Jira (PDB-2039) PuppetDB node-level securing of command submission


Ryan Senior (JIRA)

Oct 7, 2015, 4:48:03 PM
to puppe...@googlegroups.com
Ryan Senior created an issue
 
PuppetDB / New Feature PDB-2039
PuppetDB node-level securing of command submission
Issue Type: New Feature
Assignee: Unassigned
Created: 2015/10/07 1:47 PM
Fix Versions: PDB 3.2.0
Priority: Normal
Reporter: Ryan Senior

In masterless setups, it's common for the nodes to submit their own commands. This could mean that a node could submit a command on behalf of another node, which is a potential vulnerability. One potential attack scenario is for an attacker to submit a command on behalf of a PostgreSQL node, saying "replicate me to attackernode.com".

We should have a config option that checks the submitting node's client cert and matches that against the certname included in the payload of the command. This config option should allow commands from the nodes themselves or any node that is in the certificate whitelist.

This message was sent by Atlassian JIRA (v6.4.11#64026-sha1:78f6ec4)

Ryan Senior (JIRA)

Oct 19, 2015, 11:44:04 AM
to puppe...@googlegroups.com
Ryan Senior updated an issue
Change By: Ryan Senior
Sprint: PuppetDB 2015-11- 18 4

Andrew Roetker (JIRA)

Oct 19, 2015, 4:11:03 PM
to puppe...@googlegroups.com
Andrew Roetker commented on New Feature PDB-2039
 
Re: PuppetDB node-level securing of command submission

I've updated master such that now there is a single function in `command.clj` which dispatches to the various "command functions", e.g. replace-catalogs, store-reports..., called `process-command`. This function (which replaces a defmulti by the same name) should do the validation of the ssl-client-cn. We should also grab the cert-whitelist like we do for our pdb-routing service and use the whitelist to check if the node is authorized before we match the command client-cn and the actual client-cn.

To summarize, grab the cert-whitelist from the config, use that to make a function which takes an ssl-client-cn and the certname (retrieved from one of our entities) and will produce a fatal error if the command isn't authorized.

Andrew Roetker (JIRA)

Oct 20, 2015, 1:03:05 PM
to puppe...@googlegroups.com

Ryan Senior (JIRA)

Oct 21, 2015, 12:14:03 PM
to puppe...@googlegroups.com

Kenneth Barber (JIRA)

Oct 23, 2015, 7:19:02 AM
to puppe...@googlegroups.com
Kenneth Barber commented on New Feature PDB-2039
 
Re: PuppetDB node-level securing of command submission

Original PR is getting old, I'm going to close it: https://github.com/puppetlabs/puppetdb/pull/1679, but it's still there for reference.

Kenneth Barber (JIRA)

Oct 28, 2015, 3:30:04 PM
to puppe...@googlegroups.com
Kenneth Barber updated an issue
 
Change By: Kenneth Barber
Fix Version/s: PDB 3.2.0

Andrew Roetker (JIRA)

Oct 29, 2015, 1:48:05 PM
to puppe...@googlegroups.com
Andrew Roetker commented on New Feature PDB-2039
 
Re: PuppetDB node-level securing of command submission

We found a problem here: our cert-whitelist config item (when set) restricts querying and command submissions to nodes on the list. This means we can't use the cert-whitelist as a list of nodes authorized to submit commands for every node, without changing the behavior of the cert-whitelist when running masterless.
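
The per-command check summarized in the earlier comment, together with the whitelist conflict described in this one, as an added example that is not part of the thread or of PuppetDB's code. The function names, the one-certname-per-line whitelist format and the hostnames are assumptions made for illustration.

```clojure
;; Added illustration, not PuppetDB source. Every name below is hypothetical.
(ns example.command-authz
  (:require [clojure.string :as str]))

(defn parse-whitelist
  "Whitelist text (assumed format: one certname per line) -> set of names."
  [text]
  (->> (str/split-lines text) (map str/trim) (remove str/blank?) set))

(defn command-authorizer
  "Returns a fn of [ssl-client-cn certname]. It returns true when the client
  is whitelisted or is the node named in the payload, and throws a fatal
  error otherwise. A missing client CN is always rejected."
  [whitelist]
  (fn [ssl-client-cn certname]
    (if (and (not (str/blank? ssl-client-cn))
             (or (contains? whitelist ssl-client-cn)
                 (= ssl-client-cn certname)))
      true
      (throw (ex-info "command not authorized"
                      {:fatal true :ssl-client-cn ssl-client-cn
                       :certname certname})))))

(defn gate-allows?
  "Service-wide meaning of cert-whitelist described in the thread: when the
  list is set, only listed clients may query or submit anything."
  [gate ssl-client-cn]
  (or (empty? gate) (contains? gate ssl-client-cn)))

(defn submit
  "Applies the service-wide gate first, then the per-command check."
  [gate authorized? ssl-client-cn certname]
  (if-not (gate-allows? gate ssl-client-cn)
    :blocked-by-whitelist
    (try (authorized? ssl-client-cn certname)
         :accepted
         (catch clojure.lang.ExceptionInfo _ :fatal-error))))

;; Constructed sample data: one trusted submitter, three submissions.
(def trusted (parse-whitelist "master.example.com\n\n"))
(def attempts [["master.example.com" "db1.example.com"]
               ["db1.example.com" "db1.example.com"]
               ["web1.example.com" "db1.example.com"]])

;; Same list used for the check only (gate unset), then also as the gate.
(doseq [[label gate] [["check only" #{}] ["gate + check" trusted]]
        [cn certname] attempts]
  (println label "|" cn "->" certname "|"
           (submit gate (command-authorizer trusted) cn certname)))
```

With the gate unset, a node can submit only for its own certname; once the same list also acts as the service-wide gate, a masterless node is turned away before the per-command check runs.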

Andrew Roetker (JIRA)

Oct 29, 2015, 2:17:05 PM
to puppe...@googlegroups.com
Andrew Roetker assigned an issue to Unassigned
 
Change By: Andrew Roetker
Assignee: Andrew Roetker

Andrew Roetker (JIRA)

Nov 4, 2015, 2:32:00 AM
to puppe...@googlegroups.com
 
Re: PuppetDB node-level securing of command submission

I'm going to close this ticket and make another to design a different approach for this.


Kurt Wall (JIRA)

Nov 7, 2015, 6:36:06 AM
to puppe...@googlegroups.com
Kurt Wall updated an issue
 
Change By: Kurt Wall
QA Status: Reviewed
QA Risk Assessment: Low
QA Contact: Kurt Wall

Claudia Petty (Jira)

Jun 21, 2023, 10:55:03 AM
to puppe...@googlegroups.com
Claudia Petty updated an issue
Change By: Claudia Petty
Labels: new-feature