The weave overlay network between the host nodes in a grid uses a shared secret for encryption. The agent currently uses the node info grid token as the weave secret. The same grid token is also used for the agent websocket RPC authentication as provisioned via the host node cloud-config, and thus cannot be changed (#1973). The agent does not currently support re-configuring weave with a different shared secret.
The master should provide a separate per-grid weave secret via the grid/node info, with support for some form of key rollover to deal with host node / grid token compromises. Without any weave-level support for graceful key rollover, this would mean that each agent would restart weave to reconfigure it with the new shared secret. While this would lead to a temporary disruption of overlay network traffic, it would work as an emergency measure for dealing with compromised grid tokens.
With a separate weave token, the actual grid token used for websocket RPC authentication could also be left out of the node info RPCs, minimizing the #1973 security headaches.
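An added example (not Kontena's or weave's own code) sketching the rollover this issue proposes: the master mints a versioned per-grid weave secret that is unrelated to the grid token, and the agent restarts weave only when the master hands out a new version, refusing a replayed older node info that would roll the overlay back to a rotated-out secret. The `weave` key and its `version`/`secret` fields in node info, and the bare `weave reset` / `weave launch` commands, are assumptions for the example; `WEAVE_PASSWORD` is weave's own environment variable for the shared password.

```ruby
require 'securerandom'

# Master side (hypothetical helper): mint a new weave secret. It is random and
# derived from nothing else, so a grid token compromise does not expose the
# overlay key, and rotating the overlay key does not touch RPC authentication.
# The field names 'version' and 'secret' are assumptions for this example.
def new_weave_secret(previous_version = 0)
  { 'version' => previous_version + 1, 'secret' => SecureRandom.hex(32) }
end

# Agent side (hypothetical): remember the secret weave was last launched with
# and decide whether weave has to be reset and relaunched with a new password.
class WeaveReconfigurer
  attr_reader :current_version

  def initialize
    @current_version = 0
    @current_secret = nil
  end

  # node_info is assumed to be the hash the master sends over the RPC, with the
  # weave secret under node_info['weave']. Returns nil when nothing changed,
  # otherwise a restart plan { env:, commands: }. Nothing is executed here.
  def plan(node_info)
    weave = node_info.fetch('weave')
    version = Integer(weave.fetch('version'))
    secret = weave.fetch('secret')

    # Reject rollback: a replayed older node_info must not be able to revert
    # the overlay to a secret that was rotated out because it was compromised.
    if version < @current_version
      raise ArgumentError, "weave secret version #{version} older than current #{@current_version}"
    end
    # A changed secret must come with a new version, otherwise agents could
    # disagree about which secret a given version means.
    if version == @current_version && !@current_secret.nil? && secret != @current_secret
      raise ArgumentError, 'weave secret changed without a version bump'
    end
    return nil if version == @current_version && secret == @current_secret

    @current_version = version
    @current_secret = secret
    {
      # Hand the password to weave via WEAVE_PASSWORD rather than --password on
      # argv, so it does not appear in process listings on the host.
      env: { 'WEAVE_PASSWORD' => secret },
      # The real launch flags (IPAM range, DNS, ...) are omitted. `weave reset`
      # tears down the running router so the relaunch picks up the new password;
      # overlay traffic is disrupted until peers have all reconnected.
      commands: [%w[weave reset], %w[weave launch]]
    }
  end
end
```

Because the plan is returned instead of executed, the decision logic (restart on a new version, no-op on an unchanged one, refuse rollback) can be unit tested without a weave installation; an agent would run the commands with the returned environment.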
SpComb changed the title from "Support for a separate weave shared secret with rollover" to "Support for a separate weave shared secret with rollover support via weave reconfiguration" on Jun 20, 2017.