rpc: *almost* use tenant client certs (on tenants)
As of this commit, tenants would use their proper tenant client certs if
it weren't for a manual override that was added.

This override exists because the KV layer cannot yet authenticate
tenant client certs (this will change soon, in a follow-up to cockroachdb#50503).

However, uncommenting both the override and the hack in
`pkg/security/securitytest/test_certs/regenerate.sh` to make the tenant
client certs match those used by the KV nodes gives early validation
that this "will work" once the KV side plays ball.

Touches cockroachdb#47898.

Release note: None
tbg committed Jul 31, 2020
1 parent 4c65002 commit 1843152
Showing 2 changed files with 30 additions and 4 deletions.
10 changes: 6 additions & 4 deletions pkg/rpc/context.go
Expand Up @@ -717,13 +717,15 @@ func (ctx *Context) grpcDialOptions(
if ctx.Config.Insecure {
dialOpts = append(dialOpts, grpc.WithInsecure())
} else {
// TODO(tbg): complete this logic to use tenant client certs if ctx.tenID is
// not the system tenant.
const tenant = false
var err error
var tlsConfig *tls.Config
if !tenant {
// TODO(tbg): remove this override when the KV layer can authenticate tenant
// client certs.
const override = true
if override || ctx.tenID == roachpb.SystemTenantID {
tlsConfig, err = ctx.GetClientTLSConfig()
} else {
tlsConfig, err = ctx.GetTenantClientTLSConfig()
}

if err != nil {
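Review bot: With `const override = true`, the `ctx.tenID == roachpb.SystemTenantID` test on the same line is never evaluated and the `GetTenantClientTLSConfig` branch is unreachable, so every secondary tenant still dials with the config from `GetClientTLSConfig` — per the commit message, the certs the KV nodes themselves use, which presumably carry more authority than a tenant cert would. Nothing fails loudly if the override outlives the KV-side change, so the comment should name the tracking work and the consequence while it is in place, e.g. `// TODO(tbg): remove this override once the KV layer authenticates tenant client certs (follow-up to #50503). While set, secondary tenants dial KV with the same client config as the system tenant.` A test asserting which config a tenant Context selects would make the eventual removal observable, but that lives outside this hunk. grpcDialOptions begins before and ends after the visible lines.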
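--- a/pkg/rpc/tls.go
+++ b/pkg/rpc/tls.go
@@ -146,6 +146,30 @@ func (ctx *SecurityContext) GetClientTLSConfig() (*tls.Config, error) {
 return tlsCfg, nil
 }
 
+// GetTenantClientTLSConfig returns the client TLS config for the tenant, provided
+// the SecurityContext operates on behalf of a secondary tenant (i.e. not the
+// system tenant).
+//
+// If Insecure is true, return a nil config, otherwise retrieves the client
+// certificate for the configured tenant from the cert manager.
+func (ctx *SecurityContext) GetTenantClientTLSConfig() (*tls.Config, error) {
+// Early out.
+if ctx.config.Insecure {
+return nil, nil
+}
+
+cm, err := ctx.GetCertificateManager()
+if err != nil {
+return nil, wrapError(err)
+}
+
+tlsCfg, err := cm.GetTenantClientTLSConfig()
+if err != nil {
+return nil, wrapError(err)
+}
+return tlsCfg, nil
+}
+
 // getUIClientTLSConfig returns the client TLS config for Admin UI clients, initializing it if needed.
 // If Insecure is true, return a nil config, otherwise ask the certificate
 // manager for a TLS config configured to talk to the Admin UI.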
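Review bot: The doc comment on GetTenantClientTLSConfig promises it applies only when the SecurityContext acts for a secondary tenant, but the body never inspects the tenant ID — Insecure aside, it returns whatever the certificate manager's GetTenantClientTLSConfig yields. Either the precondition should be enforced here or the comment should say the caller owns that check; I would replace the "provided ..." clause with `// It does not verify that the configured tenant is a secondary tenant; callers are responsible for that decision (grpcDialOptions in context.go branches on the tenant ID).` The `return nil, nil` early-out mirrors GetClientTLSConfig above, which is consistent, but since a nil *tls.Config is what an insecure dial looks like to callers, it is worth stating in the comment that Insecure is the only path that yields nil.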

0 comments on commit 1843152

Please sign in to comment.