security: missing support for GSS encryption (not authentication) #52184
Comments
knz
added
C-enhancement
knz
added this to Triage
in SQL Features (Deprecated - use SQL Experience board)
via automation
|
@thtruo @aaron-crl @dbist - could you review this and provide feedback about how much customer ask there is for this, and/or how much product value we would create by investing into it. |
|
@BramGruneir any context from your customerbase you can add? |
|
In PCI compliant environments this would be critical though having this capability with TLS makes it hard to justify one over the other. I think consolidating on TLS or GSS for both authN and transport encryption is a welcome addition but whether it is a high priority ask I won't know until customers ask for it. |
|
I'm not sure how much of a concern: "most client drivers don't know how to verify the server identity using GSSAPI unless GSSAPI transport encryption is enabled" is in practice. Let's see how much of a customer demand there is for this before delving too deep here. There are other ways to solve the problem in a PCI environment that do not require application support for GSS. Depending on configuration, other transport level security mechanics are possible including things like IPSec at the OS level where the tunnel is negotiated using GSS primitives. |
solongordon
moved this from Triage
to Backlog
in SQL Features (Deprecated - use SQL Experience board)
|
I evaluated #3 by connecting to a kerberized cluster with root user using cert and a kerberos principal as well. Both showed connection I200817 19:06:12.898466 2878 sql/pgwire/conn.go:226 [n1,client=172.28.1.7:56844,hostssl,user=sqlalchemy] 14 session terminated; duration: 240.3243ms
|
|
When a user attempts to use GSS encryption, the server just logs an inscrutable message: |
knz
added
the
X-anchored-telemetry
|
adding telemetry for this in #63734 |
GSS encryption is not yet supported: cockroachdb#52184 This patch adds telemetry for attempted uses and a better message in clients. Release note: None
63616: ccl/sqlproxyccl: adding cert manager to allow cert rotation on SIGHUP r=darinpp a=darinpp Previously the proxy didn't process SIGHUP and wasn't reloading the certificates when SIGHUP is sent to the process. This is a problem as rotating certificates requires restart and this desirable. This PR adds a certification manager that monitors for SIGHUP and reloads the managed certificates automatically. A similar code exists for the cockroach executable but the code there is very specific for the set of certificates that cockroach db uses. The one provided in this PR is generic and can be used as a building block in any application. The code that utilized the cert manager is not part of this PR and will be committed with the changes in the main proxy code. This is in separate PR to make the review easier. We currently have a cert manager that cockroachdb used in `pkg/security`. This PR can be used as a base of the existing code. The first step of refactoring the existing code is pulling aside a generic version of a cert manager that can do part of what `pkg/security` needs and can also do what proxy needs. So this PR does this. The second step however is to change the existing code to create a instantiate the generic cert manager, put in it the set of certs applicable to cockroach db and remove the current signal handler. This can happen in another PR. Release note: None 63734: pgwire: report telemetry for GSS encryption r=bdarnell a=knz GSS encryption is not yet supported: #52184 This patch adds telemetry for attempted uses and a better message in clients. Release note: None Co-authored-by: Darin Peshev <darinp@gmail.com> Co-authored-by: Raphael 'kena' Poss <knz@thaumogen.net>
GSS encryption is not yet supported: cockroachdb#52184 This patch adds telemetry for attempted uses and a better message in clients. Release note: None
knz
added
the
A-server-networking
|
@knz, I know this is the "cold storage", but I would like to check.
Thanks |
|
crdb CLI already can use kerberos authentication (albeit over TLS). We even test it in CI. |
GSSAPI defines security primitives at multiple levels. It is really a competing stack to TLS.
In PostgreSQL, both GSSAPI client authentication and transport encryption are supported separately.
The "best practice" for deployment in a GSS environment is to use them hand-in-hand.
In CockroachDB, we only support GSSAPI client authentication, but not GSSAPI transport encryption.
Here's the combination of features:
Why this matters:
So it's likely that CockroachDB would be better off supporting GSSAPI transport encryption (and the
hostgssencdirectives in the HBA config) in addition to TLS, to ease deployments with kerberos infrastructures.Jira issue: CRDB-3975
The text was updated successfully, but these errors were encountered: