Revision 0565f862
b/doc/design-node-security.rst | ||
---|---|---|
105 | 105 |
(Re-)Adding nodes to a cluster |
106 | 106 |
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ |
107 | 107 |
|
108 |
According to ``design-node-add.rst``, Ganeti transfers the ssh keys to every
|
|
109 |
node that gets added to the cluster. |
|
108 |
According to :doc:`design-node-add`, Ganeti transfers the ssh keys to
|
|
109 |
every node that gets added to the cluster.
|
|
110 | 110 |
|
111 | 111 |
We propose to change this procedure to treat master candidates and normal |
112 | 112 |
nodes differently. For master candidates, the procedure would stay as is. |
... | ... | |
192 | 192 |
- Instead of using the same certificate for all nodes as both, server |
193 | 193 |
and client certificate, we generate a common server certificate (and |
194 | 194 |
the corresponding private key) for all nodes and a different client |
195 |
certificate (and the corresponding private key) for each node. |
|
195 |
certificate (and the corresponding private key) for each node. All |
|
196 |
those certificates will be self-signed for now. The client |
|
197 |
certificates will use the node UUID as serial number to ensure |
|
198 |
uniqueness within the cluster. |
|
196 | 199 |
- In addition, we store a mapping of |
197 | 200 |
(node UUID, client certificate digest) in the cluster's configuration |
198 | 201 |
and ssconf for hosts that are master or master candidate. |
... | ... | |
248 | 251 |
design (limiting ssh keys to master candidates), but it will be |
249 | 252 |
eliminated with the second part of the design (separate ssh keys for |
250 | 253 |
each master candidate). |
254 |
- Even though this proposal is an improvement towards the previous |
|
255 |
situation in Ganeti, it still does not use the full power of SSL. For |
|
256 |
further improvements, see Section "Related and future work". |
|
251 | 257 |
|
252 | 258 |
Alternative proposals: |
253 | 259 |
|
... | ... | |
379 | 385 |
perform intra-cluster communication. Neither the keys nor the daemons will |
380 | 386 |
be affected by this design for several reasons: |
381 | 387 |
|
382 |
- The hmac key used by ConfD (see ``design-2.1.rst``): the hmac key is still
|
|
388 |
- The hmac key used by ConfD (see :doc:`design-2.1`): the hmac key is still
|
|
383 | 389 |
distributed to all nodes, because it was designed to be used for |
384 | 390 |
communicating with ConfD, which should be possible from all nodes. |
385 | 391 |
For example, the monitoring daemon which runs on all nodes uses it to |
... | ... | |
392 | 398 |
RPC requests is maintained with this design. |
393 | 399 |
|
394 | 400 |
- The rapi SSL key certificate and rapi user/password file 'rapi_users' is |
395 |
already only copied to the master candidates (see ``design-2.1.rst``,
|
|
401 |
already only copied to the master candidates (see :doc:`design-2.1`,
|
|
396 | 402 |
Section ``Redistribute Config``). |
397 | 403 |
|
398 | 404 |
- The spice certificates are still distributed to all nodes, since it should |
... | ... | |
407 | 413 |
Related and Future Work |
408 | 414 |
~~~~~~~~~~~~~~~~~~~~~~~ |
409 | 415 |
|
410 |
Ganeti RPC calls are currently done without server verification. |
|
411 |
Establishing server verification might be a desirable feature, but is |
|
412 |
not part of this design. |
|
416 |
There a couple of suggestions on how to improve the SSL setup even more. |
|
417 |
As a trade-off wrt to complexity and implementation effort, we did not |
|
418 |
implement them yet (as of version 2.11) but describe them here for |
|
419 |
future reference. |
|
420 |
|
|
421 |
- All SSL certificates that Ganeti uses so far are self-signed. It would |
|
422 |
increase the security if they were signed by a common CA. There is |
|
423 |
already a design doc for a Ganeti CA which was suggested in a |
|
424 |
different context (related to import/export). This would also be a |
|
425 |
benefit for the RPC calls. See design doc :doc:`design-impexp2` for |
|
426 |
more information. Implementing a CA is rather complex, because it |
|
427 |
would mean also to support renewing the CA certificate and providing |
|
428 |
and supporting infrastructure to revoke compromised certificates. |
|
429 |
- An extension of the previous suggestion would be to even enable the |
|
430 |
system administrator to use an external CA. Especially in bigger |
|
431 |
setups, where already an SSL infrastructure exists, it would be useful |
|
432 |
if Ganeti can simply be integrated with it, rather than forcing the |
|
433 |
user to use the Ganeti CA. |
|
434 |
- A lighter version of using a CA would be to use the server certificate |
|
435 |
to sign the client certificate instead of using self-signed |
|
436 |
certificates for both. The probleme here is that this would make |
|
437 |
renewing the server certificate rather complicated, because all client |
|
438 |
certificates would need to be resigned and redistributed as well, |
|
439 |
which leads to interesting chicken-and-egg problems when this is done |
|
440 |
via RPC calls. |
|
441 |
- Ganeti RPC calls are currently done without checking if the hostname |
|
442 |
of the node complies with the common name of the certificate. This |
|
443 |
might be a desirable feature, but would increase the effort when a |
|
444 |
node is renamed. |
|
445 |
- The typical use case for SSL is to have one certificate per node |
|
446 |
rather than one shared certificate (Ganeti's noded server certificate) |
|
447 |
and a client certificate. One could change the design in a way that |
|
448 |
only one certificate per node is used, but this would require a common |
|
449 |
CA so that the validity of the certificate can be established by every |
|
450 |
node in the cluster. |
|
451 |
- With the proposed design, the serial numbers of the client |
|
452 |
certificates are set to the node UUIDs. This is technically also not |
|
453 |
complying to how SSL is supposed to be used, as the serial numbers |
|
454 |
should reflect the enumeration of certificates created by the CA. Once |
|
455 |
a CA is implemented, it might be reasonable to change this |
|
456 |
accordingly. The implementation of the proposed design also has the |
|
457 |
drawback of the serial number not changing even if the certificate is |
|
458 |
replaced by a new one (for example when calling ``gnt-cluster renew- |
|
459 |
crypt``), which also does not comply to way SSL was designed to be |
|
460 |
used. |
|
413 | 461 |
|
414 | 462 |
.. vim: set textwidth=72 : |
415 | 463 |
.. Local Variables: |
Also available in: Unified diff