Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

server: avoid considering non-authenticated reqs as root-authenticated #45125

Closed
wants to merge 2 commits into from
Closed

server: avoid considering non-authenticated reqs as root-authenticated #45125

wants to merge 2 commits into from

Conversation

knz
Copy link
Contributor

@knz knz commented Feb 14, 2020

Fixes #45018.

First commit from #45119.

Prior to this patch, the impl code for the various RPCs
were assuming that the lack of a username in their incoming context
implied that the connection necessarily had already been
authenticated for the root user.

This assumption does not seem to be substantiated anywhere.
Even if the current structure of the code may have made this true
by accident, there is no guardrail that enforces it.

This patch rectifies the situation by lifting the assumption.
This changes the requirement for the conn acceptors to always
populate the username metadata.

Release note: None

@knz knz requested a review from andreimatei February 14, 2020 21:53
@cockroach-teamcity
Copy link
Member

This change is Reviewable

@knz knz added this to To do in DB Server & Security via automation Feb 14, 2020
@knz
server: fix broken /health
0cb85f2 
This patch fixes `/health` by ensuring it does not require
authentication, does not perform KV operations and does not expose
sensitive details.

Reminder, for posterity:

- `/_status/v1/details` exposes health, readiness and node details,
  which is potentially privileged information. This requires an
  authenticated admin user. It also performs a KV operation for
  authentication and thus subject to cluster availability.

- `/_admin/v1/health` only exposes health and readiness. It
  is non-privileged and does not require authentication. It does
  not perform KV operations and is thus not subject to cluster
  availability.

- `/health` is now an alias for `/_admin/v1/health`.  (It used to be a
  non-authenticated alias for `/_status/v1/details` which was both a UX
  and security bug. See release notes below for details.)

- both `/health` and `/_admin/v1/health` accept a boolean flag e.g.
  via `?ready=1`. When `ready` is specified, a HTTP error is returned if
  the node is up but not able to accept client connections, or not live,
  or shutting down. When `ready` is *not* specified, a HTTP success is
  always returned if the node is up, even when it cannot accept client
  connections or is not live.

Release note (security update): The non-authenticated `/health` HTTP
endpoint was previously exposing the private IP address of the node,
which can be privileged information in some deployments. This has been
corrected. Deployments using automation to retrieve a node build
details, address details etc should use `/_status/v1/details` instead
and use a valid admin authentication cookie.

Release note (bug fix): Accesses to `/health` do not hang any more
when a node is currently under load or if a system range is
unavailable.
@knz
server: avoid considering non-authenticated reqs as root-authenticated
d7b3ca9 
Prior to this patch, the impl code for the various RPCs
were assuming that the lack of a username in their incoming context
implied that the connection *necessarily* had already been
authenticated for the `root` user.

This assumption does not seem to be substantiated anywhere.
Even if the current structure of the code may have made this true
by accident, there is no guardrail that enforces it.

This patch rectifies the situation by lifting the assumption.
This changes the requirement for the conn acceptors to always
populate the username metadata.

Release note: None
@knz knz requested a review from a team as a code owner February 15, 2020 01:30
@knz knz moved this from To do to In progress in DB Server & Security Feb 15, 2020
@knz knz moved this from In progress to Legacy debt in DB Server & Security Apr 21, 2020
@tbg tbg added the X-noremind Bots won't notify about PRs with X-noremind label May 6, 2021
@knz knz removed the X-noremind Bots won't notify about PRs with X-noremind label May 6, 2021
@knz knz marked this pull request as draft May 6, 2021 10:42
@knz
Copy link
Contributor Author

knz commented Feb 2, 2023

This PR was an attempt to fix some of the shortcomings now identified in #96427. It was very incomplete, and also based off incomplete understanding. We should re-do this work.

@knz knz closed this Feb 2, 2023
DB Server & Security automation moved this from Tech debt & Grouping attempts to Done 21.2 Feb 2, 2023
@knz knz deleted the 20200214-disauth branch February 2, 2023 18:46
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@andreimatei andreimatei Awaiting requested review from andreimatei

Assignees
No one assigned
Labels
None yet
Projects
DB Server & Security
  
Done 21.2
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

server: unauthenticated http requests running as root by default?
3 participants
@knz @cockroach-teamcity @tbg