Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

release-19.1: server: properly authenticate some admin RPC req… #42727

Merged
merged 3 commits into from
Nov 25, 2019
Merged

release-19.1: server: properly authenticate some admin RPC req… #42727

merged 3 commits into from
Nov 25, 2019

Conversation

knz
Copy link
Contributor

@knz knz commented Nov 25, 2019

Backport 3/3 commits from #42726.

/cc @cockroachdb/release

Backport 3/3 commits from #42563.

/cc @cockroachdb/release

Fixes the vulnerability described in #42567.

The the individual commits for details.

@knz knz requested review from bdarnell and a team November 25, 2019 12:19
@cockroach-teamcity
Copy link
Member

This change is Reviewable

knz added 3 commits November 25, 2019 13:37
@knz
server: perform authorization for SQL ran by admin RPCs
5a41afa 
Prior to this patch, all the admin RPCs would perform
whatever SQL operations they needed to do using the root user.
See issue cockroachdb#42567.

Moreover, because of this the "UI data" payload containing all the UI
configuration settings was shared between all users.

This was possibly a security flaw, as it could enable any
authenticated user (eg via a certificate on the CLI, or via the web
UI) to access SQL data otherwise only available to root.

This patch fixes **part of** issue cockroachdb#42567 by
authorizing the SQL execution of admin RPC endpoints properly.

It also introduces a new SQL built-in function
`crdb_internal.is_admin()` used internally by the admin user.

**The following problem from cockroachdb#42567 is not fixed: RPCs that do not use
SQL are still allowed to proceed as root regardless of the
authenticated user.** This will be addressed by a subsequent commit.

Release note (admin ui change): Certain web UI pages (like the list of
databases, tables) now restrict their content to match the privileges
of the logged-in user.

Release note (admin ui change): The event log now presents all cluster
settings changes, unredacted, when an admin user uses the page.

Release note (admin ui change): Customization of the UI by
users is only properly saved if the user has write privilege
to `system.ui` (i.e. admin users). Also, all authenticated
users share the same customizations. This is a known limitation
and should be lifted in a future version.
@knz
serverpb: don't expose Drain() via HTTP
214fafd 
The Drain() (`cockroach quit`) RPC is used over gRPC by `cockroach
quit`. There is no requirement to have it exposed via HTTP, and
moreover it is a security problem (DoS) waiting to happen
since the request is not fully authorized.

Release note: none
@knz
server: authorize more requests
04b08aa 
Previously, admin/status RPCs available over HTTP but that did not
perform SQL operations would not verify authorization from
clients (the only authorization was that performed by SQL privilege
checks).

This patch fixes it.

The following services are now blocked from non-admin users:

- `TableStats`. This is a temporary limitation, until this RPC learns
  how to verify privileges on the specific table for which stats are
  requested.
- `NonTableStats`
- `DataDistribution`
- `EnqueueRange`
- `RangeLog`
- `Gossip`
- `EngineStats`
- `Allocator`
- `AllocatorRange`
- `Certificates`
- `Details`
- `GetFiles`
- `LogFilesList`
- `LogFile`
- `Logs`
- `Stacks`
- `Profile`
- `RaftDebug`
- `Ranges`
- `HotRanges`
- `Range`
- `SpanStats`
- `Stores`

For reference, the following services were already properly authorized
by SQL privilege checks:

- `Databases`
- `DatabaseDetails`
- `TableDetails`
- `Users`
- `Events`
- `Jobs`
- `Locations`
- `QueryPlan`

The following were already authorized using a custom check:

- `ListSessions` (user must be either admin or can only list their own
  sessions)
- `ListLocalSessions` (ditto)

The following are now authorized using a custom check:

- `CancelSession` (user must be either admin or operate on their own sessions)
- `CancelQuery` (user must be either admin or operate on their own queries)

The following RPCs are not authorized but do not leak sensitive
information:

- `Health`
- `Liveness`
- `Settings`

Release note (admin ui change): Access to table statistics are
temporary blocked from access by non-admin users until further notice,
for security reasons.

Release note (admin ui change): Certain debug pages have been blocked
from non-admin users for security reasons.
@knz knz force-pushed the backport19.1-42726 branch from d815049 to 04b08aa Compare November 25, 2019 12:37
@knz knz mentioned this pull request Nov 25, 2019
Closed
@knz
Copy link
Contributor Author

knz commented Nov 25, 2019

@rolandcrosby could you nominate someone to do QA on the UI after these security changes, to see what functionality becomes different for non-admin users? We'll need to document this as known limitations.

@knz knz changed the title release-19.1: server: properly authenticate some admin RPC requests release-19.1: server: properly authenticate some admin RPC req… Nov 25, 2019
@knz knz merged commit 9012e64 into cockroachdb:release-19.1 Nov 25, 2019
@knz knz deleted the backport19.1-42726 branch November 25, 2019 16:35
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@bdarnell bdarnell bdarnell approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@knz @cockroach-teamcity @bdarnell