Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

server: avoid considering non-authenticated reqs as root-authenticated #45125

Closed
wants to merge 2 commits into from

Conversation

knz
Copy link
Contributor

@knz knz commented Feb 14, 2020

Fixes #45018.

First commit from #45119.

Prior to this patch, the impl code for the various RPCs
were assuming that the lack of a username in their incoming context
implied that the connection necessarily had already been
authenticated for the root user.

This assumption does not seem to be substantiated anywhere.
Even if the current structure of the code may have made this true
by accident, there is no guardrail that enforces it.

This patch rectifies the situation by lifting the assumption.
This changes the requirement for the conn acceptors to always
populate the username metadata.

Release note: None

@knz knz requested a review from andreimatei February 14, 2020 21:53
@cockroach-teamcity
Copy link
Member

This change is Reviewable

This patch fixes `/health` by ensuring it does not require
authentication, does not perform KV operations and does not expose
sensitive details.

Reminder, for posterity:

- `/_status/v1/details` exposes health, readiness and node details,
  which is potentially privileged information. This requires an
  authenticated admin user. It also performs a KV operation for
  authentication and thus subject to cluster availability.

- `/_admin/v1/health` only exposes health and readiness. It
  is non-privileged and does not require authentication. It does
  not perform KV operations and is thus not subject to cluster
  availability.

- `/health` is now an alias for `/_admin/v1/health`.  (It used to be a
  non-authenticated alias for `/_status/v1/details` which was both a UX
  and security bug. See release notes below for details.)

- both `/health` and `/_admin/v1/health` accept a boolean flag e.g.
  via `?ready=1`. When `ready` is specified, a HTTP error is returned if
  the node is up but not able to accept client connections, or not live,
  or shutting down. When `ready` is *not* specified, a HTTP success is
  always returned if the node is up, even when it cannot accept client
  connections or is not live.

Release note (security update): The non-authenticated `/health` HTTP
endpoint was previously exposing the private IP address of the node,
which can be privileged information in some deployments. This has been
corrected. Deployments using automation to retrieve a node build
details, address details etc should use `/_status/v1/details` instead
and use a valid admin authentication cookie.

Release note (bug fix): Accesses to `/health` do not hang any more
when a node is currently under load or if a system range is
unavailable.
Prior to this patch, the impl code for the various RPCs
were assuming that the lack of a username in their incoming context
implied that the connection *necessarily* had already been
authenticated for the `root` user.

This assumption does not seem to be substantiated anywhere.
Even if the current structure of the code may have made this true
by accident, there is no guardrail that enforces it.

This patch rectifies the situation by lifting the assumption.
This changes the requirement for the conn acceptors to always
populate the username metadata.

Release note: None
@knz knz requested a review from a team as a code owner February 15, 2020 01:30
@tbg tbg added the X-noremind Bots won't notify about PRs with X-noremind label May 6, 2021
@knz knz removed the X-noremind Bots won't notify about PRs with X-noremind label May 6, 2021
@knz knz marked this pull request as draft May 6, 2021 10:42
@knz
Copy link
Contributor Author

knz commented Feb 2, 2023

This PR was an attempt to fix some of the shortcomings now identified in #96427. It was very incomplete, and also based off incomplete understanding. We should re-do this work.

@knz knz closed this Feb 2, 2023
@knz knz deleted the 20200214-disauth branch February 2, 2023 18:46
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

server: unauthenticated http requests running as root by default?
3 participants