server+sql: flag to disable SQL admin sessions on main SQL listener

[knz]

The problem to solve here is how to separate access to a CockroachDB service (eg CC) so that only the DBAs have access to the SQL admin role (including root) and end-users cannot use admin at all. This is important for security, to minimize the chance of escalation of privileges.

To achieve this we want to have at least two different SQL TCP ports (this issue thus depends on resolution of #44842). Then a flag to say that one of these TCP listeners does not accept/support admin sessions.

The way it would look like is a flag in the listener. The flag would be passed to the pgwire.Server. Then we'd have two checks:

• during authentication; if the listener does not accept admin sessions then we would reject the connection attempt immediately without even checking the credentials. This is necessary so that an attacker using the public-facing port cannot discover admin credentials.

• during SQL execution; every time there's a role check, the role retrieval logic would dismiss the admin role if it is observed to be inherited by the current SQL user. The idea here is to block the admin-level privileges that could be granted accidentally to the user after the session is already open.

cc @solongordon @thtruo @aaron-crl for tracking.

Jira issue: CRDB-4046

[aaron-crl]

Do we have additional context as to why we feel this is something we should solve with ports and not internal security permissions? I feel like this might not be the right place to address this concern and might lead to a more complex (rather than simplified) security strategy.

Conversely, is this perhaps a stopgap meant to reduce attack surface until we improve the granularity and consistency of internal permissions?

cc @bdarnell for his input.

[knz]

I think permissions would be sufficient to address the primary goal (restrict end-user access), assuming no (human) mistakes are made while setting up privileges/roles. Also assuming no bugs in the implementation of role/privilege lookups in SQL.

The separate port with a structural limitation on the admin bit would take care of any mixup in the definition of roles/privileges at a deeper level in the code. It's very crude but it has fewer failure modes.

(All this would be moot if we had capabilities inside the code, like you and I discussed before; however we're not there yet.)

[bdarnell]

Do we have additional context as to why we feel this is something we should solve with ports and not internal security permissions?

I think of this as defense-in-depth for CockroachCloud: we could ensure that accounts used by CC internally would only be accessible from behind the CC firewall and not from the outside world, even if their credentials were somehow compromised. (Of course, there are other ways to do this. Postgres and MySQL both let you associate an IP range with a user account limiting that user's login to those network addresses)

Conversely, is this perhaps a stopgap meant to reduce attack surface until we improve the granularity and consistency of internal permissions?

It's the other way around, unfortunately. This mechanism wouldn't become interesting until we have completed the permission refactoring and no longer give CC users full admin privileges. Until then we'd still need to support admin logins on the main public port.

Stripping the admin role from a session depending on which port it connected too feels weird and magical. It's also fairly limiting to make this specific to the admin role. For example, after the permission refactor, CC will use an account for backup/restore operations that doesn't have the full admin role, but still has fairly broad permissions. It would be nice if that account could also be restricted via this mechanism (without saying that all accounts with backup/restore permissions need to use the privileged port). I think something like using hba.conf to limit network access on a per-user basis instead of something that operates at the level of roles might make more sense.

[knz]

For example, after the permission refactor, CC will use an account for backup/restore operations that doesn't have the full admin role, but still has fairly broad permissions. It would be nice if that account could also be restricted via this mechanism (without saying that all accounts with backup/restore permissions need to use the privileged port). I think something like using hba.conf to limit network access on a per-user basis instead of something that operates at the level of roles might make more sense.

Thanks for pointing me to hba.conf. This actually reveals to me that we can use hba.conf for both use cases, assuming the following:

• we complete hba.conf support to also allow filtering by role, not just login username (pg supports this, we don't yet).

  Once this is done, we can filter out admin as described at the top of this issue.

• we add a way to distinguish listeners in hba.conf. Currently, the filtering language only supports constraints on the client IP address; we could extend it to support filtering by server listener as well.

  (To ensure the hba.conf, which is a cluster-wide setting, works on every node, the listener filter shouldn't be expressable only as a server IP address, in case the servers run on multiple DCs; it should have some notion of "listener name" too.)

  Once this is done, we can filter out admin per listener as described at the top of this issue.

By ensuring all the conf goes into the hba.conf rules, there's no magic left as the operator can then look at the rule to understand what's going on.

[knz]

Filed #51596

[knz]

Now that being said, the newly filed issue #51596 would only prevent a particular role from logging in, but would not prevent a session from gaining admin credentials after it logs in.

I would be tempted to add a new HBA config option for the session, like noadmin which says -- whatever session is created that matches this rule, must not be able to gain admin status.

What do you think?

[bdarnell]

As I said before, stripping the admin role from a session depending on which port it connected to feels weird and magical. Although in this context maybe it's less bad than a policy of "users with the admin role can't log in", because that becomes a kind of DoS if you can lock a user out by granting them too much power.

I still feel like this is a lot of complexity for the benefit it offers. We already have several layers of defense here: there is no legitimate way for a CC user to be able to grant the admin role, and the single-tenant-sql/multi-tenant-kv architecture limits the amount of exposure we'd have even if a CC user gained the admin role. Inventing new security surface area just to prevent CC users from using admin privileges doesn't seem like a good tradeoff.

[knz]

I think a lot of these discussions exist only because we have this weird and magic admin role.

If/when we have discrete permissions for all the things that matter, we would not need to special-case admin any more.

Conversely as long as admin remains a thing, we need to add safeguards so that an accidental admin grant in the wrong place does not compromise the entire cluster.

[aaron-crl]

How deeply embedded is our magical admin role? Could we break those permissions out to proper RBAC sooner rather than later and avoid this headache?