pgwire/hba: fix the HBA parser#43779
Merged
craig[bot] merged 1 commit intocockroachdb:masterfrom Jan 7, 2020
Merged
Conversation
Member
|
This change is |
4f73ef2 to
0727897
Compare
0727897 to
33b6119
Compare
madelynnblue
approved these changes
Jan 7, 2020
pkg/sql/pgwire/hba/scanner.go
Outdated
| }{ | ||
| {r: rule{`[ \t\r,]*` /*******/, func(l *lex) (bool, error) { return false, nil }}}, | ||
| {r: rule{`#.*$` /************/, func(l *lex) (bool, error) { return false, nil }}}, | ||
| {r: rule{`[^", \t\r,]+,?` /**/, func(l *lex) (bool, error) { l.checkComma(); l.Value = l.lexed; return true, nil }}}, |
Contributor
There was a problem hiding this comment.
comma appears twice here
Contributor
Author
There was a problem hiding this comment.
wow nicely spotted. Fixed.
Previously, the HBA rule parser would not properly support the pg split format for separate address and netmask. When the 4th column of a rule in the setting `server.host_based_authentication.configuration` is an IP address, the 5th column is expected to be an IP netmask. Prior to this patch, the HBA parser would not recognize the netmask syntax and instead expect a simple number of bits set (which is not valid pg syntax). This patch fixes this and adds the corresponding tests. Additionally, this patch replaces the HBA rule parser by one inspired from pg's own implementation, so as to ease future maintainance. Release note (bug fix): When the 4th column of a rule in the setting `server.host_based_authentication.configuration` is an IP address without a mask length (e.g. `1.2.3.4` instead of `1.2.0.0/16`), CockroachDB now properly interprets the 5th column as an IP netmask, as per https://www.postgresql.org/docs/current/auth-pg-hba-conf.html.
33b6119 to
87e150d
Compare
Contributor
Author
|
TFYR! bors r+ |
craig bot
pushed a commit
that referenced
this pull request
Jan 7, 2020
43764: storage: change command registration to declare if ro/rw r=irfansharif a=irfansharif This PR reworks parts of #26916. It's not strictly necessary, but is a quality of life improvement. There are also miscellaneous cleanups around TeeEngine, RocksDB benchmarks, etc. Previous to this we relied on engine.NewReadOnly's runtime panics when receiving writes to ensure that read-only commands do not accidentally write data. By changing the command registration process to have commands declare upfront whether they are read-only or read-write, we can plumb in engine.Reader or engine.ReadWriter respectively. It's nice rely on the type system to assert these guarantees. NB: There's still the unaddressed wart that is replica read code paths operating off an engine.ReadWriter. Changing this out would require a refactor of replica evaluation code paths, which I'm not doing now. This PR however paves the way for that. Release note: None 43779: pgwire/hba: fix the HBA parser r=knz a=knz Previously, the HBA rule parser would not properly support the pg split format for separate address and netmask. When the 4th column of a rule in the setting `server.host_based_authentication.configuration` is an IP address, the 5th column is expected to be an IP netmask. Prior to this patch, the HBA parser would not recognize the netmask syntax and instead expect a simple number of bits set (which is not valid pg syntax). This patch fixes this and adds the corresponding tests. Additionally, this patch replaces the HBA rule parser by one inspired from pg's own implementation, so as to ease future maintainance. Release note (bug fix): When the 4th column of a rule in the setting `server.host_based_authentication.configuration` is an IP address without a mask length (e.g. `1.2.3.4` instead of `1.2.0.0/16`), CockroachDB now properly interprets the 5th column as an IP netmask, as per https://www.postgresql.org/docs/current/auth-pg-hba-conf.html. Co-authored-by: irfan sharif <irfanmahmoudsharif@gmail.com> Co-authored-by: Raphael 'kena' Poss <knz@thaumogen.net>
Contributor
Build succeeded |
craig bot
pushed a commit
that referenced
this pull request
Jan 7, 2020
43726: pgwire: clarify the special cases as pre-defined HBA rules r=knz a=knz First commit from #43779. This PR is needed ahead of fixing #31113, which will require supporting `local` HBA rules. Prior to this patch, the authentication code was relatively complex to understand: - the code path to use the HBA configuration would only be activated if the cluster setting was set. There was a special case if it wasn't. The special case was in the per-conn auth logic. - the special case for the root login escape was also present in the per-conn auth logic. - every time the cluster setting would be updated, the result of parsing the setting was cached as-is, and the textual strings re-interpreted over and over upon every connection. This complexity can be interpreted as a defect, for the main reason that **the per-conn auth code should be as simple as possible** to facilitate security audits and future maintainance. Additionally, an argument could be made that the per-conn re-interpretation of the result was a performance mishap. This patch aims to simplify the per-conn auth logic by folding all the special casing as pre-defined rules in the HBA configuration: - the default logic (when the cluster setting is empty or invalid) becomes a predefined HBA configuration with just two rules: host all root all cert host all all all cert-password - each time the config is loaded from a cluster setting, the root escape is implemented by force-inserting `host all root all cert` at the start of the configuration. With this in place, the auth logic can be simplified to always and exclusively use the HBA rules. This special casing can also be inspected in the output of `/debug/hba_conf`. Additionally, this patch optimizes the code by pre-normalizing upfront when the setting is updated. Normalizing includes: - unicode-normalizing and case-folding usernames, since the username upon new connection is also normalized and case-folded. - expanding lists of multiple usernames into multiple rules, so that the checking code can be simplified to only check one username per rule. Release note (security): The authentication code for new SQL connections has been simplified to always use the HBA configuration defined per `server.host_based_authentication.configuration`. The format of this file generally follows that of `pg_hba.conf` as defined here: https://www.postgresql.org/docs/current/auth-pg-hba-conf.html. Upon each configuration change, CockroachDB auto-magically inserts the entry `host all root all cert` as a first rule, to ensure the root user can always log in with a valid client certificate. If the configuration is set to empty, or found to be invalid in the cluster setting, the following default configuration is automatically used: host all root all cert host all all all cert-password At any moment the current configuration on each node can be inspected using the `/debug/hba_conf` URL on the HTTP endpoint. The list of valid authentication methods is currently: - `cert`, for certificate-based authentication over a SSL connection exclusively; - `cert-password`, which allows either cert-based or password-based authentication over a SSL connection; - `password` for password-based authentication over a SSL connection; - `gss` for Kerberos-based authentication over a SSL connection, enabled when running a CCL binary and an Enterprise license. In effect CockroachDB treats all the `host` rules as `hostssl`, and behaves as per a default of `hostnossl all all all reject`. It is not currently possible to define authentication rules over non-SSL connections: as of this writing, non-SSL connections are only possible when running with `--insecure`, and on insecure nodes all the authentication logic is entirely disabled. This behavior remains equivalent to previous CockroachDB versions, and this change is only discussed here for clarity. Co-authored-by: Raphael 'kena' Poss <knz@thaumogen.net>
Contributor
Author
|
(found while working on #31113) |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Previously, the HBA rule parser would not properly support the pg
split format for separate address and netmask.
When the 4th column of a rule in
the setting
server.host_based_authentication.configurationisan IP address, the 5th column is expected to be an IP netmask.
Prior to this patch, the HBA parser would not recognize the netmask
syntax and instead expect a simple number of bits set (which is not
valid pg syntax).
This patch fixes this and adds the corresponding tests.
Additionally, this patch replaces the HBA rule parser by one inspired
from pg's own implementation, so as to ease future maintainance.
Release note (bug fix): When the 4th column of a rule in the setting
server.host_based_authentication.configurationis an IP addresswithout a mask length (e.g.
1.2.3.4instead of1.2.0.0/16),CockroachDB now properly interprets the 5th column as an IP netmask,
as per https://www.postgresql.org/docs/current/auth-pg-hba-conf.html.