Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Limit system user login #579

Draft
wants to merge 4 commits into
base: master
Choose a base branch
from
Draft

Limit system user login #579

wants to merge 4 commits into from

Conversation

WalBeh
Copy link
Contributor

@WalBeh WalBeh commented Jan 26, 2024

Summary of changes

Limit system user login to 10.0.0.0/8.

I assumed that the configuration snippet from below limits the system to login from 10.0.0.0/8 only. But it seems like the 99.method=password spoils my plan!

 82     - -Cauth.host_based.enabled=true
 83     - -Cauth.host_based.config.0.user=crate
 84     - -Cauth.host_based.config.0.address=_local_
 85     - -Cauth.host_based.config.0.method=trust
 86     - -Cauth.host_based.config.1.user=system
 87     - -Cauth.host_based.config.1.address=10.0.0.0/8
 88     - -Cauth.host_based.config.1.method=password
 89     - -Cauth.host_based.config.99.method=password

In can see the real IP of the connection (=external IP) system can still login, due to the setting in line 89 where password login from everywhere is allowed.

Checklist

  • Relevant changes are reflected in CHANGES.rst
  • Added or changed code is covered by tests
  • Documentation has been updated if necessary
  • Changed code does not contain any breaking changes (or this is a major version change)

@@ -420,6 +420,8 @@ def get_statefulset_crate_command(
"-Cauth.host_based.config.0.user": "crate",
"-Cauth.host_based.config.0.address": "_local_",
"-Cauth.host_based.config.0.method": "trust",
"-Cauth.host_based.config.1.user": "system",
"-Cauth.host_based.config.1.address": "10.0.0.0/8",
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We should probably make this configurable, since no guarantee that all k8s is using class A subnets? Also people might want to restrict it further, if they use a different subnet mask in their k8s.

Copy link
Contributor Author

@WalBeh WalBeh Jan 26, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We should probably make this configurable, since no guarantee that all k8s is using class A subnets? Also people might want to restrict it further, if they use a different subnet mask in their k8s.

configurable as in CRD?

spec.cluster.allowedSystemUserCIDR?

@WalBeh WalBeh requested a review from SStorm January 26, 2024 10:11
@@ -173,6 +173,9 @@ spec:
items:
type: string
type: array
allowedSystemUserCIDR:
Copy link
Contributor

@SStorm SStorm Jan 29, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

You don't need this, if the setting is coming from the environment (config.ALLOWED_SYSTEM_USER_CIDR) - we don't need to be able to override it for individual CrateDBs?

@SStorm SStorm marked this pull request as draft February 2, 2024 14:06
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

2 participants