[MDEV-27246] Implement a method to add IPs to allowlist for Galera Cluster node addresses that can make SST/IST requests - Jira

Details

Type: Task
Status: Closed (View Workflow)
Priority: Blocker
Resolution: Fixed
Fix Version/s: 10.10.1
Component/s: Authentication and Privilege System, Galera, Galera SST, wsrep
Labels:
- Preview_10.10
- galera
- ist
- security
- sst
- wsrep

Description

Currently, as long as a node has access to Galera Cluster's TCP ports, it is allowed to make SST/IST requests. In general, no authentication is performed.

Current Security Methods

Currently, there are basically two ways to prevent an unauthorized node from making SST/IST requests:

1.) Use firewall rules to prevent unauthorized hosts from accessing the Galera Cluster ports.

https://mariadb.com/kb/en/library/configuring-mariadb-galera-cluster/#network-ports

2.) Configure your nodes to require TLS with certificate validation. This would have to be done separately for SSTs and ISTs.

For mariabackup SSTs, there is some information about how to configure TLS here:

https://mariadb.com/kb/en/library/mariabackup-sst-method/#tls

For rsync SSTs, there is some information about how to configure TLS here:

https://mariadb.com/kb/en/library/introduction-to-state-snapshot-transfers-ssts/#rsync

For ISTs, there is some information about how to configure TLS here:

https://mariadb.com/kb/en/library/securing-communications-in-galera-cluster/#securing-galera-cluster-replication-traffic

New Requested SST/IST Allowlist

Some users do not think that any of the current methods are sufficient. They would like MariaDB to implement some method that can be used to allowlist the addresses that are allowed to make SST/IST requests.

How could this be implemented?

Introduced a new variable called wsrep_allowlist to store Galera node IPs in the cluster. If the joiner node IP is not in the wsrep_allowlist, the Galera cluster will not allow the joiner node to join the cluster. This will help prevent unauthorized access to the cluster

The most intuitive method would probably be to treat wsrep_cluster_address as a allowlist of the addresses that can make SST/IST requests., This system variable is already used to configure the addresses of the nodes in the cluster, so it would work out-of-the-box for most users.

-https://mariadb.com/kb/en/library/galera-cluster-system-variables/#wsrep_cluster_address-

Attachments

Issue Links

relates to

MDEV-6385 MariaDB Galera Authentication between nodes and SST

Closed

MDEV-27263 Cluster bootstrap node shows duplicate wsrep allowlist IP warning messages on each restart.

Closed

MDEV-27275 Galera cluster joiner node does not properly parse the IPv6 address from the wsrep allowlist.

Closed

MDEV-28146 SST via mysqldump crash when testing MDEV-27246-galera-allowlist

Closed

MDEV-27874 Cluster node is not updating mysql.wsrep_allowlist table on restart

Closed

Activity

Ascending order - Click to sort in descending order

View 9 older comments

Jan Lindström (Inactive) added a comment - 2022-06-15 05:24 - edited

Set a new preview branch preview-10.10-allowlist-galera
Local testing looks good
Buildbot looks good

Jan Lindström (Inactive) added a comment - 2022-06-15 05:24 - edited Set a new preview branch preview-10.10-allowlist-galera Local testing looks good Buildbot looks good

Jan Lindström (Inactive) added a comment - 2022-06-15 12:17

ramesh Can you do short testing on preview version.

Jan Lindström (Inactive) added a comment - 2022-06-15 12:17 ramesh Can you do short testing on preview version.

Ramesh Sivaraman added a comment - 2022-06-22 12:36

jplindst preview version looks good.

Ramesh Sivaraman added a comment - 2022-06-22 12:36 jplindst preview version looks good.

Ralf Gebhardt added a comment - 2022-06-23 09:59 - edited

ramesh, and wsrep_allowlist can be a ip4, ip6 or a hostname? Can it include wildcards?

Ralf Gebhardt added a comment - 2022-06-23 09:59 - edited ramesh , and wsrep_allowlist can be a ip4, ip6 or a hostname? Can it include wildcards?

Ramesh Sivaraman added a comment - 2022-06-23 11:04 - edited

ralf.gebhardt@mariadb.com Yes, wsrep_allowlist can be IPv4 or IPv6. It does not accept wildcard IP or hostname. Galera prints warning message in error log if we use Wildcard IP or hostname.

[Warning] WSREP: Invalid IP address 192.168.100.% provided in `wsrep_allowlist` variable

[Warning] WSREP: Invalid IP address localhost provided in `wsrep_allowlist` variable

MariaDB [(none)]> select * from mysql.wsrep_allowlist;

Empty set (0.003 sec)

MariaDB [(none)]>

Ramesh Sivaraman added a comment - 2022-06-23 11:04 - edited ralf.gebhardt@mariadb.com Yes, wsrep_allowlist can be IPv4 or IPv6. It does not accept wildcard IP or hostname. Galera prints warning message in error log if we use Wildcard IP or hostname. [Warning] WSREP: Invalid IP address 192.168.100.% provided in `wsrep_allowlist` variable [Warning] WSREP: Invalid IP address localhost provided in `wsrep_allowlist` variable MariaDB [(none)]> select * from mysql.wsrep_allowlist; Empty set (0.003 sec) MariaDB [(none)]>

People

Assignee:: Jan Lindström (Inactive)

Reporter:: Geoff Montee (Inactive)

Votes:: 3 Vote for this issue

Watchers:: 8 Start watching this issue

Dates

Created:: 2019-10-10 17:53

Updated:: 2024-07-07 21:01

Resolved:: 2022-08-02 17:33

Git Integration

Error rendering 'com.xiplink.jira.git.jira_git_plugin:git-issue-webpanel'. Please contact your Jira administrators.

MariaDB Server