
cli: new command `auth-session {login,logout,list}` #43872

Merged
merged 1 commit into from Jan 17, 2020

Conversation

@knz
Member

knz commented Jan 10, 2020

Fixes #43870.

tldr: this adds new CLI commands to log users in and out of the
HTTP interface and produce an HTTP cookie for use in monitoring
scripts. This is suitable for use by the `root` user without an
Enterprise license.

Also the new feature is client-side only, so the client binary with
this feature can be used with a CockroachDB server/cluster running at
an older version.

**Motivation:** users who wish to use certain HTTP monitoring tools,
in particular those that retrieve privileged information like logs,
need a valid HTTP authentication token for an admin user (#42567). This token
can be constructed by accessing the HTTP endpoint `/login`, however:

- manually crafting the token using `/login` is cumbersome;
- it's not possible to use `/login` for the `root` user (#43847);
- it's not possible to create another admin user than `root` without
  a valid Enterprise license (because that requires role management).

**Solution:**

```
cockroach auth-session login <username> [--expire-after=...] [--only-cookie]
cockroach auth-session logout <username>
cockroach auth-session list
```

- all three commands also support the standard SQL command-line
  arguments, e.g. `--url`, `--certs-dir`, `--echo-sql` and
  `--format`.
- the `--expire-after` argument customizes the expiry period. The
  default is one hour.
- the `--only-cookie` argument limits the output of the command
  to just the HTTP cookie. By default, the session ID and
  the authentication cookie are printed using regular table formatting.

Also see the two release notes below.

Release note (cli change): Three new CLI commands `cockroach
auth-session login`, `cockroach auth-session list` and `cockroach
auth-session logout` are now provided to facilitate the management of
web sessions. The command `auth-session login` also produces an HTTP
cookie which can be used by non-interactive HTTP-based database
management tools. It also can generate such a cookie for the `root`
user, who would not otherwise be able to do so using a web browser.

Release note (security update): The new command `cockroach
auth-session login` (reserved to administrators) is able to create
authentication tokens with an arbitrary expiration date. Operators
should be careful to monitor `system.web_sessions` and enforce
policy-mandated expirations either using SQL queries or the new
command `cockroach auth-session logout`.
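A worked example of the monitoring and enforcement the security release note asks for; this SQL is added here and is not part of the PR. It assumes the `system.web_sessions` columns `id`, `username`, `"createdAt"`, `"expiresAt"` and `"revokedAt"`, a 24-hour maximum validity constructed as the example policy, and that revoking a session means setting `"revokedAt"`, which is what `auth-session logout` is assumed to do for a whole username.

```sql
-- Assumed schema (not shown on the PR page): system.web_sessions has
-- id, username, "createdAt", "expiresAt", "revokedAt".
-- Example policy (constructed): no live web session may be valid for
-- more than 24 hours after creation, whatever --expire-after was given.

-- 1. Detect: live, unexpired sessions whose validity window exceeds the
--    policy. Add `AND username = 'root'` to focus on root sessions, which
--    before this PR could not be created at all.
SELECT id,
       username,
       "createdAt",
       "expiresAt",
       "expiresAt" - "createdAt" AS validity
  FROM system.web_sessions
 WHERE "revokedAt" IS NULL
   AND "expiresAt" > now()
   AND "expiresAt" - "createdAt" > INTERVAL '24 hours'
 ORDER BY "expiresAt" DESC;

-- 2. Enforce: revoke exactly those sessions by id. Revoking per session
--    id (rather than `auth-session logout <username>`, assumed to revoke
--    every session of that user) leaves the user's compliant sessions
--    intact. RETURNING gives an audit record of what was revoked.
UPDATE system.web_sessions
   SET "revokedAt" = now()
 WHERE "revokedAt" IS NULL
   AND "expiresAt" > now()
   AND "expiresAt" - "createdAt" > INTERVAL '24 hours'
RETURNING id, username, "createdAt", "expiresAt";
```

Run the SELECT on a schedule and alert on a non-empty result before letting the UPDATE run unattended, so a mistyped policy interval does not silently revoke every session.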

@knz knz requested review from rolandcrosby and aaron-crl Jan 10, 2020
@knz knz requested a review from cockroachdb/cli-prs as a code owner Jan 10, 2020
@cockroach-teamcity

Member

cockroach-teamcity commented Jan 10, 2020

This change is Reviewable

@knz

Member Author

knz commented Jan 10, 2020

This change has zero impact on the stability of the server side and is suitable for backporting to 19.2, 19.1 and 2.1.

@knz knz force-pushed the knz:20190110-cli-auth branch 3 times, most recently from f1afc12 to c9d19f6 Jan 10, 2020
@knz knz moved this from To do to In progress in Command Line Interface (CLI) Jan 13, 2020
@aaron-crl

Collaborator

aaron-crl commented Jan 13, 2020

I don't have depth of knowledge in the codebase to review for implementation correctness yet so we should probably loop in another engineer for that.

(1) What functionality is available given an auth token (does this expose more than metrics/logging)?
(2) How hard would it be to delegate access to metrics and logging to another role/user in non-enterprise clusters?

@knz knz force-pushed the knz:20190110-cli-auth branch from c9d19f6 to 42228dd Jan 14, 2020
@knz knz requested review from ajwerner and removed request for rolandcrosby Jan 14, 2020
@knz

Member Author

knz commented Jan 14, 2020

> I don't have depth of knowledge in the codebase to review for implementation correctness yet so we should probably loop in another engineer for that.

👍 I trust @ajwerner can help

> (1) What functionality is available given an auth token (does this expose more than metrics/logging)?

It gives access to the web UI and all that you can do via the HTTP endpoint using that user's credentials (mostly defined via its SQL privileges and admin role membership).

(I think that inventorying what is (or is not) available for UI users is out of scope of this PR? WDYT? Unless you were asking out of general curiosity)

> (2) How hard would it be to delegate access to metrics and logging to another role/user in non-enterprise clusters?

  • metrics: not hard, although I believe they are not restricted today? (I can check)
  • logs: insanely hard -- 50-80% of our logging information can potentially leak sensitive data, including user credentials, and introducing infrastructure to enforce sensitive field redaction throughout our source code would be a huge task.

Also here again I would be sympathetic to an effort to pre-define an "operator" role/user as a feature, but maybe that would be a different/orthogonal issue?

@aaron-crl

Collaborator

aaron-crl commented Jan 14, 2020

I think the ability for administrators to revoke sessions is a great feature add.

Aside from that, this doesn't seem like it functionally changes the security controls in place but it does make it more likely that a credential will be used it ways that might expose it to an attacker.

(3) Given that this token is analogous to a web user's valid credentials, what logging events or other mitigating controls (if any) would improve the ability to detect or stop token misuse?

(4) Re 2: Would it be possible to define a read-only log consumer role to prepare for a point in the future where sanitized or more granular logging is possible? If so, let's create another issue to track and prioritize that.

Collaborator

ajwerner left a comment

Other than using the flag you added :lgtm:

Reviewed 6 of 7 files at r1.
Reviewable status: :shipit: complete! 1 of 0 LGTMs obtained (waiting on @aaron-crl, @ajwerner, and @knz)


pkg/cli/auth.go, line 57 at r1 (raw file):

```go
	}

	expiration := timeutil.Now().Add(1 * time.Hour)
```

should this use authCtx.validityPeriod?


pkg/cli/auth.go, line 59 at r1 (raw file):

```go
	expiration := timeutil.Now().Add(1 * time.Hour)

	insertSessionStmt := `
```

Would it make sense to verify that a user with the name username exists?

Member Author

knz left a comment

Reviewed 7 of 7 files at r2.
Reviewable status: :shipit: complete! 0 of 0 LGTMs obtained (and 1 stale) (waiting on @aaron-crl and @ajwerner)


pkg/cli/auth.go, line 57 at r1 (raw file):

> Previously, ajwerner wrote…
> should this use authCtx.validityPeriod?

🤦‍♂ yes. Fixed.


pkg/cli/auth.go, line 59 at r1 (raw file):

> Previously, ajwerner wrote…
> Would it make sense to verify that a user with the name username exists?

I guess it would make sense. Added.

@knz knz force-pushed the knz:20190110-cli-auth branch from 2f189c4 to ebaf394 Jan 17, 2020
@knz knz changed the title cli: new commands `auth-session login` and `auth-session logout` cli: new command `auth-session {login,logout,list}` Jan 17, 2020
@knz knz force-pushed the knz:20190110-cli-auth branch from ebaf394 to 933b4a4 Jan 17, 2020
@knz knz force-pushed the knz:20190110-cli-auth branch 2 times, most recently from 231390a to 7cd0d83 Jan 17, 2020
@knz

Member Author

knz commented Jan 17, 2020

bors r=ajwerner,aaron-crl

craig bot pushed a commit that referenced this pull request Jan 17, 2020
43872: cli: new command `auth-session {login,logout,list}` r=ajwerner,aaron-crl a=knz

Co-authored-by: Raphael 'kena' Poss <knz@thaumogen.net>
@knz

Member Author

knz commented Jan 17, 2020

oops typo

bors r-

@craig


craig bot commented Jan 17, 2020

Canceled

@knz knz force-pushed the knz:20190110-cli-auth branch from 7cd0d83 to 593a1bb Jan 17, 2020
@knz

Member Author

knz commented Jan 17, 2020

bors r=ajwerner,aaron-crl

craig bot pushed a commit that referenced this pull request Jan 17, 2020
43872: cli: new command `auth-session {login,logout,list}` r=ajwerner,aaron-crl a=knz

Co-authored-by: Raphael 'kena' Poss <knz@thaumogen.net>
@craig


craig bot commented Jan 17, 2020

Build succeeded

@craig craig bot merged commit 593a1bb into cockroachdb:master Jan 17, 2020
3 checks passed:
  • GitHub CI (Cockroach): TeamCity build finished
  • bors: Build succeeded
  • license/cla: Contributor License Agreement is signed.
Command Line Interface (CLI) automation moved this from In progress to Done 20.1 Jan 17, 2020
@knz knz deleted the knz:20190110-cli-auth branch Jan 17, 2020