
[Meta] Security Plugin Bootstrapping Improvements #1630

Closed
peternied opened this issue Feb 18, 2022 · 7 comments
Comments

peternied commented Feb 18, 2022

Background

When installing the security plugin, there are features that need to be turned on in concert to work together. Many options require thoughtful values that need to be carefully copied, while others are carefully modified. Hardcoded demo certificates have been used, and while that resolves the copying of configurations, it creates an illusion of security. There should be an established security baseline.

Problem

How should an OpenSearch instance with security start up in a way that is secure when:

  • There might be multiple nodes
  • There might be no access to external networks
  • There is limited time to configure the system

Related issues

Round up additional issues

@peternied peternied added the enhancement New feature or request label Feb 18, 2022
@peternied peternied self-assigned this Feb 18, 2022
@peternied peternied added feature-proposal and removed enhancement New feature or request labels Feb 18, 2022
@peternied

[Proposal] Automatically sign / share certs with a trust-on-first-use mode

After start-up, autogenerated self-signed certificates are used for communication. Once the ClusterManager is selected, a certificate changeout process occurs where the ClusterManager creates its own CA cert and rotates its existing self-signed cert with a fresh cert signed by the CA cert. Then the nodes begin the rotation process, where they provide the ClusterManager with a new cert that it signs, and they replace their cert.

This would require new APIs for certificate handoff related activities, but would also work in standard certificate rotations. There also needs to be a way to make sure not just any node can insert itself into the signing related processes.
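The rotation flow above, as an added example that is not code from this issue or from the OpenSearch project, written in Go with only the standard library (Go 1.21+ for `slices`): nodes boot on throwaway self-signed certs, the elected cluster manager mints a CA and pins the bootstrap certs it saw at election time (trust on first use), and it signs a node's CSR only when a pinned bootstrap cert carrying the same public key vouches for it, which is one way to keep "not just any node" out of the signing path. The names `Bootstrap` and `NewClusterManager` are assumptions, and serial numbers and validity periods are demo values.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"slices"
	"time"
)

// issue signs tmpl with signer under parent (self-signed when parent == tmpl); demo serial/validity.
func issue(tmpl, parent *x509.Certificate, pub any, signer ed25519.PrivateKey) *x509.Certificate {
	tmpl.SerialNumber, tmpl.NotBefore, tmpl.NotAfter = big.NewInt(time.Now().UnixNano()), time.Now(), time.Now().Add(24*time.Hour)
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	c, _ := x509.ParseCertificate(der)
	return c
}

// Bootstrap: every node starts with a fresh key and a throwaway self-signed cert so transport can come up.
func Bootstrap(name string) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	t := &x509.Certificate{Subject: pkix.Name{CommonName: name}, KeyUsage: x509.KeyUsageDigitalSignature}
	return issue(t, t, pub, key), key
}

// NewClusterManager mints the cluster CA once elected and pins (TOFU) the bootstrap certs of the
// nodes present at that moment. It returns the CA cert plus a Rotate function that signs a CSR
// only when a pinned bootstrap cert carrying the same public key vouches for it.
func NewClusterManager(peers ...*x509.Certificate) (*x509.Certificate, func([]byte, *x509.Certificate) (*x509.Certificate, error)) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	t := &x509.Certificate{Subject: pkix.Name{CommonName: "cluster-ca"}, IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	ca := issue(t, t, pub, key)
	return ca, func(csrDER []byte, boot *x509.Certificate) (*x509.Certificate, error) {
		csr, err := x509.ParseCertificateRequest(csrDER)
		if err != nil || csr.CheckSignature() != nil {
			return nil, errors.New("invalid CSR")
		}
		if !slices.ContainsFunc(peers, boot.Equal) || !bytes.Equal(boot.RawSubjectPublicKeyInfo, csr.RawSubjectPublicKeyInfo) {
			return nil, errors.New("node not pinned at first use; refusing to sign")
		}
		return issue(&x509.Certificate{Subject: csr.Subject, KeyUsage: x509.KeyUsageDigitalSignature}, ca, csr.PublicKey, key), nil
	}
}
```

A node builds its CSR with `x509.CreateCertificateRequest` over the same key it booted with; a node that joined after election, or one presenting someone else's pinned cert, is refused.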

@peternied

[Proposal] Support certificate authorities such as ACM Private CA or Let's Encrypt

In the configuration, add a way to identify the certificate management system, then add smaller for interaction with the various certificate authorities. A limitation of this process is that it requires all the nodes to be able to communicate with the external service, which impacts potential adoption.

@peternied

peternied commented Feb 18, 2022

[Proposal] OpenSearch Clients handshake with OpenSearch for trusted communication channel

With an additional API that clients could attempt on first connect, establishing the trusted connection without resorting to system-level CA cert installations.

@peternied

@setiah What do you think about some of these proposals?

@peternied

@setiah could you incorporate some of these ideas into the admin experience?

setiah commented May 4, 2022

[Proposal] Automatically sign / share certs with a trust-on-first-use mode

After start-up, autogenerated self-signed certificates are used for communication. Once the ClusterManager is selected, a certificate changeout process occurs where the ClusterManager creates its own CA cert and rotates its existing self-signed cert with a fresh cert signed by the CA cert. Then the nodes begin the rotation process, where they provide the ClusterManager with a new cert that it signs, and they replace their cert.

This would require new APIs for certificate handoff related activities, but would also work in standard certificate rotations. There also needs to be a way to make sure not just any node can insert itself into the signing related processes.

I am not sure if I understood the proposal fully, but I am aligned with the overall idea of removing demo certs and replacing them with auto-generated self-signed certificates out of the box. There are technical challenges we might need to think through, such as how this works for a multi-node cluster.

Could you please elaborate more on the approach and define ClusterManager and what it does?

@peternied

We proposed to use "ClusterManager" as the replacement to the node role "master", after hearing opinions from PR #564.

From opensearch-project/OpenSearch#472 (comment)

This cluster startup process came from Trust on First Use (TOFU) that is also compliable for clusters that are inside a secured network.

Note: closing this issue

I realize that I did not include any context when I closed this issue; while it is desirable to make improvements in this space, we are not actively working on these improvements or proposals. We can certainly revive them in future efforts.
