Revision 925ad2e1
b/doc/design-node-security.rst | ||
---|---|---|
130 | 130 |
candidate and then still have the power to compromise the whole cluster. |
131 | 131 |
|
132 | 132 |
To mitigate this issue, we propose the following changes: |
133 |
- Add a flag to the cluster configuration |
|
134 |
``master_capability_rapi_modifiable`` which indicates whether or |
|
135 |
not it should be possible to modify the ``master_capable`` flag of |
|
136 |
nodes via RAPI. The flag is set to ``False`` by default and can |
|
137 |
itself only be changed on the commandline. In this design doc, we |
|
138 |
refer to the flag as the "rapi flag" from here on. |
|
133 |
|
|
134 |
- Add a flag ``master_capability_rapi_modifiable`` to the cluster |
|
135 |
configuration which indicates whether or not it should be possible |
|
136 |
to modify the ``master_capable`` flag of nodes via RAPI. The flag is |
|
137 |
set to ``False`` by default and can itself only be changed on the |
|
138 |
commandline. In this design doc, we refer to the flag as the |
|
139 |
"rapi flag" from here on. |
|
139 | 140 |
- Only if the ``master_capabability_rapi_modifiable`` switch is set to |
140 | 141 |
``True``, it is possible to modify the master-capability flag of |
141 | 142 |
nodes. |
142 | 143 |
|
143 | 144 |
With this setup, there are the following definitions of "potential |
144 | 145 |
master candidates" depending on the rapi flag: |
146 |
|
|
145 | 147 |
- If the rapi flag is set to ``True``, all cluster nodes are potential |
146 | 148 |
master candidates, because as described above, all of them can |
147 | 149 |
eventually be made master candidates via RAPI and thus security-wise, |
... | ... | |
176 | 178 |
|
177 | 179 |
On cluster initialization, the following steps are taken in |
178 | 180 |
bootstrap.py: |
181 |
|
|
179 | 182 |
- A public/private key pair is generated (as before), but only used |
180 | 183 |
by the first (and thus master) node. In particular, the private key |
181 | 184 |
never leaves the node. |
... | ... | |
196 | 199 |
Adding a new node will require the following steps. |
197 | 200 |
|
198 | 201 |
In gnt_node.py: |
202 |
|
|
199 | 203 |
- On the new node, a new public/private SSH key pair is generated. |
200 | 204 |
- The public key of the new node is fetched (via SSH) to the master |
201 | 205 |
node and if it is a potential master candidate (see definition above), |
... | ... | |
204 | 208 |
new node's ``authorized_keys`` file (also via SSH). |
205 | 209 |
|
206 | 210 |
In LUNodeAdd in cmdlib/node.py: |
211 |
|
|
207 | 212 |
- The LUNodeAdd determines whether or not the new node is a master |
208 | 213 |
candidate and in any case updates the cluster's configuration with the |
209 | 214 |
new nodes information. (This is not changed by the proposed design.) |
... | ... | |
214 | 219 |
compromised RPC security should not compromise SSH security. |
215 | 220 |
|
216 | 221 |
RPC call execution in noded (on master node): |
222 |
|
|
217 | 223 |
- Check that the public key of the new node is in the |
218 | 224 |
``ganeti_pub_keys`` file of the master node to make sure that no keys |
219 | 225 |
of nodes outside the Ganeti cluster and no keys that are not potential |
... | ... | |
242 | 248 |
RPC call to the master node's node daemon as for adding a node. |
243 | 249 |
|
244 | 250 |
In the RPC call, noded will perform the following steps: |
251 |
|
|
245 | 252 |
- Check that the public key of the node to be demoted is indeed in the |
246 | 253 |
``ganeti_pub_keys`` file to avoid deleting ssh keys of machines that |
247 | 254 |
don't belong to the cluster (and thus potentially lock out the |
... | ... | |
313 | 320 |
When upgrading from a version that has the previous SSH setup to the one |
314 | 321 |
proposed in this design, the upgrade procedure has to involve the |
315 | 322 |
following steps in the post-upgrade hook: |
323 |
|
|
316 | 324 |
- For all nodes, new SSH key pairs are generated. |
317 | 325 |
- All nodes and their public keys are added to the ``ganeti_pub_keys`` |
318 | 326 |
file and the file is copied to all nodes. |
... | ... | |
333 | 341 |
~~~~~~~~~~ |
334 | 342 |
|
335 | 343 |
These downgrading steps will be implemtented from 2.12 to 2.11: |
344 |
|
|
336 | 345 |
- The master node's private/public key pair will be distributed to all |
337 | 346 |
nodes (via SSH) and the individual SSH keys will be backed up. |
338 | 347 |
- The obsolete individual ssh keys will be removed from all nodes' |
Also available in: Unified diff