Authentication? HTTPS? #23

Closed
isbm opened this issue Mar 23, 2020 · 5 comments

isbm commented Mar 23, 2020

Hi!
Is there any way to secure the cluster? Because running it all plain open is a complete dealbreaker...

mosuka (Owner) commented Mar 24, 2020

Hi @isbm ,
Unfortunately, authentication is not supported yet.
However, I'm working on supporting TLS now.
#25

isbm (Author) commented Mar 24, 2020

Well, security first, before anything else. Actually it would be a big push up for this project if you add TLS and authentication, at least password-based. Because having a cluster of whatever store that everyone can write random garbage into so easily is of absolutely no use. Currently I am looking for something like TiKV, but tinier, simpler and in Go. Cete is exactly what it could be... I could potentially contribute that, but TLS and auth are quite simple to add, and yet you know your code very well already, while I don't have enough bandwidth to do this.

Please! m(._.)m

mosuka (Owner) commented Mar 26, 2020

Hi @isbm ,
Sorry for the late reply and thank you for your comment. :)
You said "at least password-based", but does that mean Basic Auth?
https://tools.ietf.org/html/rfc2617

isbm (Author) commented Mar 26, 2020

Osuka-san, yeah, it can be Basic Auth. For all the endpoints, like gRPC (examples), HTTPS etc. Just don't do that Google-based auth, because what if your Cete cluster is offline in some datacenter... 😉

Essentially, it would be cool if you could also move all the CLI options to some YAML-like config, so we could just run it like so:

`cete -c /etc/cete.conf`

Done! And so then you have inside something like:

auth:
  token: some_very_secret_token_to_connect_to_everything

general:
  mode: master
  grpc: :8888
  https: :8080
  ssl: true

...and so on.

So as a start, we could just share that very secret token across the cluster (e.g. in HTTPS you can carry it in a header) in configs and that's it for starters. Then later on we could add RSA-based auth.

Since you are basically resembling TiKV (which makes your effort very cool!), then why not just steal the authentication ideas from them? :-) Essentially, for my project I need something like TiKV, but it is written in Rust and is a pig-size binary (about 0.5GB !!!). So Cete could do the job perfectly and I think do it very well.
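
The shared-token idea from the comment above (one secret kept in the config and carried in a header over HTTPS), sketched as Go HTTP middleware. This is an added example, not part of the original thread and not Cete's code; the `Authorization: Bearer` scheme, the `/kv/key1` path and all function names are assumptions.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// requireToken rejects any request that does not carry the shared cluster
// token as "Authorization: Bearer <token>" (header scheme assumed here).
func requireToken(token string, next http.Handler) http.Handler {
	want := sha256.Sum256([]byte(token))
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		hdr := r.Header.Get("Authorization")
		got := sha256.Sum256([]byte(strings.TrimPrefix(hdr, "Bearer ")))
		// Fixed-size digests keep the compare constant-time; empty config fails closed.
		ok := strings.HasPrefix(hdr, "Bearer ") && token != "" &&
			subtle.ConstantTimeCompare(got[:], want[:]) == 1
		if !ok {
			w.Header().Set("WWW-Authenticate", `Bearer realm="cluster"`)
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// statusFor sends one constructed write through a protected stand-in store handler.
func statusFor(configured, authHeader string) int {
	store := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.WriteHeader(http.StatusNoContent)
	})
	req := httptest.NewRequest(http.MethodPut, "/kv/key1", strings.NewReader("v"))
	if authHeader != "" {
		req.Header.Set("Authorization", authHeader)
	}
	rec := httptest.NewRecorder()
	requireToken(configured, store).ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	const tok = "constructed-sample-token" // sample value, not a real secret
	fmt.Println(statusFor(tok, "Bearer "+tok), statusFor(tok, "Bearer wrong"),
		statusFor(tok, ""), statusFor("", "Bearer "))
}
```

A static bearer token is only as confidential as the transport, so this check belongs behind TLS on every listener that accepts it.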

mosuka (Owner) commented Apr 1, 2020

Hi @isbm ,
I released v0.3.1.
https://github.com/mosuka/cete/releases/tag/v0.3.1

I have implemented a simple TLS Authentication.
https://github.com/mosuka/cete#secure-cluster-example

Also, the CLI has been changed to support YAML configuration files.
https://github.com/mosuka/cete/blob/master/etc/cete.yaml

This is the first time I've implemented TLS support, so I'm not sure it meets your needs. Would you try it out?

mosuka closed this as completed Apr 6, 2020