Details
-
Task
-
Status: Closed (View Workflow)
-
Blocker
-
Resolution: Fixed
Description
Currently, as long as a node has access to Galera Cluster's TCP ports, it is allowed to make SST/IST requests. In general, no authentication is performed.
Current Security Methods
Currently, there are basically two ways to prevent an unauthorized node from making SST/IST requests:
1.) Use firewall rules to prevent unauthorized hosts from accessing the Galera Cluster ports.
https://mariadb.com/kb/en/library/configuring-mariadb-galera-cluster/#network-ports
2.) Configure your nodes to require TLS with certificate validation. This would have to be done separately for SSTs and ISTs.
For mariabackup SSTs, there is some information about how to configure TLS here:
https://mariadb.com/kb/en/library/mariabackup-sst-method/#tls
For rsync SSTs, there is some information about how to configure TLS here:
https://mariadb.com/kb/en/library/introduction-to-state-snapshot-transfers-ssts/#rsync
For ISTs, there is some information about how to configure TLS here:
New Requested SST/IST Allowlist
Some users do not think that any of the current methods are sufficient. They would like MariaDB to implement some method that can be used to allowlist the addresses that are allowed to make SST/IST requests.
How could this be implemented?
Introduced a new variable called wsrep_allowlist to store Galera node IPs in the cluster. If the joiner node IP is not in the wsrep_allowlist, the Galera cluster will not allow the joiner node to join the cluster. This will help prevent unauthorized access to the cluster
The most intuitive method would probably be to treat wsrep_cluster_address as a allowlist of the addresses that can make SST/IST requests., This system variable is already used to configure the addresses of the nodes in the cluster, so it would work out-of-the-box for most users.
-https://mariadb.com/kb/en/library/galera-cluster-system-variables/#wsrep_cluster_address-
Attachments
Issue Links
- relates to
-
-
- Closed
-
-
MDEV-27263 Cluster bootstrap node shows duplicate wsrep allowlist IP warning messages on each restart.
-
- Closed
-
-
-
- Closed
-
-
-
- Closed
-
-
-
- Closed
-
Activity
| Field | Original Value | New Value |
|---|---|---|
| Link | This issue relates to MENT-424 [ MENT-424 ] |
| Labels | galera security sst wsrep | galera ist security sst wsrep |
| Link | This issue relates to MENT-426 [ MENT-426 ] |
| Description |
Currently, as long as a node has access to Galera Cluster's TCP ports, it is allowed to make SST/IST requests. No authentication is performed. There are basically two ways to prevent an unauthorized node from making SST/IST requests at the moment:
1.) Use firewall rules to prevent unauthorized hosts from accessing the Galera Cluster ports. https://mariadb.com/kb/en/library/configuring-mariadb-galera-cluster/#network-ports 2.) Configure your nodes to require TLS with certificate validation for SSTs. There is some information about how to configure TLS for mariabackup SSTs here: https://mariadb.com/kb/en/library/mariabackup-sst-method/#tls However, some users do not think this is sufficient. They would like MariaDB to implement some method that can be used to whitelist the addresses that are allowed to make SST/IST requests. How could this be implemented? The most intuitive method would probably be to treat {{wsrep_cluster_address}} as a whitelist of the addresses that can make SST/IST requests., This system variable is already used to configure the addresses of the nodes in the cluster, so it would work out-of-the-box for most users. https://mariadb.com/kb/en/library/galera-cluster-system-variables/#wsrep_cluster_address We could also make this behavior optional. For example, we could create a new system variable called {{wsrep_sst_enforce_whitelist}}. If it is set to {{ON}}, then {{wsrep_cluster_address}} is treated as a whitelist for SST/IST requests. If it is set to {{OFF}}, then no whitelist is used. |
Currently, as long as a node has access to Galera Cluster's TCP ports, it is allowed to make SST/IST requests. In general, no authentication is performed.
h2. Current Security Methods Currently, there are basically two ways to prevent an unauthorized node from making SST/IST requests: 1.) Use firewall rules to prevent unauthorized hosts from accessing the Galera Cluster ports. https://mariadb.com/kb/en/library/configuring-mariadb-galera-cluster/#network-ports 2.) Configure your nodes to require TLS with certificate validation. This would have to be done separately for SSTs and ISTs. For {{mariabackup}} SSTs, there is some information about how to configure TLS here: https://mariadb.com/kb/en/library/mariabackup-sst-method/#tls For {{rsync}} SSTs, there is some information about how to configure TLS here: https://mariadb.com/kb/en/library/introduction-to-state-snapshot-transfers-ssts/#rsync For ISTs, there is some information about how to configure TLS here: https://mariadb.com/kb/en/library/securing-communications-in-galera-cluster/#securing-galera-cluster-replication-traffic h2. New Requested SST/IST Whitelist Some users do not think that any of the current methods are sufficient. They would like MariaDB to implement some method that can be used to whitelist the addresses that are allowed to make SST/IST requests. How could this be implemented? The most intuitive method would probably be to treat {{wsrep_cluster_address}} as a whitelist of the addresses that can make SST/IST requests., This system variable is already used to configure the addresses of the nodes in the cluster, so it would work out-of-the-box for most users. https://mariadb.com/kb/en/library/galera-cluster-system-variables/#wsrep_cluster_address We could also make this behavior optional. For example, we could create a new system variable called {{wsrep_sst_enforce_whitelist}}. If it is set to {{ON}}, then {{wsrep_cluster_address}} is treated as a whitelist for SST/IST requests. If it is set to {{OFF}}, then no whitelist is used. |
| Assignee | Jan Lindström [ jplindst ] | Ralf Gebhardt [ ralf.gebhardt@mariadb.com ] |
| Assignee | Ralf Gebhardt [ ralf.gebhardt@mariadb.com ] | Seppo Jaakola [ seppo ] |
| Fix Version/s | 10.5 [ 23608 ] |
| Issue Type | Task [ 3 ] | New Feature [ 2 ] |
| Link | This issue relates to MENT-565 [ MENT-565 ] |
| Link | This issue relates to MENT-565 [ MENT-565 ] |
Workaround: use ssl certificates in wsrep_provider_options
| Summary | Implement a method to whitelist Galera Cluster node addresses that can make SST/IST requests | Implement a method to add IPs to allowlist for Galera Cluster node addresses that can make SST/IST requests |
| Assignee | Seppo Jaakola [ seppo ] | Mario Karuza [ mkaruza ] |
| Workflow | MariaDB v3 [ 100337 ] | MariaDB v4 [ 135783 ] |
| Component/s | Authentication and Privilege System [ 13101 ] | |
| Component/s | Galera [ 10124 ] | |
| Component/s | Galera SST [ 10121 ] | |
| Component/s | wsrep [ 11500 ] | |
| Component/s | Authentication and Privilege System [ 14922 ] | |
| Component/s | Galera [ 14918 ] | |
| Component/s | Galera SST [ 14920 ] | |
| Component/s | wsrep [ 15006 ] | |
| Key |
|
|
| Affects Version/s | 10.4 [ 23604 ] | |
| Affects Version/s | 10.3 [ 23605 ] | |
| Affects Version/s | 10.2 [ 23606 ] | |
| Issue Type | New Feature [ 2 ] | Task [ 3 ] |
| Project | MariaDB Enterprise [ 11500 ] | MariaDB Server [ 10000 ] |
| Assignee | Mario Karuza [ mkaruza ] | Jan Lindström [ jplindst ] |
| Fix Version/s | 10.8 [ 26121 ] |
| Status | Open [ 1 ] | In Progress [ 3 ] |
- https://github.com/MariaDB/server/pull/1966
- branch : preview-10.8-
MDEV-27246-galera-allowlist - galera-library branch : mariadb-4.x commit 71c9d8e6
| Status | In Progress [ 3 ] | In Testing [ 10301 ] |
| Assignee | Jan Lindström [ jplindst ] | Ramesh Sivaraman [ JIRAUSER48189 ] |
| Description |
Currently, as long as a node has access to Galera Cluster's TCP ports, it is allowed to make SST/IST requests. In general, no authentication is performed.
h2. Current Security Methods Currently, there are basically two ways to prevent an unauthorized node from making SST/IST requests: 1.) Use firewall rules to prevent unauthorized hosts from accessing the Galera Cluster ports. https://mariadb.com/kb/en/library/configuring-mariadb-galera-cluster/#network-ports 2.) Configure your nodes to require TLS with certificate validation. This would have to be done separately for SSTs and ISTs. For {{mariabackup}} SSTs, there is some information about how to configure TLS here: https://mariadb.com/kb/en/library/mariabackup-sst-method/#tls For {{rsync}} SSTs, there is some information about how to configure TLS here: https://mariadb.com/kb/en/library/introduction-to-state-snapshot-transfers-ssts/#rsync For ISTs, there is some information about how to configure TLS here: https://mariadb.com/kb/en/library/securing-communications-in-galera-cluster/#securing-galera-cluster-replication-traffic h2. New Requested SST/IST Whitelist Some users do not think that any of the current methods are sufficient. They would like MariaDB to implement some method that can be used to whitelist the addresses that are allowed to make SST/IST requests. How could this be implemented? The most intuitive method would probably be to treat {{wsrep_cluster_address}} as a whitelist of the addresses that can make SST/IST requests., This system variable is already used to configure the addresses of the nodes in the cluster, so it would work out-of-the-box for most users. https://mariadb.com/kb/en/library/galera-cluster-system-variables/#wsrep_cluster_address We could also make this behavior optional. For example, we could create a new system variable called {{wsrep_sst_enforce_whitelist}}. If it is set to {{ON}}, then {{wsrep_cluster_address}} is treated as a whitelist for SST/IST requests. If it is set to {{OFF}}, then no whitelist is used. |
Currently, as long as a node has access to Galera Cluster's TCP ports, it is allowed to make SST/IST requests. In general, no authentication is performed.
h2. Current Security Methods Currently, there are basically two ways to prevent an unauthorized node from making SST/IST requests: 1.) Use firewall rules to prevent unauthorized hosts from accessing the Galera Cluster ports. https://mariadb.com/kb/en/library/configuring-mariadb-galera-cluster/#network-ports 2.) Configure your nodes to require TLS with certificate validation. This would have to be done separately for SSTs and ISTs. For {{mariabackup}} SSTs, there is some information about how to configure TLS here: https://mariadb.com/kb/en/library/mariabackup-sst-method/#tls For {{rsync}} SSTs, there is some information about how to configure TLS here: https://mariadb.com/kb/en/library/introduction-to-state-snapshot-transfers-ssts/#rsync For ISTs, there is some information about how to configure TLS here: https://mariadb.com/kb/en/library/securing-communications-in-galera-cluster/#securing-galera-cluster-replication-traffic h2. New Requested SST/IST Allowlist Some users do not think that any of the current methods are sufficient. They would like MariaDB to implement some method that can be used to allowlist the addresses that are allowed to make SST/IST requests. How could this be implemented? The most intuitive method would probably be to treat {{wsrep_cluster_address}} as a allowlist of the addresses that can make SST/IST requests., This system variable is already used to configure the addresses of the nodes in the cluster, so it would work out-of-the-box for most users. https://mariadb.com/kb/en/library/galera-cluster-system-variables/#wsrep_cluster_address We could also make this behavior optional. For example, we could create a new system variable called {{wsrep_sst_enforce_allowlist}}. If it is set to {{ON}}, then {{wsrep_cluster_address}} is treated as a whitelist for SST/IST requests. If it is set to {{OFF}}, then no allowlist is used. |
| Description |
Currently, as long as a node has access to Galera Cluster's TCP ports, it is allowed to make SST/IST requests. In general, no authentication is performed.
h2. Current Security Methods Currently, there are basically two ways to prevent an unauthorized node from making SST/IST requests: 1.) Use firewall rules to prevent unauthorized hosts from accessing the Galera Cluster ports. https://mariadb.com/kb/en/library/configuring-mariadb-galera-cluster/#network-ports 2.) Configure your nodes to require TLS with certificate validation. This would have to be done separately for SSTs and ISTs. For {{mariabackup}} SSTs, there is some information about how to configure TLS here: https://mariadb.com/kb/en/library/mariabackup-sst-method/#tls For {{rsync}} SSTs, there is some information about how to configure TLS here: https://mariadb.com/kb/en/library/introduction-to-state-snapshot-transfers-ssts/#rsync For ISTs, there is some information about how to configure TLS here: https://mariadb.com/kb/en/library/securing-communications-in-galera-cluster/#securing-galera-cluster-replication-traffic h2. New Requested SST/IST Allowlist Some users do not think that any of the current methods are sufficient. They would like MariaDB to implement some method that can be used to allowlist the addresses that are allowed to make SST/IST requests. How could this be implemented? The most intuitive method would probably be to treat {{wsrep_cluster_address}} as a allowlist of the addresses that can make SST/IST requests., This system variable is already used to configure the addresses of the nodes in the cluster, so it would work out-of-the-box for most users. https://mariadb.com/kb/en/library/galera-cluster-system-variables/#wsrep_cluster_address We could also make this behavior optional. For example, we could create a new system variable called {{wsrep_sst_enforce_allowlist}}. If it is set to {{ON}}, then {{wsrep_cluster_address}} is treated as a whitelist for SST/IST requests. If it is set to {{OFF}}, then no allowlist is used. |
Currently, as long as a node has access to Galera Cluster's TCP ports, it is allowed to make SST/IST requests. In general, no authentication is performed.
h2. Current Security Methods Currently, there are basically two ways to prevent an unauthorized node from making SST/IST requests: 1.) Use firewall rules to prevent unauthorized hosts from accessing the Galera Cluster ports. https://mariadb.com/kb/en/library/configuring-mariadb-galera-cluster/#network-ports 2.) Configure your nodes to require TLS with certificate validation. This would have to be done separately for SSTs and ISTs. For {{mariabackup}} SSTs, there is some information about how to configure TLS here: https://mariadb.com/kb/en/library/mariabackup-sst-method/#tls For {{rsync}} SSTs, there is some information about how to configure TLS here: https://mariadb.com/kb/en/library/introduction-to-state-snapshot-transfers-ssts/#rsync For ISTs, there is some information about how to configure TLS here: https://mariadb.com/kb/en/library/securing-communications-in-galera-cluster/#securing-galera-cluster-replication-traffic h2. New Requested SST/IST Allowlist Some users do not think that any of the current methods are sufficient. They would like MariaDB to implement some method that can be used to allowlist the addresses that are allowed to make SST/IST requests. How could this be implemented? The most intuitive method would probably be to treat {{wsrep_cluster_address}} as a allowlist of the addresses that can make SST/IST requests., This system variable is already used to configure the addresses of the nodes in the cluster, so it would work out-of-the-box for most users. https://mariadb.com/kb/en/library/galera-cluster-system-variables/#wsrep_cluster_address We could also make this behavior optional. For example, we could create a new system variable called {{wsrep_sst_enforce_allowlist}}. If it is set to {{ON}}, then {{wsrep_cluster_address}} is treated as a allowlist for SST/IST requests. If it is set to {{OFF}}, then no allowlist is used. |
| Description |
Currently, as long as a node has access to Galera Cluster's TCP ports, it is allowed to make SST/IST requests. In general, no authentication is performed.
h2. Current Security Methods Currently, there are basically two ways to prevent an unauthorized node from making SST/IST requests: 1.) Use firewall rules to prevent unauthorized hosts from accessing the Galera Cluster ports. https://mariadb.com/kb/en/library/configuring-mariadb-galera-cluster/#network-ports 2.) Configure your nodes to require TLS with certificate validation. This would have to be done separately for SSTs and ISTs. For {{mariabackup}} SSTs, there is some information about how to configure TLS here: https://mariadb.com/kb/en/library/mariabackup-sst-method/#tls For {{rsync}} SSTs, there is some information about how to configure TLS here: https://mariadb.com/kb/en/library/introduction-to-state-snapshot-transfers-ssts/#rsync For ISTs, there is some information about how to configure TLS here: https://mariadb.com/kb/en/library/securing-communications-in-galera-cluster/#securing-galera-cluster-replication-traffic h2. New Requested SST/IST Allowlist Some users do not think that any of the current methods are sufficient. They would like MariaDB to implement some method that can be used to allowlist the addresses that are allowed to make SST/IST requests. How could this be implemented? The most intuitive method would probably be to treat {{wsrep_cluster_address}} as a allowlist of the addresses that can make SST/IST requests., This system variable is already used to configure the addresses of the nodes in the cluster, so it would work out-of-the-box for most users. https://mariadb.com/kb/en/library/galera-cluster-system-variables/#wsrep_cluster_address We could also make this behavior optional. For example, we could create a new system variable called {{wsrep_sst_enforce_allowlist}}. If it is set to {{ON}}, then {{wsrep_cluster_address}} is treated as a allowlist for SST/IST requests. If it is set to {{OFF}}, then no allowlist is used. |
Currently, as long as a node has access to Galera Cluster's TCP ports, it is allowed to make SST/IST requests. In general, no authentication is performed.
h2. Current Security Methods Currently, there are basically two ways to prevent an unauthorized node from making SST/IST requests: 1.) Use firewall rules to prevent unauthorized hosts from accessing the Galera Cluster ports. https://mariadb.com/kb/en/library/configuring-mariadb-galera-cluster/#network-ports 2.) Configure your nodes to require TLS with certificate validation. This would have to be done separately for SSTs and ISTs. For {{mariabackup}} SSTs, there is some information about how to configure TLS here: https://mariadb.com/kb/en/library/mariabackup-sst-method/#tls For {{rsync}} SSTs, there is some information about how to configure TLS here: https://mariadb.com/kb/en/library/introduction-to-state-snapshot-transfers-ssts/#rsync For ISTs, there is some information about how to configure TLS here: https://mariadb.com/kb/en/library/securing-communications-in-galera-cluster/#securing-galera-cluster-replication-traffic h2. New Requested SST/IST Allowlist Some users do not think that any of the current methods are sufficient. They would like MariaDB to implement some method that can be used to allowlist the addresses that are allowed to make SST/IST requests. How could this be implemented? The most intuitive method would probably be to treat {{wsrep_cluster_address}} as a allowlist of the addresses that can make SST/IST requests., This system variable is already used to configure the addresses of the nodes in the cluster, so it would work out-of-the-box for most users. https://mariadb.com/kb/en/library/galera-cluster-system-variables/#wsrep_cluster_address |
| Link |
This issue relates to |
| Link |
This issue relates to |
| Fix Version/s | 10.9 [ 26905 ] | |
| Fix Version/s | 10.8 [ 26121 ] |
| Assignee | Ramesh Sivaraman [ JIRAUSER48189 ] | Jan Lindström [ jplindst ] |
| Status | In Testing [ 10301 ] | Stalled [ 10000 ] |
| Priority | Major [ 3 ] | Critical [ 2 ] |
| Status | Stalled [ 10000 ] | In Progress [ 3 ] |
| Status | In Progress [ 3 ] | In Testing [ 10301 ] |
| Assignee | Jan Lindström [ jplindst ] | Ramesh Sivaraman [ JIRAUSER48189 ] |
| Link |
This issue relates to |
| Assignee | Ramesh Sivaraman [ JIRAUSER48189 ] | Jan Lindström [ jplindst ] |
| Status | In Testing [ 10301 ] | Stalled [ 10000 ] |
| Link |
This issue is part of |
| Link |
This issue is part of |
galera-sst-mysqldump constantly fails in this branch, cannot push
| Link |
This issue relates to |
| Assignee | Jan Lindström [ jplindst ] | Mario Karuza [ mkaruza ] |
| Fix Version/s | 10.10 [ 27530 ] | |
| Fix Version/s | 10.9 [ 26905 ] |
| Assignee | Mario Karuza [ mkaruza ] | Jan Lindström [ jplindst ] |
| Status | Stalled [ 10000 ] | In Progress [ 3 ] |
| Assignee | Jan Lindström [ jplindst ] | Mario Karuza [ mkaruza ] |
- Set a new preview branch preview-10.10-allowlist-galera
- Local testing looks good
- Buildbot looks good
| Assignee | Mario Karuza [ mkaruza ] | Jan Lindström [ jplindst ] |
| Status | In Progress [ 3 ] | In Testing [ 10301 ] |
| Assignee | Jan Lindström [ jplindst ] | Ramesh Sivaraman [ JIRAUSER48189 ] |
| Assignee | Ramesh Sivaraman [ JIRAUSER48189 ] | Jan Lindström [ jplindst ] |
| Status | In Testing [ 10301 ] | Stalled [ 10000 ] |
| Description |
Currently, as long as a node has access to Galera Cluster's TCP ports, it is allowed to make SST/IST requests. In general, no authentication is performed.
h2. Current Security Methods Currently, there are basically two ways to prevent an unauthorized node from making SST/IST requests: 1.) Use firewall rules to prevent unauthorized hosts from accessing the Galera Cluster ports. https://mariadb.com/kb/en/library/configuring-mariadb-galera-cluster/#network-ports 2.) Configure your nodes to require TLS with certificate validation. This would have to be done separately for SSTs and ISTs. For {{mariabackup}} SSTs, there is some information about how to configure TLS here: https://mariadb.com/kb/en/library/mariabackup-sst-method/#tls For {{rsync}} SSTs, there is some information about how to configure TLS here: https://mariadb.com/kb/en/library/introduction-to-state-snapshot-transfers-ssts/#rsync For ISTs, there is some information about how to configure TLS here: https://mariadb.com/kb/en/library/securing-communications-in-galera-cluster/#securing-galera-cluster-replication-traffic h2. New Requested SST/IST Allowlist Some users do not think that any of the current methods are sufficient. They would like MariaDB to implement some method that can be used to allowlist the addresses that are allowed to make SST/IST requests. How could this be implemented? The most intuitive method would probably be to treat {{wsrep_cluster_address}} as a allowlist of the addresses that can make SST/IST requests., This system variable is already used to configure the addresses of the nodes in the cluster, so it would work out-of-the-box for most users. https://mariadb.com/kb/en/library/galera-cluster-system-variables/#wsrep_cluster_address |
Currently, as long as a node has access to Galera Cluster's TCP ports, it is allowed to make SST/IST requests. In general, no authentication is performed.
h2. Current Security Methods Currently, there are basically two ways to prevent an unauthorized node from making SST/IST requests: 1.) Use firewall rules to prevent unauthorized hosts from accessing the Galera Cluster ports. https://mariadb.com/kb/en/library/configuring-mariadb-galera-cluster/#network-ports 2.) Configure your nodes to require TLS with certificate validation. This would have to be done separately for SSTs and ISTs. For {{mariabackup}} SSTs, there is some information about how to configure TLS here: https://mariadb.com/kb/en/library/mariabackup-sst-method/#tls For {{rsync}} SSTs, there is some information about how to configure TLS here: https://mariadb.com/kb/en/library/introduction-to-state-snapshot-transfers-ssts/#rsync For ISTs, there is some information about how to configure TLS here: https://mariadb.com/kb/en/library/securing-communications-in-galera-cluster/#securing-galera-cluster-replication-traffic h2. New Requested SST/IST Allowlist Some users do not think that any of the current methods are sufficient. They would like MariaDB to implement some method that can be used to allowlist the addresses that are allowed to make SST/IST requests. How could this be implemented? Introduced a new variable called {{wsrep_allowlist}} to store Galera node IPs in the cluster. If the joiner node IP is not in the {{wsrep_allowlist}}, the Galera cluster will not allow the joiner node to join the cluster. This will help prevent unauthorized access to the cluster -The most intuitive method would probably be to treat {{wsrep_cluster_address}} as a allowlist of the addresses that can make SST/IST requests., This system variable is already used to configure the addresses of the nodes in the cluster, so it would work out-of-the-box for most users.- -https://mariadb.com/kb/en/library/galera-cluster-system-variables/#wsrep_cluster_address- |
ralf.gebhardt@mariadb.com Yes, wsrep_allowlist can be IPv4 or IPv6. It does not accept wildcard IP or hostname. Galera prints warning message in error log if we use Wildcard IP or hostname.
[Warning] WSREP: Invalid IP address 192.168.100.% provided in `wsrep_allowlist` variable
|
|
|
[Warning] WSREP: Invalid IP address localhost provided in `wsrep_allowlist` variable
|
|
|
MariaDB [(none)]> select * from mysql.wsrep_allowlist;
|
Empty set (0.003 sec)
|
|
|
MariaDB [(none)]>
|
| Priority | Critical [ 2 ] | Blocker [ 1 ] |
| Fix Version/s | 10.10.1 [ 27913 ] | |
| Fix Version/s | 10.10 [ 27530 ] | |
| Resolution | Fixed [ 1 ] | |
| Status | Stalled [ 10000 ] | Closed [ 6 ] |
| Labels | galera ist security sst wsrep | Preview_10.10 galera ist security sst wsrep |
| Zendesk Related Tickets | 105280 |
Hi seppo, please review this feature request and lets discuss this in our next call.