Description
Problem:
With mandatory authorization enabled (enforce_user_token_requirement: true), it is impossible to perform the initial cluster bootstrap. The admin cluster bootstrap command, when using mTLS certificates (the only available method for a "clean" cluster), hangs indefinitely and never completes.
Context:
For the initial cluster bootstrap, client certificate authentication (using the --client-cert-file and --client-cert-key-file flags) is the intended method, because SchemeShard is not yet running and standard token-based authentication is therefore impossible. These sections of config.yaml configure bootstrap mTLS authentication:
security_config:
  enforce_user_token_requirement: true
  bootstrap_allowed_sids:
    - "clusteradmins@cert"
client_certificate_authorization:
  request_client_certificate: true
  client_certificate_definitions:
    - member_groups: ["clusteradmins@cert"]
      subject_terms:
        - short_name: "O"
          values: ["YDB"]
Root Cause:
The issue is a chicken-and-egg deadlock:
A BootstrapCluster request arrives at TGRpcRequestProxyImpl, where it reaches this check:
if (state.State == NYdbGrpc::TAuthState::AS_NOT_PERFORMED) {
Since the authentication state is AS_NOT_PERFORMED, the proxy's standard logic defers the request while it attempts to fetch database information (/Root) from SchemeBoard. This step is necessary for subsequent access control checks.
However, SchemeBoard cannot start until the cluster has been successfully initialized by the BootstrapCluster RPC.
As a result, GRpcProxy waits for a response from SchemeBoard that will never arrive. The request hangs and never reaches its handler, which is responsible for performing the actual certificate-based authentication.
Proposed Solution:
The proposal is a workaround specific to this request: it performs the same steps as TGrpcRequestCheckActor (https://github.com/ydb-platform/ydb/blob/main/ydb/core/grpc_services/grpc_request_check_actor.h), namely sending the client certificate to TicketParser to obtain a token, before the request is handed to the generic SchemeBoard-dependent path.
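To make both the root cause and the proposed solution concrete, here is an added model (example code, not YDB's own; every type and function name below is hypothetical, and it does not reproduce TicketParser's real interface). It maps a certificate subject to a SID through client_certificate_definitions, checks that SID against bootstrap_allowed_sids, and contrasts the generic proxy path, where an AS_NOT_PERFORMED request first waits for /Root from SchemeBoard, with a bootstrap-specific path that authenticates from the certificate before SchemeBoard is consulted. The configuration values are the ones quoted in the issue; the certificate subjects are constructed samples.

```cpp
// Added model, not YDB code: certificate subject -> SID mapping, the
// bootstrap_allowed_sids check, and the two proxy routing paths discussed
// in the issue. All names here are hypothetical.
#include <algorithm>
#include <map>
#include <string>
#include <vector>

// A parsed certificate subject, e.g. {"O": "YDB", "CN": "admin"}.
using Subject = std::map<std::string, std::string>;

// One entry of client_certificate_definitions: subject_terms -> member_groups.
struct CertDefinition {
    std::map<std::string, std::vector<std::string>> subjectTerms; // "O" -> {"YDB"}
    std::vector<std::string> memberGroups;                        // {"clusteradmins@cert"}
};

// Mirrors the security_config / client_certificate_authorization sections.
struct SecurityConfig {
    bool enforceUserTokenRequirement = true;
    std::vector<std::string> bootstrapAllowedSids;
    std::vector<CertDefinition> certDefinitions;
};

static bool Contains(const std::vector<std::string>& v, const std::string& s) {
    return std::find(v.begin(), v.end(), s) != v.end();
}

// Every definition whose subject_terms all match contributes its member_groups.
std::vector<std::string> GroupsForSubject(const SecurityConfig& cfg, const Subject& subject) {
    std::vector<std::string> groups;
    for (const auto& def : cfg.certDefinitions) {
        bool allMatch = true;
        for (const auto& term : def.subjectTerms) {
            auto it = subject.find(term.first);
            if (it == subject.end() || !Contains(term.second, it->second)) {
                allMatch = false;
                break;
            }
        }
        if (allMatch)
            groups.insert(groups.end(), def.memberGroups.begin(), def.memberGroups.end());
    }
    return groups;
}

// A subject may bootstrap only if one of its groups is in bootstrap_allowed_sids.
bool MayBootstrap(const SecurityConfig& cfg, const Subject& subject) {
    for (const auto& g : GroupsForSubject(cfg, subject))
        if (Contains(cfg.bootstrapAllowedSids, g)) return true;
    return false;
}

enum class AuthState { AS_NOT_PERFORMED, AS_OK };
enum class Outcome { Handled, Rejected, DeferredForever };

struct Request {
    std::string rpc;                               // "BootstrapCluster", ...
    AuthState state = AuthState::AS_NOT_PERFORMED;
    Subject clientCert;                            // empty if none was presented
};

// SchemeBoard can only answer for /Root once the cluster has been bootstrapped.
struct Cluster { bool bootstrapped = false; };

// Current behaviour: with mandatory auth, an AS_NOT_PERFORMED request first
// waits for /Root from SchemeBoard. Before bootstrap that answer never comes.
Outcome RouteGeneric(const SecurityConfig& cfg, Cluster& cluster, const Request& req) {
    if (cfg.enforceUserTokenRequirement &&
        req.state == AuthState::AS_NOT_PERFORMED && !cluster.bootstrapped)
        return Outcome::DeferredForever;
    if (req.rpc == "BootstrapCluster") cluster.bootstrapped = true;
    return Outcome::Handled;
}

// Proposed behaviour: BootstrapCluster is authenticated from the certificate
// before SchemeBoard is consulted; every other request keeps the generic path.
Outcome RouteWithBootstrapSpecialCase(const SecurityConfig& cfg, Cluster& cluster,
                                      const Request& req) {
    if (req.rpc == "BootstrapCluster" && req.state == AuthState::AS_NOT_PERFORMED) {
        if (!MayBootstrap(cfg, req.clientCert)) return Outcome::Rejected;
        cluster.bootstrapped = true;
        return Outcome::Handled;
    }
    return RouteGeneric(cfg, cluster, req);
}

// The configuration quoted in the issue, built as a constructed sample.
SecurityConfig ExampleConfig() {
    SecurityConfig cfg;
    cfg.enforceUserTokenRequirement = true;
    cfg.bootstrapAllowedSids = {"clusteradmins@cert"};
    CertDefinition def;
    def.subjectTerms["O"] = {"YDB"};
    def.memberGroups = {"clusteradmins@cert"};
    cfg.certDefinitions.push_back(def);
    return cfg;
}
```

The special-cased path has to carry its own authorization decision: because it bypasses the generic SchemeBoard-dependent check, a certificate whose subject does not map to a SID in bootstrap_allowed_sids must be rejected there, not merely deferred. Once the cluster is bootstrapped, ordinary requests with AS_NOT_PERFORMED go through the generic path unchanged.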