WIP: Add support for authentication via TLS certs to remote CIB operations #3738
+425
−77
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
The only actual code change here is moving setting the server/user/pass variables down until just before they're needed.
Move all the function calls out from inside if blocks where they're hiding, test for error afterwards, and jump to the done label if there was an error. This is just to make the flow of what's actually happening easier to follow.
Note that the gnutls docs mention that larger logging levels (like 10 that we are using here) can potentially reveal sensitive information. However, what we are doing here should be okay because it would require the administrator to enable pacemaker logging at the debugging level and if that's happening, they are probably trying to debug a problem that could be helped by the increased gnutls logging.
This function just checks whether all the environment variables needed to support x509 encryption are set or not. Typically, they'll be set in the sysconfig file.
No other changes for the moment - just allow taking this type and print it out in the error message.
This just handles everything that needs to be done during initial setup, before a remote connects and performs the handshake. Log error messages if they occur - there's plenty of opportunities for things to fail here. Ref T365
...from the client. Because we can only require an older version of gnutls, we have to manually set up a verification callback function. Once we can require a later version (see the patch), we can get rid of most of this code and have gnutls automatically verify the cert. Ref T365
We can only check a cert once the gnutls handshake has finished. However once that happens, the server and client can both grab their own certificate and see if it's within a month of expiration. If so, log that as a warning.
This does not explain how to set up your own CA, public/private key pairs, etc. That seems beyond the scope of pacemaker documentation.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
The issue to be solved is adding TLS certs to Pacemaker Remote operations. However, remote CIB operations are a more standalone area so it's easier to develop and test that out first. What I've tested out on this:
What remains to be done:
daemons/based/based_remote.cdoesn't appear to clean up any gnutls stuff on exitI've removed distinguished names from the todo list. Comparing DNs seems pretty fraught - they can include unicode characters, they could potentially be in different orders, parts can be missing, etc. Most people suggest not comparing them as strings, and I can't find any references to a library that'll do it for us. gnutls doesn't seem to have any function for that, at least not a public one. I guess I'd just suggest handing out one cert to each client and if something comes up, revoke that cert.