sql,security: support storing SCRAM hashes in ALTER/CREATE USER/ROLE (scram 3/10)#74843
Merged
craig[bot] merged 1 commit intomasterfrom Jan 21, 2022
Merged
sql,security: support storing SCRAM hashes in ALTER/CREATE USER/ROLE (scram 3/10)#74843craig[bot] merged 1 commit intomasterfrom
craig[bot] merged 1 commit intomasterfrom
Conversation
Member
|
This change is |
This was referenced Jan 14, 2022
Contributor
Author
|
|
rafiss
approved these changes
Jan 14, 2022
Collaborator
rafiss
left a comment
There was a problem hiding this comment.
lgtm; i left a comment which maybe can be considered for a separate PR (or if you feel it's easy to add to this one feel free)
Reviewable status:
complete! 0 of 0 LGTMs obtained (waiting on @knz and @rafiss)
-- commits, line 28 at r1:
instead of linking to the RFC (whose instructions i find hard to follow), what are your thoughts on introducing a builtin function that does these steps? maybe crdb_internal.generate_scram_hash(salt, iter_count, stored_key, server_key)
Contributor
Author
So you'd want the client to compute the stored_key and server_key, and only use the SQL-side builtin to do the base64 encoding? |
Contributor
Author
|
NB: I'm holding off merging this PR until all the PRs in the sequence are ready (otherwise, the entire chain will be auto-closed by github). |
This commit introduces the ability to *store* SCRAM hashes. Note: in this commit they are not yet used to authenticate SQL clients. Authentication will fail if a SCRAM hash is the only credential available to a user account. Release note (sql change): The `CREATE ROLE` and `ALTER ROLE` statements now accept password hashes computed using the SCRAM-SHA-256 method, for example: `CREATE USER foo WITH PASSWORD 'SCRAM-SHA-256$4096:B5VaT...'`. As for other types of pre-hashed passwords, this auto-detection can be disabled by changing the cluster setting `server.user_login.store_client_pre_hashed_passwords.enabled` to `false`. To ascertain whether a SCRAM-SHA-256 password hash will be recognized as such, orchestration code can use the built-in function `crdb_internal.check_password_hash_format()` that had been previously introduced. The encoding of the SCRAM-SHA-256 password should be performed as follows: 1. take the cleartext password string. 2. generate a salt, iteration count, stored key and server key as per [RFC 5802](https://datatracker.ietf.org/doc/html/rfc5802). 3. encode the hash into the format recognized by CockroachDB: the string `SCRAM-SHA-256$`, followed by the iteration count, followed by `:`, followed by the base64-encoded salt, followed by `$`, followed by the base-64 stored key, followed by `:`, followed by the base-64 server key.
craig bot
pushed a commit
that referenced
this pull request
Jan 21, 2022
74301: sql,server: support SCRAM authentication for SQL sessions r=rafiss,JeffSwenson,bdarnell,aaron-crl,kpatron-cockroachlabs a=knz Fixes #42519. Fixes #74511. Informs #65117. Epic CRDB-5349 **tldr:** this PR adds support for the SCRAM-SHA-256 authentication method, as defined by IETF RFCs [5802](https://datatracker.ietf.org/doc/html/rfc5802) and [7677](https://datatracker.ietf.org/doc/html/rfc7677) and as supported by PostgreSQL. This offers [multiple security benefits](#scram-benefits) over CockroachDB's current use of cleartext password authentication. To use this feature, 1) the stored password hashes must use the SCRAM encoding (this requires a migration away from crdb's bcrypt-based hashes); and 2) one of the SCRAM authentication methods must be enabled explictly via the HBA configuration (cluster setting `server.host_based_authentication.configuration`). ### How to review this work The addition of the feature goes as follows: 1. adding HBA syntax and authentication method hooks for `scram-sha-256` and `cert-scram-sha-256`. These are gated behind a new cluster version, so that previous-version nodes do not get confused by the new syntax. Split into separate PR: #74842 2. extending ALTER/CREATE USER/ROLE WITH PASSWORD to recognize SCRAM hashes. This allows operators to use these SQL statements to populate SCRAM hashes. (This should also be seen as the more desirable way to configure SQL user accounts: it ensures that the CockroachDB node never ever sees the cleartext password of an account. Even if we later support computing the SCRAM hash server-side, pre-computing the hash client-side should be seen and documented as the superior approach.) Split into separate PR: #74843 3. extending the existing cleartext methods inside CockroachDB (used for the HTTP interface and the `password`-based methods in SQL) to compare a cleartext password to a pre-computed SCRAM hash. This ensures that the existing password mechanisms that are cleartext-based continue to work even after the stored credentials start using the SCRAM encoding. Split into separate PRs: #74844 and #74845 4. extending the code created at step 1 to actually use the stored SCRAM credentials for client authentication. This achieves the main goal. Split into separate PRs: #74846 and #74847 5. making the hash method used to encode cleartext passwords passed to ALTER/CREATE USER/ROLE WITH PASSWORD configurable, using a new cluster setting `server.user_login.password_encryption`, and exposing its value via the pg-compatible session variable `password_encryption`. This is a convenience feature - properly secured deployments should not need this, as they should use pre-hashing client-side instead (see note at point 2 above). Split into separate PR: #74848 6. making crdb auto-select SCRAM authn if the stored password uses SCRAM. This is one step to ensuring that previous-version clusters are automatically opted into SCRAM. Split into separate PR: #74849 7. Auto-upgrade the stored credentials from bcrypt to SCRAM, when enabled and possible. Split into separate PR: #74850 The reviewer is invited to consider each PR in turn, read its commit message(s) to understand the goal of that PR, then review the PR to ascertain that the implementation (and relevant tests) match the goals announced in the commit message. Co-authored-by: Raphael 'kena' Poss <knz@thaumogen.net>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
(PR peeled away from #74301; previous PR in series #74842; next PR in series: #74844)
Epic CRDB-5349
This commit introduces the ability to store SCRAM hashes.
Note: in this commit they are not yet used to authenticate
SQL clients. Authentication will fail if a SCRAM hash is the only
credential available to a user account.
Release note (sql change): The
CREATE ROLEandALTER ROLEstatements now accept password hashes computed using the SCRAM-SHA-256
method, for example:
CREATE USER foo WITH PASSWORD 'SCRAM-SHA-256$4096:B5VaT...'.As for other types of pre-hashed passwords, this auto-detection can be
disabled by changing the cluster setting
server.user_login.store_client_pre_hashed_passwords.enabledtofalse.To ascertain whether a SCRAM-SHA-256 password hash will be recognized
as such, orchestration code can use the built-in function
crdb_internal.check_password_hash_format()that had been previously introduced.The encoding of the SCRAM-SHA-256 password should be performed as
follows:
RFC 5802.
string
SCRAM-SHA-256$, followed by the iteration count,followed by
:, followed by the base64-encoded salt, followedby
$, followed by the base-64 stored key, followed by:,followed by the base-64 server key.