[MDEV-27246] Implement a method to add IPs to allowlist for Galera Cluster node addresses that can make SST/IST requests Created: 2019-10-10 Updated: 2023-03-22 Resolved: 2022-08-02 |
|
| Status: | Closed |
| Project: | MariaDB Server |
| Component/s: | Authentication and Privilege System, Galera, Galera SST, wsrep |
| Fix Version/s: | 10.10.1 |
| Type: | Task | Priority: | Blocker |
| Reporter: | Geoff Montee (Inactive) | Assignee: | Jan Lindström (Inactive) |
| Resolution: | Fixed | Votes: | 3 |
| Labels: | Preview_10.10, galera, ist, security, sst, wsrep | ||
| Issue Links: |
|
||||||||||||||||||||||||
| Description |
|
Currently, as long as a node has access to Galera Cluster's TCP ports, it is allowed to make SST/IST requests. In general, no authentication is performed. Current Security MethodsCurrently, there are basically two ways to prevent an unauthorized node from making SST/IST requests: 1.) Use firewall rules to prevent unauthorized hosts from accessing the Galera Cluster ports. https://mariadb.com/kb/en/library/configuring-mariadb-galera-cluster/#network-ports 2.) Configure your nodes to require TLS with certificate validation. This would have to be done separately for SSTs and ISTs. For mariabackup SSTs, there is some information about how to configure TLS here: https://mariadb.com/kb/en/library/mariabackup-sst-method/#tls For rsync SSTs, there is some information about how to configure TLS here: https://mariadb.com/kb/en/library/introduction-to-state-snapshot-transfers-ssts/#rsync For ISTs, there is some information about how to configure TLS here: New Requested SST/IST AllowlistSome users do not think that any of the current methods are sufficient. They would like MariaDB to implement some method that can be used to allowlist the addresses that are allowed to make SST/IST requests. How could this be implemented? Introduced a new variable called wsrep_allowlist to store Galera node IPs in the cluster. If the joiner node IP is not in the wsrep_allowlist, the Galera cluster will not allow the joiner node to join the cluster. This will help prevent unauthorized access to the cluster
-https://mariadb.com/kb/en/library/galera-cluster-system-variables/#wsrep_cluster_address- |
| Comments |
| Comment by Ralf Gebhardt [ 2019-11-29 ] | ||||||||
|
Hi seppo, please review this feature request and lets discuss this in our next call. | ||||||||
| Comment by Manjot Singh (Inactive) [ 2020-10-06 ] | ||||||||
|
Workaround: use ssl certificates in wsrep_provider_options | ||||||||
| Comment by Jan Lindström (Inactive) [ 2021-12-14 ] | ||||||||
| ||||||||
| Comment by Jan Lindström (Inactive) [ 2022-02-09 ] | ||||||||
| ||||||||
| Comment by Ramesh Sivaraman [ 2022-03-16 ] | ||||||||
|
ok to push | ||||||||
| Comment by Sergei Golubchik [ 2022-03-18 ] | ||||||||
|
galera-sst-mysqldump constantly fails in this branch, cannot push | ||||||||
| Comment by Sergei Golubchik [ 2022-03-18 ] | ||||||||
|
the branch was renamed to bb-10.9- | ||||||||
| Comment by Jan Lindström (Inactive) [ 2022-05-26 ] | ||||||||
|
New branch: preview-10.10- | ||||||||
| Comment by Jan Lindström (Inactive) [ 2022-06-06 ] | ||||||||
|
Latest version fails on regression testing | ||||||||
| Comment by Jan Lindström (Inactive) [ 2022-06-15 ] | ||||||||
| ||||||||
| Comment by Jan Lindström (Inactive) [ 2022-06-15 ] | ||||||||
|
ramesh Can you do short testing on preview version. | ||||||||
| Comment by Ramesh Sivaraman [ 2022-06-22 ] | ||||||||
|
jplindst preview version looks good. | ||||||||
| Comment by Ralf Gebhardt [ 2022-06-23 ] | ||||||||
|
ramesh, and wsrep_allowlist can be a ip4, ip6 or a hostname? Can it include wildcards? | ||||||||
| Comment by Ramesh Sivaraman [ 2022-06-23 ] | ||||||||
|
ralf.gebhardt@mariadb.com Yes, wsrep_allowlist can be IPv4 or IPv6. It does not accept wildcard IP or hostname. Galera prints warning message in error log if we use Wildcard IP or hostname.
|