Revision 575b31bf doc/design-node-security.rst
| b/doc/design-node-security.rst | ||
|---|---|---|
| 46 | 46 |
|
| 47 | 47 |
- the ssh host keys (public and private) |
| 48 | 48 |
- the ssh root keys (public and private) |
| 49 |
- node daemon certificates (the SSL client certificate and its
|
|
| 49 |
- node daemon certificate (the SSL client certificate and its |
|
| 50 | 50 |
corresponding private key) |
| 51 | 51 |
|
| 52 | 52 |
Concerning ssh, this setup contains the following security issue. Since |
| ... | ... | |
| 330 | 330 |
candidate. |
| 331 | 331 |
- Whether the master candidate's certificate digest match their entry |
| 332 | 332 |
in the candidate map. |
| 333 |
- Whether no node tries to use the certificate of another node. In |
|
| 334 |
particular, it is important to check that no normal node tries to |
|
| 335 |
use the certificate of a master candidate. |
|
| 333 | 336 |
|
| 334 | 337 |
|
| 335 | 338 |
Crypto renewal |
| ... | ... | |
| 340 | 343 |
renewed (among others). Option ``--new-cluster-certificate`` renews the |
| 341 | 344 |
node daemon certificate only. |
| 342 | 345 |
|
| 343 |
Additionally to the renewal of the node daemon server certificate, we |
|
| 344 |
propose to renew all client certificates when ``gnt-cluster |
|
| 345 |
renew-crypto`` is called without another option. |
|
| 346 |
|
|
| 347 | 346 |
By adding an option ``--new-node-certificates`` we offer to renew the |
| 348 |
client certificates only. Whenever the client certificates are renewed, the
|
|
| 347 |
client certificate. Whenever the client certificates are renewed, the |
|
| 349 | 348 |
candidate map has to be updated and redistributed. |
| 350 | 349 |
|
| 351 |
If for whatever reason there is an entry in the candidate map of a node |
|
| 352 |
that is not a master candidate (for example due inconsistent updating |
|
| 353 |
after a demotion or offlining), we offer the user to remove the entry |
|
| 354 |
from the candidate list (for example if cluster verify detects this |
|
| 355 |
inconsistency). We propose to implement a new option called |
|
| 356 |
|
|
| 357 |
:: |
|
| 358 |
gnt-cluster renew-crypto --update-candidate-map |
|
| 359 |
|
|
| 360 |
TODO: describe what exactly should happen here |
|
| 350 |
If for whatever reason, the candidate map becomes inconsistent, for example |
|
| 351 |
due inconsistent updating after a demotion or offlining), the user can use |
|
| 352 |
this option to renew the client certificates and update the candidate |
|
| 353 |
certificate map. |
|
| 361 | 354 |
|
| 362 | 355 |
|
| 363 | 356 |
Further considerations |
Also available in: Unified diff