Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

server: support check the "CommanName" of tls-cert for status-port(http/grpc) #15137

Merged
merged 6 commits into from
Mar 5, 2020
Merged

server: support check the "CommanName" of tls-cert for status-port(http/grpc) #15137

merged 6 commits into from
Mar 5, 2020

Conversation

lysu
Copy link
Contributor

@lysu lysu commented Mar 4, 2020
edited
Loading

What problem does this PR solve?

add CN check for TiDB's http/grpc API

What is changed and how it works?

  • add configuration
  • config check hook in http/grpc server
  • add test

Check List

Tests

  • Unit test
  • Manual test (add detailed scripts or steps below)
remove https://github.com/pingcap/tidb/compare/master...lysu:check_CN_between_tidbs?expand=1#diff-209d74aa1a4826e6cf6e0b29455087c7R221
and install self-signed CA to operation-system

Code changes

  • n/a

Side effects

  • n/a

Related changes

  • Need to cherry-pick to the release 3.0

Release note

  • Write release note for bug-fix or new feature.

This change is Reviewable

@lysu lysu added needs-cherry-pick-3.0 security Everything related with security labels Mar 4, 2020
@lysu lysu requested review from imtbkcat and jackysp March 4, 2020 14:05
@codecov
Copy link

codecov bot commented Mar 4, 2020
edited
Loading

Codecov Report

Merging #15137 into master will not change coverage by %.
The diff coverage is n/a.

@@             Coverage Diff             @@
##             master     #15137   +/-   ##
===========================================
  Coverage   80.2595%   80.2595%           
===========================================
  Files           503        503           
  Lines        132388     132388           
===========================================
  Hits         106254     106254           
  Misses        17737      17737           
  Partials       8397       8397

gregwebs
gregwebs reviewed Mar 5, 2020
View reviewed changes
server/http_status.go Outdated Show resolved Hide resolved
server/http_status.go Outdated Show resolved Hide resolved
config/config.go Outdated Show resolved Hide resolved
@lysu lysu requested a review from gregwebs March 5, 2020 06:16
gregwebs
gregwebs reviewed Mar 5, 2020
View reviewed changes
server/http_status.go Outdated
@@ -310,6 +312,32 @@ func (s *Server) setupStatusServerAndRPCServer(addr string, serverMux *http.Serv
}
}

func (s *Server) setCNChecker(tlsConfig *tls.Config) *tls.Config {
if tlsConfig != nil && len(s.cfg.Security.ClusterVerifyCN) > 0 {
cns := strings.Split(s.cfg.Security.ClusterVerifyCN, ",")
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It would be great if we could parse these configurations ahead of time. This value is essentially an array of strings. Another method of configuration (API Call or testing interface) would like to actually give an array. Actually, TOML supports arrays as well, so it seems like only the CLI would need to give an unparsed string?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

yes, it's better using arrays, we don't need cli or sysvar, changed

gregwebs
gregwebs previously approved these changes Mar 5, 2020
View reviewed changes
jackysp
jackysp reviewed Mar 5, 2020
View reviewed changes
server/tidb_test.go
func (ts *tidbTestSuite) TestStatusAPIWithTLSCNCheck(c *C) {
c.Skip("need add ca-tidb-test-1.crt to OS")
root := filepath.Join(os.Getenv("GOPATH"), "/src/github.com/pingcap/tidb")
ca := filepath.Join(root, "/tests/cncheckcert/ca-tidb-test-1.crt")
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This test really could not pass on windows :-)

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

yes, this case also need install ca to operation system for linuxer, so c.Skip at this time 😞

jackysp
jackysp approved these changes Mar 5, 2020
View reviewed changes
Copy link
Member

@jackysp jackysp left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@jackysp
Copy link
Member

jackysp commented Mar 5, 2020

/merge

@sre-bot sre-bot added the status/can-merge Indicates a PR has been approved by a committer. label Mar 5, 2020
@sre-bot
Copy link
Contributor

sre-bot commented Mar 5, 2020

/run-all-tests

@sre-bot
Copy link
Contributor

sre-bot commented Mar 5, 2020

@lysu merge failed.

@lysu
Copy link
Contributor Author

lysu commented Mar 5, 2020

/rebuild

@lysu lysu merged commit 92f6f4e into pingcap:master Mar 5, 2020
@lysu lysu deleted the check_CN_between_tidbs branch March 5, 2020 15:52
@sre-bot sre-bot mentioned this pull request Mar 5, 2020
Merged
@sre-bot
Copy link
Contributor

sre-bot commented Mar 5, 2020

cherry pick to release-3.0 in PR #15164

sre-bot pushed a commit to sre-bot/tidb that referenced this pull request Mar 5, 2020
@lysu @sre-bot
cherry pick pingcap#15137 to release-3.1
8ec3c75 
Signed-off-by: sre-bot <[email protected]>
@sre-bot sre-bot mentioned this pull request Mar 5, 2020
Closed
@sre-bot
Copy link
Contributor

sre-bot commented Mar 5, 2020

cherry pick to release-3.1 in PR #15165

lysu added a commit to sre-bot/tidb that referenced this pull request Mar 5, 2020
@lysu
server: support check the "CommanName" of tls-cert for status-port(ht…
fa8f260 
…tp/grpc) (pingcap#15137)
@gregwebs gregwebs mentioned this pull request Mar 5, 2020
Closed
sre-bot added a commit that referenced this pull request Mar 6, 2020
@sre-bot
server: support check the "CommanName" of tls-cert for status-port(ht…
11ec003 
…tp/grpc) (#15137) (#15164)
This was referenced Mar 9, 2020
Closed
Closed
Closed
@lysu lysu mentioned this pull request Mar 16, 2020
Open
@lysu lysu added this to the v3.1.0-rc milestone Mar 18, 2020
@weekface weekface mentioned this pull request Mar 19, 2020
Closed
52 tasks
@lance6716 lance6716 mentioned this pull request Jul 18, 2020
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@jackysp jackysp jackysp approved these changes

@gregwebs gregwebs gregwebs left review comments

@imtbkcat imtbkcat Awaiting requested review from imtbkcat

Assignees
No one assigned
Labels
security Everything related with security status/can-merge Indicates a PR has been approved by a committer.
Projects
None yet
Milestone
v3.1.0-rc
Development

Successfully merging this pull request may close these issues.
4 participants
@lysu @jackysp @sre-bot @gregwebs