XTRADB Security


Matt Riddell

May 20, 2017, 1:09:32 PM
to Percona Discussion
Hi all, 

I'm setting up an XtraDB cluster and everything works fine, but what stops someone from just saying they are a node and receiving all the data?

I have added 2 nodes and an arbitrator but don't think I had to do anything in terms of auth for the arbitrator.

If I add another cluster node there doesn't seem to be any type of authentication.

Is it done by the list of IPs on the other nodes?

Or is it something to do with wsrep_sst_auth?

I thought that wsrep_sst_auth was just for connecting to the local machine though?

Or are we supposed to secure it via iptables or something and there is no authentication?

Kenn Takara

May 21, 2017, 12:08:08 AM
to percona-d...@googlegroups.com
Hi Matt,

By default, there is nothing to stop another node from joining the cluster.
- The cluster address is just a starting point; a node uses the list to locate a cluster.

PXC does not authenticate (we do not verify the identity of the node), but authorization to access/join the cluster is provided through possession of the necessary keys/certs/secrets.

Authorization is provided through use of secure channels (see https://www.percona.com/doc/percona-xtradb-cluster/LATEST/howtos/encrypt-traffic.html).

For example, if SSL encryption of SST traffic is enabled ("encrypt=2" or "encrypt=4"), then the certs are verified against the CA file on the server. In this case, the possession of the correct cert is what authorizes the node to join the cluster.

Note: In general, the recommended setup is to use the same certs/keys/CA files across the cluster.


--
Kenn Takara
Software Engineer, Percona
Honolulu, HI, USA (GMT -10:00)

David Bennett

May 22, 2017, 6:34:02 PM
to Percona Discussion
Hi Matt,

In addition to Kenn's comments:

The [mysqld] wsrep_provider_options concerning cert/key setup can be passed to garbd via the -o command line parameter. Alternatively, the cert/key options can be specified as GALERA_OPTIONS in the /etc/default/garbd file (Debian/Ubuntu) or /etc/sysconfig/garb (RHEL/CentOS) configuration file.

--Dave
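Putting Kenn's and Dave's replies together, here is what one node's my.cnf looks like when both channels a joining node touches (the Galera group communication link on 4567 and the SST transfer) require a certificate that chains to a CA private to the cluster. This is an added example, not configuration from the thread or from Percona's documentation; the host addresses, file paths and the wsrep_provider path are assumptions, and the SST user/password is a placeholder.

```ini
# Added example: one PXC node's my.cnf with cert-based cluster membership.
# Paths, addresses and the provider location are assumptions; adjust to the host.

[mysqld]
# Assumed package location of the Galera 3 provider for PXC 5.7.
wsrep_provider=/usr/lib/galera3/libgalera_smm.so
# Constructed addresses; the list is only used to find the cluster, not to gate who may join.
wsrep_cluster_address=gcomm://10.0.0.11,10.0.0.12,10.0.0.13
wsrep_sst_method=xtrabackup-v2
# Placeholder credentials. These are the MySQL account the SST script uses on the
# donor's own mysqld to run the backup; they do not authenticate the joining node.
wsrep_sst_auth=sstuser:REPLACE_WITH_SST_PASSWORD

# Weak default: no socket.ssl_* options at all. Any host that can reach port 4567
# and names the cluster in gcomm:// can join and receive the full data set.
# wsrep_provider_options=""

# Hardened: group communication is TLS, and every peer's certificate must
# chain to ca.pem, so joining requires a cert issued by the cluster's CA.
wsrep_provider_options="socket.ssl_key=/etc/mysql/certs/server-key.pem;socket.ssl_cert=/etc/mysql/certs/server-cert.pem;socket.ssl_ca=/etc/mysql/certs/ca.pem"

[sst]
# encrypt=4 is the OpenSSL-based SST encryption Kenn refers to: donor and joiner
# present certs that are verified against the same CA before data is transferred.
encrypt=4
ssl-ca=/etc/mysql/certs/ca.pem
ssl-cert=/etc/mysql/certs/server-cert.pem
ssl-key=/etc/mysql/certs/server-key.pem
```

The arbitrator takes the same three socket.ssl_* settings, either on the command line as `garbd -o "socket.ssl_key=/etc/garbd/garbd-key.pem;socket.ssl_cert=/etc/garbd/garbd-cert.pem;socket.ssl_ca=/etc/garbd/ca.pem"` or as `GALERA_OPTIONS="socket.ssl_key=...;socket.ssl_cert=...;socket.ssl_ca=..."` in /etc/default/garbd or /etc/sysconfig/garb, as Dave describes (garbd paths here are assumptions). Since, as Kenn says, possession of a cert that validates against the CA is what authorizes membership, the CA must be one you control and use only for this cluster: a certificate from a public or organization-wide CA would validate just as well, which would hand membership to any host holding such a cert.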