Revision 925ad2e1
| b/doc/design-node-security.rst | ||
|---|---|---|
| 130 | 130 |
candidate and then still have the power to compromise the whole cluster. |
| 131 | 131 |
|
| 132 | 132 |
To mitigate this issue, we propose the following changes: |
| 133 |
- Add a flag to the cluster configuration |
|
| 134 |
``master_capability_rapi_modifiable`` which indicates whether or |
|
| 135 |
not it should be possible to modify the ``master_capable`` flag of |
|
| 136 |
nodes via RAPI. The flag is set to ``False`` by default and can |
|
| 137 |
itself only be changed on the commandline. In this design doc, we |
|
| 138 |
refer to the flag as the "rapi flag" from here on. |
|
| 133 |
|
|
| 134 |
- Add a flag ``master_capability_rapi_modifiable`` to the cluster |
|
| 135 |
configuration which indicates whether or not it should be possible |
|
| 136 |
to modify the ``master_capable`` flag of nodes via RAPI. The flag is |
|
| 137 |
set to ``False`` by default and can itself only be changed on the |
|
| 138 |
commandline. In this design doc, we refer to the flag as the |
|
| 139 |
"rapi flag" from here on. |
|
| 139 | 140 |
- Only if the ``master_capabability_rapi_modifiable`` switch is set to |
| 140 | 141 |
``True``, it is possible to modify the master-capability flag of |
| 141 | 142 |
nodes. |
| 142 | 143 |
|
| 143 | 144 |
With this setup, there are the following definitions of "potential |
| 144 | 145 |
master candidates" depending on the rapi flag: |
| 146 |
|
|
| 145 | 147 |
- If the rapi flag is set to ``True``, all cluster nodes are potential |
| 146 | 148 |
master candidates, because as described above, all of them can |
| 147 | 149 |
eventually be made master candidates via RAPI and thus security-wise, |
| ... | ... | |
| 176 | 178 |
|
| 177 | 179 |
On cluster initialization, the following steps are taken in |
| 178 | 180 |
bootstrap.py: |
| 181 |
|
|
| 179 | 182 |
- A public/private key pair is generated (as before), but only used |
| 180 | 183 |
by the first (and thus master) node. In particular, the private key |
| 181 | 184 |
never leaves the node. |
| ... | ... | |
| 196 | 199 |
Adding a new node will require the following steps. |
| 197 | 200 |
|
| 198 | 201 |
In gnt_node.py: |
| 202 |
|
|
| 199 | 203 |
- On the new node, a new public/private SSH key pair is generated. |
| 200 | 204 |
- The public key of the new node is fetched (via SSH) to the master |
| 201 | 205 |
node and if it is a potential master candidate (see definition above), |
| ... | ... | |
| 204 | 208 |
new node's ``authorized_keys`` file (also via SSH). |
| 205 | 209 |
|
| 206 | 210 |
In LUNodeAdd in cmdlib/node.py: |
| 211 |
|
|
| 207 | 212 |
- The LUNodeAdd determines whether or not the new node is a master |
| 208 | 213 |
candidate and in any case updates the cluster's configuration with the |
| 209 | 214 |
new nodes information. (This is not changed by the proposed design.) |
| ... | ... | |
| 214 | 219 |
compromised RPC security should not compromise SSH security. |
| 215 | 220 |
|
| 216 | 221 |
RPC call execution in noded (on master node): |
| 222 |
|
|
| 217 | 223 |
- Check that the public key of the new node is in the |
| 218 | 224 |
``ganeti_pub_keys`` file of the master node to make sure that no keys |
| 219 | 225 |
of nodes outside the Ganeti cluster and no keys that are not potential |
| ... | ... | |
| 242 | 248 |
RPC call to the master node's node daemon as for adding a node. |
| 243 | 249 |
|
| 244 | 250 |
In the RPC call, noded will perform the following steps: |
| 251 |
|
|
| 245 | 252 |
- Check that the public key of the node to be demoted is indeed in the |
| 246 | 253 |
``ganeti_pub_keys`` file to avoid deleting ssh keys of machines that |
| 247 | 254 |
don't belong to the cluster (and thus potentially lock out the |
| ... | ... | |
| 313 | 320 |
When upgrading from a version that has the previous SSH setup to the one |
| 314 | 321 |
proposed in this design, the upgrade procedure has to involve the |
| 315 | 322 |
following steps in the post-upgrade hook: |
| 323 |
|
|
| 316 | 324 |
- For all nodes, new SSH key pairs are generated. |
| 317 | 325 |
- All nodes and their public keys are added to the ``ganeti_pub_keys`` |
| 318 | 326 |
file and the file is copied to all nodes. |
| ... | ... | |
| 333 | 341 |
~~~~~~~~~~ |
| 334 | 342 |
|
| 335 | 343 |
These downgrading steps will be implemtented from 2.12 to 2.11: |
| 344 |
|
|
| 336 | 345 |
- The master node's private/public key pair will be distributed to all |
| 337 | 346 |
nodes (via SSH) and the individual SSH keys will be backed up. |
| 338 | 347 |
- The obsolete individual ssh keys will be removed from all nodes' |
Also available in: Unified diff