New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Bootstrapping of password-protected clusters #5490
Comments
Pinging @coffeemug @VeXocide @larkost @mlucy @encryptio @Tryneus . |
This is already an issue with our current auth key by the way. |
I am in favor of Option 2 for a few reasons:
There are also other possibilities that seem a more natural extension of it (and less like a reversal to me):
|
The problem I have with the second option is that it a) Is more work to design and implement, so it would probably delay the 2.3 release. b) That it comes with the annoyance of adding extra steps to bootstrapping and extending a cluster. I further think that the first approach does not interfere with cluster IDs if we want to add them later. I said in the writeup above that the admin password couldn't be changed in proposal 2 except by swapping out the file, but that is not an integral part of a cluster-ID-based approach. Instead we can base a cluster-ID based design on proposal 1, and simply have the ID file replace the initial password if one is provided. |
I talked to a few people about this offline. We're going with option 1 and will look into cluster IDs later. |
Variant 1 is implemented and in code review 3562 |
In |
_Status quo_
admin
account that doesn't have a password. If you don't need password protection, you can just start your cluster and connect. Once you set a password, it will propagate via a semilattice structure to all nodes that later join the cluster._The problem_
The problem arises when you add a new node to a live cluster. In that scenario there is going to be a brief moment where the node starts listening to client connections, but doesn't have the admin password yet. If an attacker gets lucky and connects to the new node at the right time, they could exploit this race condition to run arbitrary queries as admin.
We can delay accepting queries until we have synced the admin password with at least one other node. However this doesn't fully solve the issue. If you start up two new nodes at the same time, they might connect to each other and would still start serving queries without a password.
_Proposal 1_
--initial-pw
that takes one out of two values:auto
generates a random initial password<pw>
sets the specified initial passwordauto
is used.--initial-pw
is not given, the password-less admin account will be created just like now.server that has an admin password.
-<current time>
(that is minus current timestamp). That way the oldest initial password always wins when joining other nodes, but any manually configured password wins over any initial password.TODO: Think about also printing an auto-generated initial password to the log file. We might also want to print newer initial passwords if we receive them after connecting to a different node.
Typical scenarios with this proposal:
Scenario 1: Setting up a cluster without password protection
1. Start and join all nodes without a password (just like now)
Scenario 2: Setting up a new cluster in a trustworthy environment with password protection
1. Start and join all nodes without a password
2. Configure the admin password through the
users
tableScenario 3: Setting up a new cluster in an untrustworthy environment
1. Reconsider if you actually want to do this. You should probably use TLS instead.
2. Configure servers with an explicit
--initial-pw
3. Start and join all nodes
4. Change the admin password through the
users
tableScenario 4: Joining a new server into an existing password-protected cluster
1. Start and join the new server with the
--initial-pw auto
option(if you forget to specify that option, we'll print a helpful error message both
in the log of the new server, and in the log(s) of the existing server(s))
_Proposal 2 including cluster IDs_
This proposal is the result of a discussion with @larkost and @VeXocide. It also solves #1905 by introducing a cluster ID.
rethinkdb createpw
or something like that, though it should also work as a standalone script).Typical scenarios with this proposal:
Scenario 1: Setting up a cluster without password protection
1. Start and join all nodes without an ID+password file (just like now)
Scenario 2: Setting up a new cluster in a trustworthy environment with password protection
1. Create the ID+password file
2. Distribute the file to all nodes
3. Start and join all nodes
Scenario 3: Setting up a new cluster in an untrustworthy environment
1. Reconsider if you actually want to do this. You should probably use TLS instead.
2. Create the ID+password file
2. Distribute the file to all nodes
3. Start and join all nodes
Scenario 4: Joining a new server into an existing password-protected cluster
1. Copy the ID+password file onto the new node
2. Start and join the new node
The text was updated successfully, but these errors were encountered: