Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

cli: don't scope TLS client certs to a specific tenant by default #97585

Merged
merged 1 commit into from
Feb 24, 2023
Merged

cli: don't scope TLS client certs to a specific tenant by default #97585

merged 1 commit into from
Feb 24, 2023

Conversation

knz
Copy link
Contributor

@knz knz commented Feb 23, 2023

Epic: CRDB-23559
Fixes: #97584

This commit changes the default for --tenant-scope from "only the system tenant" to "cert valid for all tenants".

Note that the scoping is generally useful for security, and it is used in CockroachCloud. However, CockroachCloud does not use our CLI code to generate certs and sets its cert tenant scopes on its own.

Given that our CLI code is provided for convenience and developer productivity, and we don't expect certs generated here to be used in multi-tenant deployments where tenants are adversarial to each other, defaulting to certs that are valid on every tenant is a good choice.

Release note: None

@knz knz requested a review from stevendanna February 23, 2023 19:24
@knz knz requested review from a team as code owners February 23, 2023 19:24
@knz knz requested review from herkolategan and renatolabs and removed request for a team February 23, 2023 19:24
@cockroach-teamcity
Copy link
Member

This change is Reviewable

@knz knz added the A-multitenancy Related to multi-tenancy label Feb 23, 2023
@knz
cli: don't scope TLS client certs to a specific tenant by default
c50bd93 
This commit changes the default for `--tenant-scope` from "only the
system tenant" to "cert valid for all tenants".

Note that the scoping is generally useful for security, and it is used
in CockroachCloud. However, CockroachCloud does not use our CLI code
to generate certs and sets its cert tenant scopes on its own.

Given that our CLI code is provided for convenience and developer
productivity, and we don't expect certs generated here to be used in
multi-tenant deployments where tenants are adversarial to each other,
defaulting to certs that are valid on every tenant is a good choice.

Release note: None
@knz knz force-pushed the 20230223-tenant-scope branch from 0a62ea7 to c50bd93 Compare February 23, 2023 20:15
stevendanna
stevendanna approved these changes Feb 24, 2023
View reviewed changes
Copy link
Collaborator

@stevendanna stevendanna left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Code LGTM. I agree with your reasoning about this being the right default given our current usage of tenants.

@knz
Copy link
Contributor Author

knz commented Feb 24, 2023

TFYR!

bors r=stevendanna

@craig
Copy link
Contributor

craig bot commented Feb 24, 2023

Build succeeded:

@craig craig bot merged commit ae2e8b8 into cockroachdb:master Feb 24, 2023
healthy-pod pushed a commit to healthy-pod/cockroach that referenced this pull request Mar 8, 2023
roachprod: pass --tenant-scope on cert gen from old binaries
9502e10 
Previously, TLS client certs were scoped to the system tenant
by default. After cockroachdb#97585, they became valid for all tenants by
default (unless `--tenant-scope` is passed).

This caused the multitenant-upgrade roachtest to fail when
certs are generated using the latest roachprod binary from
an old cockroach binary.

This change ensures that such certs are not scoped to the
system tenant only by passing `--tenant-scope`.

Release note: None
Epic: none

Closes cockroachdb#97016
@healthy-pod healthy-pod mentioned this pull request Mar 8, 2023
Closed
@herkolategan herkolategan mentioned this pull request Jun 13, 2023
Merged
craig bot pushed a commit that referenced this pull request Jun 14, 2023
@herkolategan
Merge #104772 #104777
3572499 
104772: roachtest: remove unused create tenant options r=srosenberg,stevendanna a=herkolategan

The `otherTenantIDs` field on `createTenantOptions` is no longer used.

Complimentary to this change: #97585

Epic: [CRDB-23559](https://cockroachlabs.atlassian.net/browse/CRDB-23559)

104777: roachprod: fix confusing start-up error r=srosenberg a=herkolategan

Starting a secure cluster locally does a check for certificates. In the event the certificates are not found, which is a valid case, an error is printed. The start command works correctly, but the error can cause confusion:

```bash
./bin/roachprod start local --secure
12:47:56 cluster_synced.go:2475: 0: COMMAND_PROBLEM: exit status 1
(1) COMMAND_PROBLEM
Wraps: (2) exit status 1
Error types: (1) errors.Cmd (2) *exec.ExitError:
local: initializing certs 1/1 /
local: distributing certs 2/2
12:47:59 cockroach.go:184: local: starting nodes
```

This change modifies the command to do a check without causing an error, and
also propagates any real errors that could occur while doing the check.

Epic: none

Co-authored-by: Herko Lategan <[email protected]>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@stevendanna stevendanna stevendanna approved these changes

@herkolategan herkolategan Awaiting requested review from herkolategan herkolategan is a code owner automatically assigned from cockroachdb/test-eng

@renatolabs renatolabs Awaiting requested review from renatolabs renatolabs is a code owner automatically assigned from cockroachdb/test-eng

Assignees
No one assigned
Labels
A-multitenancy Related to multi-tenancy
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

cli: the default tenant scope of cockroach cert create-client is paiful
3 participants
@knz @cockroach-teamcity @stevendanna