we are forcing the use of TLS in RGW because we want to send notifications to AMQP. |
as discussed in the standup, adding a "backdoor" is usually a bad idea :-) |
This pull request has been automatically marked as stale because it has not had any activity for 60 days. It will be closed if no further activity occurs for another 30 days. |
the reason TLS was not working properly in rook was just a bug (being fixed here: rook/rook#9565) |
going to reopen this, as this was specifically requested by users. |
This pull request can no longer be automatically merged: a rebase is needed and changes have to be manually resolved |
bb13593
to
6a5d175
Compare
src/common/options/rgw.yaml.in
Outdated
- name: rgw_allow_secrets_in_cleartext | ||
type: bool | ||
level: advanced | ||
desc: Allows sending secrets (e.g. passwords) over non encrypted HTTP messages |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
please use an option name that's specific to pubsub or notifications
in the description, please add some strong wording that this is a security vulnerability and should never be used in production
this is related to rgw_trust_forwarded_https
, so a see_also:
would be helpful
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@cbodley please see: https://github.com/ceph/ceph/pull/43436/files#diff-32e4985985c3a5adaddfe7a70c31a1112eb5887cd1149a967dac5bc303487903R3566-R3569
let me know if this is enough.
src/rgw/rgw_rest_pubsub_common.cc
Outdated
bool verify_transport_security(CephContext *cct, const RGWEnv& env) { | ||
if (g_conf().get_val<bool>("rgw_allow_secrets_in_cleartext")) { | ||
return true; | ||
} | ||
return rgw_transport_is_secure(cct, env); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
can we please add a scary warning message at log level 0 whenever this override is triggered?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
6a5d175
to
3e46144
Compare
teuthology passing after the latest changes: http://pulpito.front.sepia.ceph.com/yuvalif-2022-07-26_04:07:30-rgw:notifications-wip-yuval-fix-50611-distro-default-smithi/ |
@cbodley can you please review? |
@yuvalif i'm still against adding an intentional security hole here. if we know that we're leaking credentials, but it's okay because we're on a private network, then why do we need password authentication for the message broker? would it be an acceptable workaround to configure the notification endpoints without passwords instead? |
not really. the configuration of the brokers is often managed differently than ceph. |
i still don't understand what use case we're targeting here if this is just for demos/testing, you can set up the notification endpoint without passwords if this is for production use, then we should enforce real security. let's encrypt is an easy alternative to self-signed certificates. a google search for "kubernetes let's encrypt" comes up with a bunch of hits |
these are requirements from users. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
please add some strong wording that this is a security vulnerability and should never be used in production
i don't think the language was strong enough in this regard
src/common/options/rgw.yaml.in
Outdated
type: bool | ||
level: advanced | ||
desc: Allows sending secrets (e.g. passwords) over non encrypted HTTP messages. | ||
long_desc: When bucket notification ednpoints require secrets (e.g. passwords), |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
ednpoints
src/common/options/rgw.yaml.in
Outdated
level: advanced | ||
desc: Allows sending secrets (e.g. passwords) over non encrypted HTTP messages. | ||
long_desc: When bucket notification ednpoints require secrets (e.g. passwords), | ||
we allow the topic creation only over encrypted HTTP messages. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
HTTPS
src/common/options/rgw.yaml.in
Outdated
long_desc: When bucket notification ednpoints require secrets (e.g. passwords), | ||
we allow the topic creation only over encrypted HTTP messages. | ||
This parameter can be set to "true" to bypass this check. | ||
Use this only if secure connection cannot be established with the radosgw, |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
please clarify what it means when security 'cannot be established'
src/common/options/rgw.yaml.in
Outdated
these messages could be intercepted and or else malicious users will be able to | ||
access the notification endpoints, to write and read messages from them. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Otherwise, this will leak the credentials of your message broker and compromise its security.
3e46144
to
7407f25
Compare
jenkins test make check |
src/common/options/rgw.yaml.in
Outdated
type: bool | ||
level: advanced | ||
desc: Allows sending secrets (e.g. passwords) over non encrypted HTTP messages. | ||
long_desc: When bucket notification ednpoint require secrets (e.g. passwords), |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
ednpoint
leak the credentials of your message broker and compromise its security. | ||
default: false | ||
services: | ||
- rgw |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
see_also:
- rgw_trust_forwarded_https
src/common/options/rgw.yaml.in
Outdated
Use this only if secure connection cannot be established with the radosgw | ||
(e.g. a proxy in front of radosgw is used for ssl termination), and if the | ||
network through which these requests are sent is trusted. Otherwise, this will |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
rgw_trust_forwarded_https
already covers the case where a proxy is terminating ssl. how about this wording?
Use this only if radosgw is on a trusted private network, and the message broker cannot be configured without password authentication.
7407f25
to
63b3a24
Compare
jenkins test make check |
63b3a24
to
aba13d8
Compare
jenkins test make check |
jenkins test api |
…text rgw_allow_notification_secrets_in_cleartext conf parameter was added for that Fixes: https://tracker.ceph.com/issues/50611 Signed-off-by: Yuval Lifshitz <ylifshit@redhat.com>
aba13d8
to
b064c2a
Compare
RGW crash seen here: http://qa-proxy.ceph.com/teuthology/yuvalif-2022-08-23_09:52:18-rgw-wip-yuval-fix-50611-distro-default-smithi/6987728/teuthology.log
seems like this is happening due to this line: https://github.com/ceph/ceph/pull/43436/files#diff-7dd5f6f1e1de636d2699c66e02f38ca4e255a48f14304f8ad54b6c68e9248e94R15 this may also be what causes the API tests to fail: https://jenkins.ceph.com/job/ceph-api/43162/ |
probably not related to this PR. same crashes are also seen here: #47507 tracker already exists: https://tracker.ceph.com/issues/57195 |
jenkins test api |
|
thanks @yuvalif, sorry i was a pain about this one! i'm happy with the result here, nice work 👍 |
rgw_allow_secrets_in_cleartext conf parameter was added for that
Fixes: https://tracker.ceph.com/issues/50611
Signed-off-by: Yuval Lifshitz ylifshit@redhat.com
Testing
run vstart cluster:
behavior should not change by default, so the following command should fail:
however, after setting the parameter to "true":
topic creation with user and password over non-secure connection should be ok:
Show available Jenkins commands
jenkins retest this please
jenkins test classic perf
jenkins test crimson perf
jenkins test signed
jenkins test make check
jenkins test make check arm64
jenkins test submodules
jenkins test dashboard
jenkins test dashboard cephadm
jenkins test api
jenkins test docs
jenkins render docs
jenkins test ceph-volume all
jenkins test ceph-volume tox