-
Notifications
You must be signed in to change notification settings - Fork 4.4k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[1.8.x] rpc: authorize raft requests #10933
Conversation
By checking the names in the verified certificate chain
In preparation for fixing Raft RPC authorization this change is made to the tlsutil.Configurator to store a CertPool which will omit the Connect CA certificate. This commit also removes the need to append slices of PEMs together. The append function can modify the backing array of the first slice passed to append, and that can often lead to difficult to understand bugs. It's not clear to me if the use of append here would actually cause such bugs, but it was easier to remove the use of append than to prove the bug existed. Removing the use of append should also prevent any such bugs from happening in the future.
Connect CA certs could potentially contain DNSNames that match Consul servers. So to prevent those certificates from being used to gain unauthorized access we verify that the connection performing the raft RPC has a certificate signed by the agent TLS CA. Also add tests cases for ConnectCA leaf cert, which fail without this change.
This test started to fail because the CertFile used is no longer allowed to perform Raft RPC (it must not have a valid DNSName). From my reading of this test, it is intended to limit client connections, so we can probably test with a different byte that would be used by clients. There's no special handling for the RPCRaft byte, so I believe the test is still valid after this change.
The requester is a "Server" in Consul's architecture, but is a Client from the perspective of this RPC request. Co-authored-by: Paul Banks <banks@banksco.de>
This pull request is being automatically deployed with Vercel (learn more). consul – ./website🔍 Inspect: https://vercel.com/hashicorp/consul/Hr15WZmF9FWHJQ9miC4TAhNZbiCS [Deployment for 8f8bede failed] consul-ui-staging – ./ui🔍 Inspect: https://vercel.com/hashicorp/consul-ui-staging/CsLUyXt64wibgojHya7fhET7JYW9 [Deployment for 8f8bede failed] |
Co-authored-by: Kent 'picat' Gruber <kent@hashicorp.com>
…icorp/consul into dnephin/backport-1.8-raft-authz-fix
Backport of #10925