Implement RPC authentication #1893

Open
stasatdaglabs opened this issue Dec 19, 2021 · 3 comments

@stasatdaglabs
Collaborator

Currently, many nodes have RPC ports potentially open to the world.
Some manner of authentication should be implemented to mitigate it.

Suggested solution: gRPC supports authentication out-of-the-box: https://grpc.io/docs/guides/auth/

@cdnsteve

cdnsteve commented Apr 26, 2022

It seems like TLS might be preferred; however, we'll need to deal with certificate generation. Does this already exist, or is it documented anywhere? Otherwise we'll need to provide details around certificate gen and location so it can be passed in config.

It looks like the genkeypair is for wallets and not related to TLS.

@someone235
Collaborator

> It seems like TLS might be preferred; however, we'll need to deal with certificate generation. Does this already exist, or is it documented anywhere? Otherwise we'll need to provide details around certificate gen and location so it can be passed in config.
>
> It looks like the genkeypair is for wallets and not related to TLS.

Yeah right, genkeypair is not related to TLS.
I think what we want is to allow some kind of authorized use of the RPC, but then leave an option to the user to decide to allow some restricted list of RPC calls to anonymous users (without auth).

@cdnsteve

cdnsteve commented Jun 16, 2022

Items discussed in dev chat:

  • There are two different types of gRPC:
      1. P2p: is a gRPC server for inter-node communication.
      2. rpcServer: is for gRPC miner, wallet and certain kaspactl utility communication and is for outside querying of the node's state.

rpcServer is the right place to implement this feature, given we want to offer protection from external gRPC connections and can secure with TLS.

The thinking is that if/when this feature gets enabled, it will likely cause issues with mining software, like BZminer, where Auth will need to be provided (needs to be tested).

The plan is to allow for TLS Auth as optional, not default. In doing so, this will avoid causing any issues with current configurations in miners. This feature would need to be configured to be enabled.

More to come and I'll update progress but this is currently underway in development.

Shoutout to the Kaspa devs in Discord for helping me navigate this and answering lots of questions 👍
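
A sketch of the access decision discussed in this thread (auth that is off by default, plus a restricted list of calls left open to anonymous clients), added here as an example; it is not kaspad code. The `Policy` type, the shared-token credential and the call names `GetInfo` and `SubmitBlock` are assumptions made for illustration, and a token like this only protects anything when it travels over the TLS channel mentioned above.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"fmt"
)

// Policy is a hypothetical access policy for the RPC server (not kaspad code).
type Policy struct {
	AuthEnabled bool            // false = feature off, existing miner setups keep working
	TokenHash   [32]byte        // SHA-256 of the shared secret
	Anonymous   map[string]bool // calls still open to clients that send no credential
}

type Decision string

const (
	Allow               Decision = "allow"
	DenyUnauthenticated Decision = "deny: credential required"
	DenyBadCredential   Decision = "deny: bad credential"
)

// Authorize decides one call; token is "" when the client sent no credential.
func (p Policy) Authorize(call, token string) Decision {
	if !p.AuthEnabled {
		return Allow
	}
	if token == "" {
		if p.Anonymous[call] {
			return Allow
		}
		return DenyUnauthenticated
	}
	// Hash first so both inputs have equal length, then compare in constant time.
	sum := sha256.Sum256([]byte(token))
	if subtle.ConstantTimeCompare(sum[:], p.TokenHash[:]) != 1 {
		return DenyBadCredential // fail closed, even for anonymous-listed calls
	}
	return Allow
}

// samplePolicy uses a constructed token and constructed call names.
func samplePolicy() Policy {
	return Policy{AuthEnabled: true, TokenHash: sha256.Sum256([]byte("constructed-sample-token")), Anonymous: map[string]bool{"GetInfo": true}}
}

func main() {
	p := samplePolicy()
	fmt.Println(p.Authorize("GetInfo", ""), "|", p.Authorize("SubmitBlock", ""))
}
```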
