Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

release-20.2: security: allow colons in cert-principal-map principals #67811

Merged
merged 1 commit into from
Jul 20, 2021
Merged

release-20.2: security: allow colons in cert-principal-map principals #67811

merged 1 commit into from
Jul 20, 2021

Conversation

blathers-crl[bot]
Copy link

@blathers-crl blathers-crl bot commented Jul 20, 2021
edited by knz
Loading

Backport 1/1 commits from #67703 on behalf of @bobvawter.

/cc @cockroachdb/release

Customers whose internal certificate authority issues certificates with colons
in the principal name were unable to use the cert-principal-map flag.

This change makes the flag-parsing logic split each mapping on the last colon
in the mapping. This does not change the interpretation of existing uses of the
flag, but allows principal names with colons to be used without any need for
escape sequences.

Fixes #66435

Release note (cli change): The cert-principal-map flag now allows the
certificate principal name to contain colons.

Release justification: low risk, high benefit changes to existing functionality

@blathers-crl blathers-crl bot requested a review from a team as a code owner July 20, 2021 16:54
@blathers-crl blathers-crl bot force-pushed the blathers/backport-release-20.2-67703 branch from 108192d to 92d00c2 Compare July 20, 2021 16:54
@blathers-crl blathers-crl bot requested a review from knz July 20, 2021 16:54
@blathers-crl
Copy link
Author

blathers-crl bot commented Jul 20, 2021
edited by knz
Loading

Thanks for opening a backport.

Please check the backport criteria before merging:

  • Patches should only be created for serious issues.
  • Patches should not break backwards-compatibility.
  • Patches should change as little code as possible.
  • Patches should not change on-disk formats or node communication protocols.
  • Patches should not add new functionality.
If some of the basic criteria cannot be satisfied, ensure that the exceptional criteria are satisfied within.
  • There is a high priority need for the functionality that cannot wait until the next release and is difficult to address in another way.
  • The new functionality is additive-only and only runs for clusters which have specifically “opted in” to it (e.g. by a cluster setting).
  • New code is protected by a conditional check that is trivial to verify and ensures that it only runs for opt-in clusters.
  • The PM and TL on the team that owns the changed code have signed off that the change obeys the above rules.

Add a brief release justification to the body of your PR to justify this backport.

Some other things to consider:

  • What did we do to ensure that a user that doesn’t know & care about this backport, has no idea that it happened?
  • Will this work in a cluster of mixed patch versions? Did we test that?
  • If a user upgrades a patch version, uses this feature, and then downgrades, what happens?

@cockroach-teamcity
Copy link
Member

This change is Reviewable

@bobvawter
security: allow colons in cert-principal-map principals
cd61134 
Customers whose internal certificate authority issues certificates with colons
in the principal name were unable to use the cert-principal-map flag.

This change makes the flag-parsing logic split each mapping on the last colon
in the mapping. This does not change the interpretation of existing uses of the
flag, but allows principal names with colons to be used without any need for
escape sequences.

Fixes #66435

Release note (security update): The cert-principal-map flag now allows the
certificate principal name to contain colons.

Release justification: This is a trivial and backwards-compatible change to how
the cert-principal-map CLI flag is interpreted. Not having this is blocking a
customer from rolling CockroachDB out into production.
@bobvawter bobvawter force-pushed the blathers/backport-release-20.2-67703 branch from 92d00c2 to cd61134 Compare July 20, 2021 17:00
@bobvawter bobvawter merged commit 8e04bb2 into release-20.2 Jul 20, 2021
@bobvawter bobvawter deleted the blathers/backport-release-20.2-67703 branch July 20, 2021 17:57
@mikeCRL mikeCRL mentioned this pull request Nov 22, 2021
Open
@exalate-issue-sync exalate-issue-sync bot mentioned this pull request Jun 8, 2022
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@knz knz knz approved these changes

Assignees

@bobvawter bobvawter

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
3 participants
@cockroach-teamcity @knz @bobvawter