Document the fallout from crdb PR #42563 #6321
Conversation
|
This change is |
knz
force-pushed
the
20200110-sec-update
branch
from
035f639
to
dd6bbd8
Compare
knz
force-pushed
the
20200110-sec-update
branch
from
dd6bbd8
to
ff99e5e
Compare
|
Updated as requested by @mattcrdb to mention the privileged UI screens. |
There was a problem hiding this comment.
Sorry for the delay, @knz. This LGTM with a nit, but I'd like another writer on the team to review for concision. I'll find someone.
Reviewable status:
complete! 0 of 0 LGTMs obtained (waiting on @jseldess and @knz)
releases/v19.1.6.md, line 42 at r1 (raw file):
### Security updates - In previous releases, CockroachDB was allowing non-authenticated
nit: CockroachDB was allowing > CockroachDB allowed
releases/v19.2.2.md, line 44 at r1 (raw file):
- In previous releases, CockroachDB was allowing non-authenticated
Same as above.
There was a problem hiding this comment.
Reviewable status:
releases/v19.1.6.md, line 50 at r1 (raw file):
endpoints. A possible fallout from this change is that users might have
The second paragraph of a bullet needs to be indented two more times. Otherwise, you get:
Same applies below.
There was a problem hiding this comment.
Reviewable status:
releases/v19.1.6.md, line 56 at r1 (raw file):
workarounds, is discussed [here](https://github.com/cockroachdb/cockroach/issues/43870).
Suggest this wording for conciseness (turning the second paragraph into a callout):
-
CockroachDB previously allowed non-authenticated access to privileged HTTP endpoints like
/_admin/v1/events, which operate using root user permissions and can thus access (and sometimes modify) any and all data in the cluster. This security vulnerability has been patched by disallowing non-authenticated access to these endpoints.{{site.data.alerts.callout_danger}} Users who have built monitoring automation using these HTTP endpoints must modify their automation to work using an HTTP session token. Possible workarounds are discussed [here](https://github.com/cockroachdb/cockroach/issues/43870). {{site.data.alerts.end}}
releases/v19.1.6.md, line 72 at r1 (raw file):
further instructions and workarounds, is discussed [here](https://github.com/cockroachdb/cockroach/issues/43870). The main envisioned solution is [to enable the `root` to access the web
Does/should this refer to "the affected Admin UI screens"? This seems to imply that no user besides root can access the Admin UI.
releases/v19.1.6.md, line 75 at r1 (raw file):
UI](https://github.com/cockroachdb/cockroach/issues/43847) in a future version of CockroachDB.
Similar to above:
�- Some Admin UI screens (e.g., Jobs) were previously displayed using root user permissions, regardless of the logged-in user's credentials. This enabled insufficiently privileged users to access privileged information. This security vulnerability has been patched by using the credentials of the logged-in user to display all Admin UI pages, with insufficient privileges resulting in empty UI screens.
{{site.data.alerts.callout_danger}}
Users without a valid enterprise license are now unable to access certain Admin UI screens unless they have an admin role, which must be granted using a valid license. A future CockroachDB version may enable the `root` to access the Admin UI. Possible workarounds are discussed [here](https://github.com/cockroachdb/cockroach/issues/43870).
{{site.data.alerts.end}}
|
Do you mind taking this PR over and polish it as you see fit? |
|
cc @aaron-crl for your information |
|
Please also include a link to cockroachdb/cockroach#44033 for the blank pages in the UI. |
There was a problem hiding this comment.
Reviewed 4 of 4 files at r2.
Reviewable status:
There was a problem hiding this comment.
Reviewable status:
releases/v19.1.6.md, line 42 at r2 (raw file):
### Security updates - CockroachDB previously allowed non-authenticated access to privileged HTTP endpoints like `/_admin/v1/events`, which operate using root user permissions and can thus access (and sometimes modify) any and all data in the cluster. This security vulnerability has been patched by disallowing non-authenticated access to these endpoints.
root user > root user
releases/v19.1.6.md, line 48 at r2 (raw file):
{{site.data.alerts.end}} - Some Admin UI screens (e.g., Jobs) were previously displayed using root user permissions, regardless of the logged-in user's credentials. This enabled insufficiently privileged users to access privileged information. This security vulnerability has been patched by using the credentials of the logged-in user to display all Admin UI pages, with insufficient privileges resulting in empty UI screens.
root user > root user
releases/v19.1.6.md, line 51 at r2 (raw file):
{{site.data.alerts.callout_info}} Users without a valid enterprise license are now unable to access certain Admin UI screens unless they have an admin role, which must be granted using a valid license. Possible workarounds are discussed [here](https://github.com/cockroachdb/cockroach/issues/43870). A future CockroachDB version may [enable the `root` to access the Admin UI](https://github.com/cockroachdb/cockroach/issues/43847).
admin role > admin role
the root to access > the root user to access
releases/v19.1.6.md, line 87 at r2 (raw file):
| `/_status/stores/{node_id}` | Store details | Operational details | | Note: "special" endpoints are subject to the cluster setting
Maybe make this an info callout? Also make cluster setting a link:
[cluster setting](../v20.1/cluster-settings.html)
There was a problem hiding this comment.
looking at it again, there's a link and a sentence missing. I'm also synchronizing my comments here with Artem's doc :)
Reviewable status:
There was a problem hiding this comment.
Reviewable status:
releases/v19.1.6.md, line 42 at r2 (raw file):
### Security updates - CockroachDB previously allowed non-authenticated access to privileged HTTP endpoints like `/_admin/v1/events`, which operate using root user permissions and can thus access (and sometimes modify) any and all data in the cluster. This security vulnerability has been patched by disallowing non-authenticated access to these endpoints.
to these endpoints and restricting access to admin users only.
releases/v19.1.6.md, line 45 at r2 (raw file):
{{site.data.alerts.callout_info}} Users who have built monitoring automation using these HTTP endpoints must modify their automation to work using an HTTP session token. Possible workarounds are discussed [here](https://github.com/cockroachdb/cockroach/issues/43870).
using an HTTP session token for an admin user.
releases/v19.1.6.md, line 51 at r2 (raw file):
{{site.data.alerts.callout_info}} Users without a valid enterprise license are now unable to access certain Admin UI screens unless they have an admin role, which must be granted using a valid license. Possible workarounds are discussed [here](https://github.com/cockroachdb/cockroach/issues/43870). A future CockroachDB version may [enable the `root` to access the Admin UI](https://github.com/cockroachdb/cockroach/issues/43847).
Please remove all references to "enabling root to have a password" in the release note. It's not yet sure that this will be the preferred solution, in fact it's more likely we're going to backport cockroachdb/cockroach#43872 instead (but we don't know for sure). The link to the issue is the most important.
releases/v19.1.6.md, line 51 at r2 (raw file):
{{site.data.alerts.callout_info}} Users without a valid enterprise license are now unable to access certain Admin UI screens unless they have an admin role, which must be granted using a valid license. Possible workarounds are discussed [here](https://github.com/cockroachdb/cockroach/issues/43870). A future CockroachDB version may [enable the `root` to access the Admin UI](https://github.com/cockroachdb/cockroach/issues/43847).
The issue link must not be to issue 43870 for the second point; the relevant issue link is cockroachdb/cockroach#44033 (separate issue)
releases/v19.1.6.md, line 90 at r2 (raw file):
`server.remote_debugging.mode`. Unless the setting was customized, clients are only able to connect from the same machine as the node.
The list of UI pages affected by the second issue above includes but is not limited to:
- Job details
- Database details
- Table details
- Zone configurations
There was a problem hiding this comment.
Reviewed 1 of 4 files at r3.
Reviewable status:
releases/v19.1.6.md, line 51 at r3 (raw file):
This sentence currently implies that we've changed the product to remove the functionality for non-admin users. This is not the case. The current limitation is a bug and will be fixed. I recommend the following:
Access to these Admin UI pages is currently restricted to admin users only. We acknowledge this is a regression and intend to resolve this limitation as soon as possible in a patch revision. This situation is discussed further in (link to issue 44033).
There was a problem hiding this comment.
Another thing: the general sentiment that "a license is currently necessary to access these things" is applicable to both points, not just the second point. This is also a a known limitation which we intend to lift with another product upgrade.
To summarize there are two known limitations as a result of the change:
-
rootcannot use HTTP login and a license is needed to create an admin user other thanroot. This limitation affects both points above. The workaround is to use a temporary eval license to create the 2nd admin user. This workaround is discussed on both issues 43870 and 44033. We intend to provide a product feature to enable root access to the HTTP endpoints (UI and monitoring), for core users without a license. -
access to the Jobs page, database details etc is currently limited to admin users. This is not intended (these pages should be accessible to non-admin users as well). This is a bug that was there before and only became visible due to the sec fix. This situation is discussed in issue 44033 and we intend to patch it.
Reviewable status:
knz
force-pushed
the
20200110-sec-update
branch
from
3d76b43
to
c9b773e
Compare
knz
force-pushed
the
20200110-sec-update
branch
2 times, most recently
from
1b4ee9e
to
3da617b
Compare
|
I have propagated the new understanding to the text. PTAL |
knz
force-pushed
the
20200110-sec-update
branch
from
3da617b
to
eb96493
Compare
knz
force-pushed
the
20200110-sec-update
branch
from
eb96493
to
81af56e
Compare
There was a problem hiding this comment.
Reviewable status:
releases/v19.1.6.md, line 50 at r1 (raw file):
Previously, jseldess (Jesse Seldess) wrote…
The second paragraph of a bullet needs to be indented two more times. Otherwise, you get:
Same applies below.
Done
releases/v19.1.6.md, line 56 at r1 (raw file):
Previously, taroface (Ryan Kuo) wrote…
Suggest this wording for conciseness (turning the second paragraph into a callout):
CockroachDB previously allowed non-authenticated access to privileged HTTP endpoints like
/_admin/v1/events, which operate using root user permissions and can thus access (and sometimes modify) any and all data in the cluster. This security vulnerability has been patched by disallowing non-authenticated access to these endpoints.{{site.data.alerts.callout_danger}} Users who have built monitoring automation using these HTTP endpoints must modify their automation to work using an HTTP session token. Possible workarounds are discussed [here](https://github.com/cockroachdb/cockroach/issues/43870). {{site.data.alerts.end}}
Done
releases/v19.1.6.md, line 72 at r1 (raw file):
Previously, taroface (Ryan Kuo) wrote…
Does/should this refer to "the affected Admin UI screens"? This seems to imply that no user besides
rootcan access the Admin UI.
Addressed above.
releases/v19.1.6.md, line 75 at r1 (raw file):
Previously, taroface (Ryan Kuo) wrote…
Similar to above:
�- Some Admin UI screens (e.g., Jobs) were previously displayed using root user permissions, regardless of the logged-in user's credentials. This enabled insufficiently privileged users to access privileged information. This security vulnerability has been patched by using the credentials of the logged-in user to display all Admin UI pages, with insufficient privileges resulting in empty UI screens.
{{site.data.alerts.callout_danger}} Users without a valid enterprise license are now unable to access certain Admin UI screens unless they have an admin role, which must be granted using a valid license. A future CockroachDB version may enable the `root` to access the Admin UI. Possible workarounds are discussed [here](https://github.com/cockroachdb/cockroach/issues/43870). {{site.data.alerts.end}}
Done
releases/v19.1.6.md, line 42 at r2 (raw file):
Previously, jseldess (Jesse Seldess) wrote…
root user >
rootuser
Done.
releases/v19.1.6.md, line 48 at r2 (raw file):
Previously, jseldess (Jesse Seldess) wrote…
root user >
rootuser
Done
releases/v19.1.6.md, line 51 at r2 (raw file):
Previously, jseldess (Jesse Seldess) wrote…
admin role >
adminrolethe
rootto access > therootuser to access
Done
releases/v19.1.6.md, line 87 at r2 (raw file):
Previously, jseldess (Jesse Seldess) wrote…
Maybe make this an info callout? Also make
cluster settinga link:
[cluster setting](../v20.1/cluster-settings.html)
Done
releases/v19.2.2.md, line 44 at r1 (raw file):
Previously, jseldess (Jesse Seldess) wrote…
Same as above.
Done.
There was a problem hiding this comment.
Reviewable status:
releases/v19.1.6.md, line 87 at r2 (raw file):
Previously, knz (kena) wrote…
Done
Thanks, @knz. But now you should remove Note: as that language is added automatically by the callout style.
Also, the link should point to v19.1, not v20.1.
releases/v19.2.2.md, line 101 at r6 (raw file):
{{site.data.alerts.callout_info}} Note: "special" endpoints are subject to the [cluster setting](../v20.1/cluster-settings.html)
Remove Note: and the link should point to v19.2, not v20.1.
releases/v2.1.10.md, line 100 at r6 (raw file):
{{site.data.alerts.callout_info}} Note: "special" endpoints are subject to the [cluster setting](../v20.1/cluster-settings.html)
Remove Note: and the link should point to v2.1, not v20.1.
knz
force-pushed
the
20200110-sec-update
branch
from
81af56e
to
1e4ae7f
Compare
There was a problem hiding this comment.
Reviewable status:
releases/v19.1.6.md, line 87 at r2 (raw file):
Previously, jseldess (Jesse Seldess) wrote…
Thanks, @knz. But now you should remove
Note:as that language is added automatically by the callout style.Also, the link should point to
v19.1, notv20.1.
Done.
releases/v19.2.2.md, line 101 at r6 (raw file):
Previously, jseldess (Jesse Seldess) wrote…
Remove
Note:and the link should point tov19.2, notv20.1.
Done.
releases/v2.1.10.md, line 100 at r6 (raw file):
Previously, jseldess (Jesse Seldess) wrote…
Remove
Note:and the link should point tov2.1, notv20.1.
Done.
|
@tim-o requests:
|
No description provided.