[MCOL-5019] creating different keys with cskeys on all nodes can break cluster(key not distributed properly) Created: 2022-03-18  Updated: 2023-10-31

Status: Confirmed
Project: MariaDB ColumnStore
Component/s: N/A
Affects Version/s: 6.2.1, 6.2.3
Fix Version/s: Icebox

Type: Bug Priority: Major
Reporter: Richard Stracke Assignee: Alan Mologorsky
Resolution: Unresolved Votes: 2
Labels: configuration, encryption


Description

The usual process (also at installation) is:

cskeys on every node
cspasswd on every node
mcsSetConfig CrossEngineSupport Password on every node

cskeys creates a key in /var/lib/columnstore/.secrets.
cspasswd creates an encrypted password string based on this key.
mcsSetConfig writes the encrypted password string to Columnstore.xml.

This works properly,
but if a change is made to Columnstore.xml (usually on node 1),
Columnstore.xml is distributed to all nodes,
but the key is not.

Afterwards we have the situation that
the keys (/var/lib/columnstore/.secrets) are different on every node,
but the encrypted password string in Columnstore.xml is the same on all nodes, based on the key of node 1.

Workaround:

run cskeys on one node
copy /var/lib/columnstore/.secrets to every other node
run cspasswd on each node

Suggestion:

If ColumnStore distributes Columnstore.xml, it also has to distribute /var/lib/columnstore/.secrets (if any)
whenever Section: CrossEngineSupport, Value: Password was changed in Columnstore.xml.
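A check for the situation described above, added here as an example and not part of the original report: it collects a hash of /var/lib/columnstore/.secrets and of the configured CrossEngineSupport Password from each node and flags the case where the keys differ between nodes while the encrypted password is identical. It assumes passwordless ssh to each node as a user that can read .secrets, and that mcsGetConfig is available on the nodes.

```bash
#!/usr/bin/env bash
# Added example, not part of MCOL-5019: detect .secrets keys that differ
# between nodes while Columnstore.xml carries the same encrypted Password.
# Assumptions: ssh works without a prompt, the ssh user can read .secrets
# (e.g. root), and mcsGetConfig exists on every node.

SECRETS_FILE="/var/lib/columnstore/.secrets"

# Emit one line per node: "<node> <sha256 of .secrets> <sha256 of Password>".
# Hashing the Password keeps the ciphertext itself out of logs.
collect_node_state() {
  local node
  for node in "$@"; do
    ssh -o BatchMode=yes "$node" \
      "k=\$(sha256sum $SECRETS_FILE | cut -d' ' -f1); \
       p=\$(mcsGetConfig CrossEngineSupport Password | sha256sum | cut -d' ' -f1); \
       echo $node \$k \$p"
  done
}

# Pure comparison over the collected lines (read from stdin).
# Returns 0 when all nodes share one key and one Password value,
#         1 when the key differs between nodes (the MCOL-5019 situation),
#         2 when keys agree but the Password value differs (xml not distributed).
check_consistency() {
  local input key_count pw_count
  input=$(cat)
  key_count=$(printf '%s\n' "$input" | awk '{print $2}' | sort -u | wc -l | tr -d ' ')
  pw_count=$(printf '%s\n' "$input" | awk '{print $3}' | sort -u | wc -l | tr -d ' ')
  if [ "$key_count" -ne 1 ]; then
    echo "MISMATCH: $key_count distinct .secrets keys across nodes;" \
         "the Password in Columnstore.xml can only be decrypted where it was generated" >&2
    return 1
  elif [ "$pw_count" -ne 1 ]; then
    echo "WARN: keys agree but $pw_count distinct Password values in Columnstore.xml" >&2
    return 2
  fi
  echo "OK: same key and same encrypted Password on all nodes"
  return 0
}

# Usage: ./check_cskeys.sh node1 node2 node3
if [ "$#" -gt 0 ]; then
  collect_node_state "$@" | check_consistency
fi
```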



Comments
Comment by Richard Stracke [ 2023-04-19 ]

It seems a safer solution is to store the key on data1, which is a shared folder.

On Primary:
sudo cskeys /var/lib/columnstore/data1
 
On all nodes:
sudo cspasswd /var/lib/columnstore/data1 <password> | sudo tee --append /var/lib/columnstore/data1/encpw.txt
sudo mcsSetConfig CrossEngineSupport Password "$(sudo cat /var/lib/columnstore/data1/encpw.txt)"

Generated at Thu Feb 08 02:54:45 UTC 2024 using Jira 8.20.16#820016-sha1:9d11dbea5f4be3d4cc21f03a88dd11d8c8687422.