
security: Extend cert-principal-map to other x509 attributes #118750

Closed
bdarnell opened this issue Feb 5, 2024 · 0 comments · Fixed by #120786
Labels: A-authentication (Pertains to authn subsystems), branch-release-24.1 (Used to mark GA and release blockers and technical advisories for 24.1), C-enhancement (Solution expected to add code/behavior + preserve backward-compat; pg compat issues are the exception), GA-blocker, T-cross-product-security

Comments

bdarnell (Contributor) commented Feb 5, 2024

Is your feature request related to a problem? Please describe.

The typical case for CRDB node certificates is to have CN (or SAN) set to node. In organizations with security policies that forbid unqualified or shared names, we support the --cert-principal-map flag to map other CN or SAN values to node (or other SQL usernames).

However, this is painful to use because --cert-principal-map can only be updated with a node restart, and the same policies that require its use often require the mapping to be updated with each new node added to the cluster, because each node has a unique CN or SAN.

Describe the solution you'd like

We should have a way to identify node certificates via other attributes of the distinguished name in the certificate. Exact syntax TBD, but something like --node-cert-distinguished-name=O="ACME, Inc.", OU="Order Processing Team"

Describe alternatives you've considered

Moving the --cert-principal-map to a cluster setting would remove the need to restart a node. But cluster settings cannot be set until node certificates and inter-node communications are working (and the need to update the setting is an annoying extra step).

Additional context

#110616 proposes distinguished name matching for SQL client certs. These rules are going to be managed within the database because they don't pose the cluster startup problems that node certs do.

Jira issue: CRDB-35884

Epic CRDB-34126
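Added example, not CockroachDB's code: a Go sketch of the proposed check, which parses the flag syntax suggested above into attribute/value pairs and accepts a certificate subject only when every configured attribute is present with exactly that value. The flag grammar, the attribute subset (CN, O, OU) and the names parseDNFlag and isNodeCert are assumptions.

```go
package main

import (
	"crypto/x509/pkix"
	"fmt"
	"strings"
)

// Subject attributes the matcher understands (a hypothetical subset).
var dnFields = map[string]func(pkix.Name) []string{
	"CN": func(n pkix.Name) []string { return []string{n.CommonName} },
	"O":  func(n pkix.Name) []string { return n.Organization },
	"OU": func(n pkix.Name) []string { return n.OrganizationalUnit },
}
// parseDNFlag parses the flag syntax sketched in the issue (grammar assumed):
// quoted values may contain commas; each attribute may appear at most once.
func parseDNFlag(s string) (map[string]string, error) {
	want := map[string]string{}
	for s = strings.TrimSpace(s); s != ""; s = strings.TrimSpace(s) {
		attr, rest, found := strings.Cut(s, "=")
		attr, rest = strings.TrimSpace(attr), strings.TrimSpace(rest)
		if _, known := dnFields[attr]; !found || !known || want[attr] != "" {
			return nil, fmt.Errorf("bad, unknown or repeated attribute at %q", s)
		}
		if strings.HasPrefix(rest, `"`) {
			val, after, closed := strings.Cut(rest[1:], `"`)
			after = strings.TrimSpace(after)
			if !closed || (after != "" && after[0] != ',') {
				return nil, fmt.Errorf("bad quoted value at %q", rest)
			}
			want[attr], s = val, strings.TrimPrefix(after, ",")
		} else {
			val, after, _ := strings.Cut(rest, ",")
			want[attr], s = strings.TrimSpace(val), after
		}
		if want[attr] == "" {
			return nil, fmt.Errorf("empty value for %s", attr)
		}
	}
	return want, nil
}
// isNodeCert: every configured attribute must carry exactly one value, equal to want's (empty want fails closed).
func isNodeCert(subject pkix.Name, want map[string]string) bool {
	for attr, v := range want {
		if got := dnFields[attr](subject); len(got) != 1 || got[0] != v {
			return false
		}
	}
	return len(want) > 0
}
```

Multi-valued attributes and an empty configuration are rejected so that a misconfigured flag cannot turn every client certificate into a node certificate.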

bdarnell added C-enhancement (Solution expected to add code/behavior + preserve backward-compat; pg compat issues are the exception), T-sql-foundations (SQL Foundations Team, formerly SQL Schema + SQL Sessions), A-authentication (Pertains to authn subsystems) labels Feb 5, 2024
blathers-crl bot added this to Triage in SQL Foundations Feb 5, 2024
souravcrl added a commit to souravcrl/cockroach that referenced this issue Mar 25, 2024
Previous in sequence: cockroachdb#119958
informs cockroachdb#110616, cockroachdb#118750
fixes CRDB-35884
Epic CRDB-34126

We will be adding 2 new CLI flags, `root-cert-distinguished-name` and
`node-cert-distinguished-name`, to provide the option of setting the subject DN for the root and
node users during server startup. This will enforce that the certificate provided by the
client exactly matches the value set by the above flags, both for SQL client and
RPC authentication. This is needed because the subject role option cannot be set for the
root and node users.

After this, the plan is to add a cluster setting
`server.client_cert.subject_required` which will mandate that any auth which
happens verifies certSubject against rootSubject in the case of the root user, against
nodeSubject in the case of the node user, and against roleSubject otherwise.

Release note: None
exalate-issue-sync bot added T-cross-product-security and removed T-sql-foundations (SQL Foundations Team, formerly SQL Schema + SQL Sessions) labels Mar 27, 2024
souravcrl added a commit to souravcrl/cockroach that referenced this issue Mar 28, 2024
souravcrl added a commit to souravcrl/cockroach that referenced this issue Mar 28, 2024
souravcrl added a commit to souravcrl/cockroach that referenced this issue Mar 28, 2024
souravcrl added a commit to souravcrl/cockroach that referenced this issue Apr 2, 2024
Previous in sequence: cockroachdb#119958
informs cockroachdb#110616, cockroachdb#118750
fixes CRDB-35884
Epic CRDB-34126

We will be adding 2 new CLI flags, `root-cert-distinguished-name` and
`node-cert-distinguished-name`, to provide the option of setting the subject DN for the root and
node users during server startup. This will enforce that the certificate provided by the
client exactly matches the value set by the above flags, both for SQL client and
RPC authentication. This is needed because the subject role option cannot be set for the
root and node users.

After this, the plan is to add a cluster setting
`server.client_cert.subject_required` which will mandate that any auth which
happens verifies certSubject against rootSubject in the case of the root user, against
nodeSubject in the case of the node user, and against roleSubject otherwise.

Release note: None
souravcrl added a commit to souravcrl/cockroach that referenced this issue Apr 4, 2024
exalate-issue-sync bot added GA-blocker and branch-release-24.1 (Used to mark GA and release blockers and technical advisories for 24.1) labels Apr 7, 2024
souravcrl added a commit to souravcrl/cockroach that referenced this issue Apr 8, 2024
souravcrl added a commit to souravcrl/cockroach that referenced this issue Apr 8, 2024
craig bot closed this as completed in d45a65e Apr 9, 2024
SQL Foundations automation moved this from Triage to Done Apr 9, 2024
blathers-crl bot pushed a commit that referenced this issue Apr 9, 2024
souravcrl added a commit to souravcrl/cockroach that referenced this issue Apr 10, 2024
Previous in sequence: cockroachdb#120786
informs cockroachdb#110616, cockroachdb#118750
fixes CRDB-35884
Epic CRDB-34126

We will be adding a cluster setting `server.client_cert.subject_required.enabled` which
will mandate that the role subject be set, either through the subject
role option or through root-cert-distinguished-name and node-cert-distinguished-name. It
controls both RPC access and login via authCert.

Release note: None
souravcrl added a commit to souravcrl/cockroach that referenced this issue Apr 11, 2024
souravcrl added a commit to souravcrl/cockroach that referenced this issue Apr 14, 2024
Previous in sequence: cockroachdb#120786
informs cockroachdb#110616, cockroachdb#118750
fixes CRDB-35884
Epic CRDB-34126

We will be adding a cluster setting `security.client_cert.subject_required.enabled` which
will mandate that the role subject be set, either through the subject
role option or through root-cert-distinguished-name and node-cert-distinguished-name. It
controls both RPC access and login via authCert.

Release note: None
souravcrl added a commit to souravcrl/cockroach that referenced this issue Apr 15, 2024
souravcrl added a commit to souravcrl/cockroach that referenced this issue Apr 15, 2024
craig bot pushed a commit that referenced this issue Apr 15, 2024
122105: rpc,security,sql,cli: Add subject_required cluster setting r=bdarnell a=souravcrl

Previous in sequence: #120786
informs #110616, #118750
fixes CRDB-35884
Epic CRDB-34126

We will be adding a cluster setting `server.client_cert.subject_required` which will mandate that the role subject be set, either through the subject role option or through root-cert-distinguished-name and node-cert-distinguished-name. It controls both RPC access and login via authCert.

Release note: None

Co-authored-by: Sourav Sarangi <sourav.sarangi@cockroachlabs.com>
blathers-crl bot pushed a commit that referenced this issue Apr 15, 2024
blathers-crl bot pushed a commit that referenced this issue Apr 15, 2024
souravcrl added a commit that referenced this issue Apr 15, 2024
Previous in sequence: #120786
informs #110616, #118750
fixes CRDB-35884
Epic CRDB-34126

Release note: We will be adding a cluster setting
`security.client_cert.subject_required.enabled` which will mandate that the
role subject be set, either through the subject role option or through
root-cert-distinguished-name and node-cert-distinguished-name. It controls both
RPC access and login via authCert.
souravcrl added a commit that referenced this issue Apr 15, 2024
Previous in sequence: #120786
informs #110616, #118750
fixes CRDB-35884
Epic CRDB-34126

Release note (security update): We are adding a cluster setting
`security.client_cert.subject_required.enabled` which mandates that the
role subject be set, either through the subject role option or through
root-cert-distinguished-name and node-cert-distinguished-name. It controls both
RPC access and login via authCert.