release-21.2: security: remove the node TLS client cert exemption #71188
Conversation
![blathers-crl[bot]](https://avatars.githubusercontent.com/in/59700?s=60&v=4){kind=small}
This patch also fixes the TestComposeGSSPython test. Release note (security update): It is not possible any more to use a node TLS certificate to establish a SQL connection with another username than `node`. This facility had existed as an "escape hatch" so that an operator could use the node cert to perform operations on behalf of another SQL user. However, this facility is not necessary: an operator with access to a node cert can log in as `node` directly and create new credentials for another user anyway. By removing this facility, we tighten the guarantee that the principal in the TLS client cert always matches the SQL identity.
blathers-crl
bot
force-pushed
the
blathers/backport-release-21.2-71134
branch
from
986fe62
to
64c1481
Compare
blathers-crl
bot
requested review from
andy-kimball,
bdarnell,
catj-cockroach,
chrisseto and
knz
|
Thanks for opening a backport. Please check the backport criteria before merging:
If some of the basic criteria cannot be satisfied, ensure that the exceptional criteria are satisfied within.
Add a brief release justification to the body of your PR to justify this backport. Some other things to consider:
|
|
This change is |
There was a problem hiding this comment.
Reviewed 10 of 10 files at r1, all commit messages.
Reviewable status:complete! 0 of 0 LGTMs obtained (waiting on @andy-kimball, @bdarnell, @blathers-crl[bot], @chrisseto, and @knz)
pkg/acceptance/cluster/certs.go, line 42 at r1 (raw file):
maybePanic(security.CreateClientPair( certsDir, filepath.Join(certsDir, security.EmbeddedCAKey), 2048, 48*time.Hour, false, security.RootUserName(), true /* generate pk8 key */))
This looks like an unintentional side effect but one I'm not worried about.
pkg/acceptance/compose/gss/psql/start.sh, line 16 at r1 (raw file):
echo "Preparing SQL user ahead of test" env \ PGSSLKEY=/certs/client.root.key \
Not certain this is desired... I'll dig into this more.
pkg/acceptance/compose/gss/python/start.sh, line 14 at r1 (raw file):
echo psql | kinit tester@MY.EX export PGSSLKEY=/certs/client.root.key
Not certain this is desired either
|
The test failure in Github CI (Cockroach) was for the package |
There was a problem hiding this comment.
This looks good to me, I don't have any concerns about the code that's being changed by the backport.
Reviewable status:
pkg/acceptance/compose/gss/psql/start.sh, line 16 at r1 (raw file):
Previously, catj-cockroach (Cat J) wrote…
Not certain this is desired... I'll dig into this more.
Oh I missed that this was for creating a user for testing with, ignore this comment and the following comment regarding PGSSLKEY
There was a problem hiding this comment.
Reviewable status:
pkg/acceptance/cluster/certs.go, line 42 at r1 (raw file):
Previously, catj-cockroach (Cat J) wrote…
This looks like an unintentional side effect but one I'm not worried about.
It's absolutely necessary. The Docker image we use as base for the TestComposeGSS uses a version of debian which has a OpenSSL constraint on minimum key size. At key size 1024, the test fails with error message "ee key too small" when the key is loaded from disk.
Backport 1/1 commits from #71134 on behalf of @knz.
/cc @cockroachdb/release
Fixes #71102.
Release note (security update): It is not possible any more to use a
node TLS certificate to establish a SQL connection with another
username than
node. This facility had existed as an "escape hatch"so that an operator could use the node cert to perform operations on
behalf of another SQL user. However, this facility is not necessary:
an operator with access to a node cert can log in as
nodedirectlyand create new credentials for another user anyway. By removing
this facility, we tighten the guarantee that the principal in the TLS
client cert always matches the SQL identity.
Release justification: prevents a significant security risk in CC serverless