
server: support check the "CommonName" of tls-cert for status-port(http/grpc) #15137

Merged
merged 6 commits into from
Mar 5, 2020

Conversation

lysu
Contributor

@lysu lysu commented Mar 4, 2020

What problem does this PR solve?

add CN check for TiDB's http/grpc API

What is changed and how it works?

  • add configuration
  • config check hook in http/grpc server
  • add test

Check List

Tests

  • Unit test
  • Manual test (add detailed scripts or steps below)
remove https://github.com/pingcap/tidb/compare/master...lysu:check_CN_between_tidbs?expand=1#diff-209d74aa1a4826e6cf6e0b29455087c7R221
and install the self-signed CA into the operating system

Code changes

  • n/a

Side effects

  • n/a

Related changes

  • Need to cherry-pick to the release 3.0

Release note

  • Write release note for bug-fix or new feature.

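Added example (not code from this PR or the TiDB repository): a Go sketch of the check the list above describes, a server tls.Config whose VerifyPeerCertificate hook rejects a validated client certificate whose Subject CommonName is not in the configured list. Function names, error strings and the in-memory self-signed test certificate are my own; the list corresponds to the ClusterVerifyCN setting named in the diff.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// statusTLSConfig requires a client cert and, after Go has validated the chain against ClientCAs, rejects leaves whose CN is not listed.
func statusTLSConfig(allowed []string) *tls.Config {
	cfg := &tls.Config{ClientAuth: tls.RequireAndVerifyClientCert}
	cfg.VerifyPeerCertificate = func(_ [][]byte, chains [][]*x509.Certificate) error {
		if len(allowed) == 0 { // no list configured: plain chain validation only, like the PR's len(...) > 0 guard
			return nil
		}
		if len(chains) == 0 || len(chains[0]) == 0 { // defensive: with RequireAndVerifyClientCert, chains holds the validated chain
			return fmt.Errorf("status port: client certificate required")
		}
		leaf := chains[0][0] // the peer's own certificate
		for _, cn := range allowed {
			if leaf.Subject.CommonName == cn {
				return nil
			}
		}
		return fmt.Errorf("status port: client CN %q not in cluster-verify-cn list", leaf.Subject.CommonName)
	}
	return cfg
}

// checkCN drives the hook with a constructed in-memory self-signed cert (test data only; a real server passes the chain it validated).
func checkCN(allowed []string, cn string) error {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour)}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	leaf, _ := x509.ParseCertificate(der)
	return statusTLSConfig(allowed).VerifyPeerCertificate(nil, [][]*x509.Certificate{{leaf}})
}

func main() {
	for _, cn := range []string{"tidb-server", "not-a-cluster-member"} {
		fmt.Println(cn, "->", checkCN([]string{"tidb-server", "pd-server"}, cn))
	}
}
```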

@lysu lysu added needs-cherry-pick-3.0 security Everything related with security labels Mar 4, 2020
@lysu lysu requested review from imtbkcat and jackysp March 4, 2020 14:05
@codecov

codecov bot commented Mar 4, 2020

Codecov Report

Merging #15137 into master will not change coverage by %.
The diff coverage is n/a.

@@             Coverage Diff             @@
##             master     #15137   +/-   ##
===========================================
  Coverage   80.2595%   80.2595%           
===========================================
  Files           503        503           
  Lines        132388     132388           
===========================================
  Hits         106254     106254           
  Misses        17737      17737           
  Partials       8397       8397           

@lysu lysu requested a review from gregwebs March 5, 2020 06:16
@@ -310,6 +312,32 @@ func (s *Server) setupStatusServerAndRPCServer(addr string, serverMux *http.Serv
}
}

func (s *Server) setCNChecker(tlsConfig *tls.Config) *tls.Config {
if tlsConfig != nil && len(s.cfg.Security.ClusterVerifyCN) > 0 {
cns := strings.Split(s.cfg.Security.ClusterVerifyCN, ",")
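Review bot: the split in `cns := strings.Split(s.cfg.Security.ClusterVerifyCN, ",")` keeps surrounding whitespace, so a value written as `"tidb-1, tidb-2"` yields `" tidb-2"` and that peer is silently rejected; trim each entry with `strings.TrimSpace` and drop empty ones. Since the list never changes at runtime, parse it once when the configuration is loaded rather than inside `setCNChecker` every time the status server is set up.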
Contributor


It would be great if we could parse these configurations ahead of time. This value is essentially an array of strings. Another method of configuration (API Call or testing interface) would like to actually give an array. Actually, TOML supports arrays as well, so it seems like only the CLI would need to give an unparsed string?

Contributor Author


Yes, it's better to use arrays; we don't need CLI or sysvar. Changed.

gregwebs
gregwebs previously approved these changes Mar 5, 2020
func (ts *tidbTestSuite) TestStatusAPIWithTLSCNCheck(c *C) {
c.Skip("need add ca-tidb-test-1.crt to OS")
root := filepath.Join(os.Getenv("GOPATH"), "/src/github.com/pingcap/tidb")
ca := filepath.Join(root, "/tests/cncheckcert/ca-tidb-test-1.crt")
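Review bot: the unconditional `c.Skip("need add ca-tidb-test-1.crt to OS")` on the first line means `TestStatusAPIWithTLSCNCheck` never runs, even in an environment where the CA is installed; gate the skip on an environment variable instead so a CI image with the CA present exercises the check. Also `root := filepath.Join(os.Getenv("GOPATH"), "/src/github.com/pingcap/tidb")` assumes a single-entry GOPATH checkout; a path relative to the package (the `tests/cncheckcert` directory under the repository root) would not depend on GOPATH.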
Member


This test really could not pass on windows :-)

Contributor Author


Yes, this case also needs the CA installed into the operating system for Linux users, so c.Skip for now 😞

Member

@jackysp jackysp left a comment


LGTM

@jackysp
Member

jackysp commented Mar 5, 2020

/merge

@sre-bot sre-bot added the status/can-merge Indicates a PR has been approved by a committer. label Mar 5, 2020
@sre-bot
Contributor

sre-bot commented Mar 5, 2020

/run-all-tests

@sre-bot
Contributor

sre-bot commented Mar 5, 2020

@lysu merge failed.

@lysu
Contributor Author

lysu commented Mar 5, 2020

/rebuild

@sre-bot
Contributor

sre-bot commented Mar 5, 2020

cherry pick to release-3.0 in PR #15164

@sre-bot
Contributor

sre-bot commented Mar 5, 2020

cherry pick to release-3.1 in PR #15165
