unauthorized user can drop system_auth from node without authorization #2346
Does this reproduce in Cassandra - I think it will.
AFAICT there is no code that checks that all the nodes have authorization
set up in the same way (or else there will not be a way to turn on/off
authorization on a running cluster via changing the config and rolling
restarts).
On Wed, May 3, 2017 at 11:58 AM, Andrei ***@***.***> wrote:
*Installation details*
Scylla version (or git commit hash): 666.development-0.20170427.14b9aa2
OS (RHEL/CentOS/Ubuntu/AWS AMI): Ubuntu16.04
steps
1. 2 nodes joined in the cluster. first node(127.0.0.1) is with
authorization parameters in config:
authenticator: org.apache.cassandra.auth.PasswordAuthenticator
authorizer: org.apache.cassandra.auth.CassandraAuthorizer
the second one(127.0.0.2) without
2. cqlsh connection looks as expected:
$ cqlsh 127.0.0.1
Connection error: ('Unable to connect to any servers', {'127.0.0.1': AuthenticationFailed('Remote end requires authentication.',)})
$ cqlsh 127.0.0.1 -u cassandra -p cassandra
Connected to test at 127.0.0.1:9042.
[cqlsh 5.0.1 | Cassandra 2.2.8 | CQL spec 3.3.1 | Native protocol v4]
Use HELP for help.
***@***.***>
[14]+ Stopped
$ cqlsh 127.0.0.2
Connected to test at 127.0.0.2:9042.
[cqlsh 5.0.1 | Cassandra 2.2.8 | CQL spec 3.3.1 | Native protocol v4]
Use HELP for help.
3. with cqlsh connection to host without authorizer we are
unauthorized to see users but able to drop system_auth
$ cqlsh 127.0.0.2
Connected to test at 127.0.0.2:9042.
[cqlsh 5.0.1 | Cassandra 2.2.8 | CQL spec 3.3.1 | Native protocol v4]
Use HELP for help.
cqlsh> LIST USERS ;
Unauthorized: Error from server: code=2100 [Unauthorized] message="You have to be logged in and not anonymous to perform this request"
cqlsh> DESCRIBE ;
Improper DESCRIBE command.
cqlsh> DESCRIBE KEYSPACEs;
system_traces system_auth system
cqlsh> drop keyspace system_auth;
OperationTimedOut: errors={'127.0.0.2': 'Client request timeout. See Session.execute[_async](timeout)'}, last_host=127.0.0.2
cqlsh> DESCRIBE KEYSPACEs;
system_traces system
cqlsh>
In short, an unauthorized user from _authorizer node can break
authorization for entire cluster
|
@abvgedeika can you please provide the additional information |
hi @slivne here are steps with the same scenarios in C*( 127.0.0.1 - with authorizer, 127.0.0.2 - without)
|
@slivne @abvgedeika There is more - in C* one can't ALTER any I suggest we don't follow the C* pattern exactly but rather allow the ALTER command on tables. This means that we should only forbid the DROP command on both |
@slivne @avi @abvgedeika In general this issue describes quite a serious security hole - this means that a malicious user may add a Node to the cluster (without authentication enabled) and bypass the authentication in the cluster. Is that right? If yes, then all authentication in scylla is a fake! Something is really fishy here... |
I thought about it a little more - maybe it's not a fake but in order to ensure any protection the cluster has to be strongly protected against such unauthorized Nodes, e.g. by keeping all Nodes in a secure VPN. @slivne, @tzach We have to make sure that this use case is very well described somewhere in our authentication documentation. |
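The thread notes that nothing verifies that every node has authorization set up the same way. The following is an added example, not code from the thread or from Scylla: an operator-side audit that compares the `authenticator` and `authorizer` keys across each node's config and flags nodes left open. The function names and the sample configs are constructed for illustration, and the `AllowAllAuthorizer` default is an assumption taken from Cassandra's stock defaults.

```python
import re

# Effective values when a key is absent. AllowAllAuthenticator is what the
# unconfigured node reports in this thread; AllowAllAuthorizer is assumed
# from Cassandra's stock defaults.
DEFAULTS = {"authenticator": "AllowAllAuthenticator",
            "authorizer": "AllowAllAuthorizer"}
KEY_RE = re.compile(r"^(authenticator|authorizer)\s*:\s*([^#\s]+)")

def auth_settings(config_text):
    """Effective authenticator/authorizer for one node's YAML config text."""
    found = dict(DEFAULTS)
    for line in config_text.splitlines():
        m = KEY_RE.match(line)  # top-level, uncommented keys only
        if m:
            # Keep the short class name so 'org.apache...X' equals 'X'.
            found[m.group(1)] = m.group(2).strip("'\"").rsplit(".", 1)[-1]
    return found

def audit_cluster(configs):
    """configs maps node address -> config text; returns the findings."""
    settings = {node: auth_settings(text) for node, text in configs.items()}
    mismatched, open_nodes = [], []
    for key in DEFAULTS:
        if len({s[key] for s in settings.values()}) > 1:
            mismatched.append(key)
        for node in sorted(settings):
            if settings[node][key].startswith("AllowAll"):
                open_nodes.append((node, key, settings[node][key]))
    return {"mismatched_keys": mismatched, "open_nodes": open_nodes}

# Constructed sample mirroring the two-node setup in the report.
SAMPLE = {
    "127.0.0.1": ("cluster_name: test\n"
                  "authenticator: org.apache.cassandra.auth.PasswordAuthenticator\n"
                  "authorizer: org.apache.cassandra.auth.CassandraAuthorizer\n"),
    "127.0.0.2": ("cluster_name: test\n"
                  "# authenticator: PasswordAuthenticator\n"),
}

if __name__ == "__main__":
    report = audit_cluster(SAMPLE)
    for node, key, value in report["open_nodes"]:
        print(f"{node}: {key} is {value} (no enforcement on this node)")
    print("settings that differ across nodes:", report["mismatched_keys"])
```

Running it over configs collected from every node before a node is allowed to join gives a concrete check for the condition this issue depends on.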
Why should we allow ALTER? |
A little more information. we are not able to CREATE/DROP/ALTER table from non-authorized node. we only can 'drop keyspace system_auth;'
After adding non-authorized node and waiting a little, we can't connect to authorized node at all:
|
On 05/10/2017 02:31 AM, Tzach Livyatan wrote:
I suggest we don't follow the C* pattern exactly but rather allow
the ALTER command on tables. This means that we should only forbid
the DROP command on both system_auth and system_traces keyspaces
and all their tables.
Why should we allow ALTER?
If the code assumes a system table schema, an ALTER will kill the code.
This ticket is not about system tables it's about system_auth (and
system_traces).
Why? - Because:
1) The first thing the admin has to do is to change the replication strategy and its parameters for system_auth.
2) The upgrade procedure assumes the tables in question are alterable.
|
On 05/10/2017 04:23 AM, Andrei wrote:
A little more information.
we are not able to CREATE/DROP/ALTER table from non-authorized node.
we only can 'drop keyspace system_auth;'
$ cqlsh 127.0.0.2
Connected to test at 127.0.0.2:9042.
[cqlsh 5.0.1 | Cassandra 2.2.8 | CQL spec 3.3.1 | Native protocol v4]
Use HELP for help.
cqlsh> LIST USERS ;
Unauthorized: Error from server: code=2100 [Unauthorized] message="You have to be logged in and not anonymous to perform this request"
cqlsh> CREATE USER Test WITH PASSWORD '12345';
InvalidRequest: Error from server: code=2200 [Invalid query] message="org.apache.cassandra.auth.AllowAllAuthenticator doesn't support PASSWORD option"
cqlsh> ALTER USER Test WITH PASSWORD '54321';
Unauthorized: Error from server: code=2100 [Unauthorized] message="You aren't allowed to alter this user"
Try using the ALTER TABLE command:
fred@cqlsh> alter table system_auth.users drop super ;
fred@cqlsh> alter table system_auth.users add super boolean;
fred@cqlsh>
cqlsh> DROP USER Test;
Unauthorized: Error from server: code=2100 [Unauthorized] message="You have to be logged in and not anonymous to perform this request"
After adding non-authorized node and waiting a little, we can't
connect to authorized node at all:
$ cqlsh 127.0.0.1 -u cassandra -p cassandra
Connection error: ('Unable to connect to any servers', {'127.0.0.1': AuthenticationFailed('Failed to authenticate to 127.0.0.1: Error from server: code=0100 [Bad credentials] message="authentication failed"',)})
$ cqlsh 127.0.0.1
Connection error: ('Unable to connect to any servers', {'127.0.0.1': AuthenticationFailed('Remote end requires authentication.',)})
|
@vladzcloudius
|
On 05/10/2017 02:23 PM, Andrei wrote:
@vladzcloudius <https://github.com/vladzcloudius>
yes, ALTER TABLE allows to change system_auth.users
Exactly, and as you may imagine, this is just as dangerous as the
original problem.
However this is inevitable if we want to support live upgrades and
extensions of the system_auth and system_traces tables.
If we want to be hermetically safe here we have to freeze schemas of these
tables and forbid any changes to them like C* does. However this would
have a few unpleasant effects:
1. Any change in the schema of the tables above will have to be done in
a form of creating a new table with the new set of columns
complicating everything: upgrade, managing tools, etc.
2. In case of any problem with these tables the Admin will have no
tools to handle it except for a complete wipe.
IMO the ALTER option should be allowed and the Admin should be wise
enough to ensure the proper security configuration in order to prevent
an unauthorized access to these tables (e.g. like in this ticket).
$ cqlsh 127.0.0.1
Connection error: ('Unable to connect to any servers', {'127.0.0.1': AuthenticationFailed('Remote end requires authentication.',)})
$ cqlsh 127.0.0.2
Connected to test at 127.0.0.2:9042.
[cqlsh 5.0.1 | Cassandra 2.2.8 | CQL spec 3.3.1 | Native protocol v4]
Use HELP for help.
cqlsh> alter table system_auth.users drop super ;
cqlsh> alter table system_auth.users add super boolean;
INFO 2017-05-10 21:20:21,210 [shard 0] schema_tables - Altering system_auth.users id=473588ad-9c79-38be-8b59-e06c10456ba0 version=df3c2cfc-7000-309b-8a85-137d593b08ff
INFO 2017-05-10 21:20:21,211 [shard 0] database - Setting compaction strategy of system_auth.users to SizeTieredCompactionStrategy
INFO 2017-05-10 21:20:21,245 [shard 0] query_processor - Column definitions for system_auth.users changed, invalidating related prepared statements
INFO 2017-05-10 21:20:21,248 [shard 0] database - Schema version changed to d10c292e-068a-3921-8119-5e9337eb0a53
INFO 2017-05-10 21:20:31,038 [shard 0] compaction - Compacting [/home/andrei/.dtest/dtest-bteDt5/test/node1/data/system/schema_columns-296e9c049bec3085827dc17d3df2122a/system-schema_columns-ka-15-Data.db:level=0, /home/andrei/.dtest/dtest-bteDt5/test/node1/data/system/schema_columns-296e9c049bec3085827dc17d3df2122a/system-schema_columns-ka-16-Data.db:level=0, /home/andrei/.dtest/dtest-bteDt5/test/node1/data/system/schema_columns-296e9c049bec3085827dc17d3df2122a/system-schema_columns-ka-14-Data.db:level=0, /home/andrei/.dtest/dtest-bteDt5/test/node1/data/system/schema_columns-296e9c049bec3085827dc17d3df2122a/system-schema_columns-ka-13-Data.db:level=0, ]
INFO 2017-05-10 21:20:32,339 [shard 0] compaction - Compacting [/home/andrei/.dtest/dtest-bteDt5/test/node1/data/system/schema_columnfamilies-45f5b36024bc3f83a3631034ea4fa697/system-schema_columnfamilies-ka-16-Data.db:level=0, /home/andrei/.dtest/dtest-bteDt5/test/node1/data/system/schema_columnfamilies-45f5b36024bc3f83a3631034ea4fa697/system-schema_columnfamilies-ka-15-Data.db:level=0, /home/andrei/.dtest/dtest-bteDt5/test/node1/data/system/schema_columnfamilies-45f5b36024bc3f83a3631034ea4fa697/system-schema_columnfamilies-ka-14-Data.db:level=0, /home/andrei/.dtest/dtest-bteDt5/test/node1/data/system/schema_columnfamilies-45f5b36024bc3f83a3631034ea4fa697/system-schema_columnfamilies-ka-13-Data.db:level=0, ]
INFO 2017-05-10 21:20:32,903 [shard 0] compaction - Compacted 4 sstables to [/home/andrei/.dtest/dtest-bteDt5/test/node1/data/system/schema_columns-296e9c049bec3085827dc17d3df2122a/system-schema_columns-ka-17-Data.db:level=0, ]. 45632 bytes to 44922 (~98% of original) in 1865ms = 0.02MB/s. ~1024 total partitions merged to 3.
INFO 2017-05-10 21:20:33,571 [shard 0] compaction - Compacted 4 sstables to [/home/andrei/.dtest/dtest-bteDt5/test/node1/data/system/schema_columnfamilies-45f5b36024bc3f83a3631034ea4fa697/system-schema_columnfamilies-ka-17-Data.db:level=0, ]. 51333 bytes to 46779 (~91% of original) in 1231ms = 0.04MB/s. ~1024 total partitions merged to 3.
INFO 2017-05-10 21:20:33,572 [shard 0] schema_tables - Altering system_auth.users id=473588ad-9c79-38be-8b59-e06c10456ba0 version=0a7f2ca9-9a35-33dd-ae3c-95bc51a669f1
INFO 2017-05-10 21:20:33,573 [shard 0] database - Setting compaction strategy of system_auth.users to SizeTieredCompactionStrategy
INFO 2017-05-10 21:20:33,573 [shard 0] query_processor - Column definitions for system_auth.users changed, invalidating related prepared statements
INFO 2017-05-10 21:20:33,575 [shard 0] database - Schema version changed to fcb59483-d9fc-3b2d-9131-76cc7ef14609
|
Installation details
Scylla version (or git commit hash): 666.development-0.20170427.14b9aa2
OS (RHEL/CentOS/Ubuntu/AWS AMI): Ubuntu16.04
steps
authenticator: org.apache.cassandra.auth.PasswordAuthenticator
authorizer: org.apache.cassandra.auth.CassandraAuthorizer
the second one(127.0.0.2) without
2) cqlsh connection looks as expected:
server's log:
In short, an unauthorized user from _authorizer node can break authorization for entire cluster