
release-20.2: cli: report on the undesirability of --insecure differently #55025

Merged
merged 1 commit into from Sep 30, 2020

Conversation

knz
Contributor

@knz knz commented Sep 30, 2020

Backport 1/1 commits from #54927.

/cc @cockroachdb/release

Two changes here:

- do not report a penalty in client commands using a warning;
  the choice to use insecure mode is done by the server's
  administrator and clients cannot influence it.

- make the command-line flag visible in the `--help` text again,
  but with a clearer explanation of its effects.

Example server warning, in v20.1 ("before"):
```
* WARNING: RUNNING IN INSECURE MODE!
*
* - Your cluster is open for any client that can access <all your IP addresses>.
* - Any user, even root, can log in without providing a password.
* - Any user, connecting as root, can read or write any data in your cluster.
* - There is no network encryption nor authentication, and thus no confidentiality.
*
* Check out how to secure your cluster: https://www.cockroachlabs.com/docs/v20.1/secure-a-cluster.html
```

Example server warning, in v20.2 ("after"):
```
* WARNING: ALL SECURITY CONTROLS HAVE BEEN DISABLED!
*
* This mode is intended for non-production testing only.
*
* In this mode:
* - Your cluster is open to any client that can access any of your IP addresses.
* - Intruders with access to your machine or network can observe client-server traffic.
* - Intruders can log in without password and read or write any data in the cluster.
* - Intruders can consume all your server's resources and cause unavailability.
*
*
* INFO: To start a secure server without mandating TLS for clients,
* consider --accept-sql-without-tls instead. For other options, see:
*
* - https://go.crdb.dev/issue-v/53404/v20.2
* - https://www.cockroachlabs.com/docs/v20.2/secure-a-cluster.html
```

Example `--help` text for *client* commands, before:
```
Connect to an insecure cluster. This is strongly discouraged for
production usage.
```

After:
```
Connect to a cluster without using TLS nor authentication. This makes
the client-server connection vulnerable to MITM attacks. Use with care.
```

Example `--help` text for *server* commands, before:
```
Start an insecure node, using unencrypted (non-TLS) connections,
listening on all IP addresses (unless --listen-addr is provided) and
disabling password authentication for all database users. This is
strongly discouraged for production usage and should never be used on a
public network without combining it with --listen-addr.
```

After:
```
Start a node with all security controls disabled. There is no
encryption, no authentication and internal security checks are also
disabled. This makes any client able to take over the entire cluster.

This flag is only intended for non-production testing.

Beware that using this flag on a public network without --listen-addr
is likely to cause the entire host server to become compromised.

To simply accept non-TLS connections for SQL clients while keeping the
cluster secure, consider using --accept-sql-without-tls instead. Also
see: https://go.crdb.dev/issue-v/53404/v20.2
```

Release note (cli change): The `--help` texts and informational
messages upon server start-up have been modified to better inform
the user about the nature and risks of the `--insecure` flag.
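As an added defender-side example (not part of this PR or of CockroachDB's own code), a small Go audit that grades a `cockroach start` command line along the distinctions the description draws: `--insecure` on all interfaces, `--insecure` confined by `--listen-addr`, `--accept-sql-without-tls` with the cluster otherwise secure, or none of these. The flag-parsing rules (`--name=value`, `--name value`, bare `--name`) are an assumption of this example, not the project's parser.

```go
package main

import "strings"

// Risk grades a `cockroach start` command line by the distinctions the PR description draws.
type Risk int

const (
	Secure          Risk = iota // TLS and authentication in force
	SQLWithoutTLS               // --accept-sql-without-tls: cluster secure, SQL traffic in clear
	InsecureBound               // --insecure, but reachability limited by --listen-addr
	InsecureExposed             // --insecure on all interfaces: the case the warning singles out
)

// parseFlags collects --name=value, --name value and bare --name (stored as "true").
// These parsing rules are an assumption of this example, not CockroachDB's own.
func parseFlags(args []string) map[string]string {
	flags := map[string]string{}
	for i := 0; i < len(args); i++ {
		if !strings.HasPrefix(args[i], "--") {
			continue // subcommand or positional argument
		}
		parts := strings.SplitN(strings.TrimPrefix(args[i], "--"), "=", 2)
		switch {
		case len(parts) == 2:
			flags[parts[0]] = parts[1]
		case i+1 < len(args) && !strings.HasPrefix(args[i+1], "--"):
			flags[parts[0]] = args[i+1] // value given as a separate token
			i++
		default:
			flags[parts[0]] = "true" // bare boolean flag such as --insecure
		}
	}
	return flags
}

// Classify returns the risk level implied by the flags on a start command line.
func Classify(args []string) Risk {
	f := parseFlags(args)
	if f["insecure"] == "true" {
		if f["listen-addr"] != "" {
			return InsecureBound
		}
		return InsecureExposed
	}
	if f["accept-sql-without-tls"] == "true" {
		return SQLWithoutTLS
	}
	return Secure
}
```

Run over the argument vectors of the processes you find on a host (for example from `ps`), it flags the `--insecure`-without-`--listen-addr` combination the new `--help` text warns about.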
@knz knz requested review from bdarnell and tbg September 30, 2020 08:58
@knz knz requested a review from a team as a code owner September 30, 2020 08:58
@knz knz added this to In progress in DB Server & Security via automation Sep 30, 2020
@cockroach-teamcity
Member

This change is Reviewable

@knz knz merged commit 50642b8 into cockroachdb:release-20.2 Sep 30, 2020
DB Server & Security automation moved this from In progress to Done 21.1 Sep 30, 2020
@knz knz deleted the backport20.2-54927 branch September 30, 2020 10:05