Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

preflight check for password_secret #21491

Open
wants to merge 10 commits into
base: master
Choose a base branch
from
Open

preflight check for password_secret #21491

wants to merge 10 commits into from

Conversation

todvora
Copy link
Contributor

@todvora todvora commented Jan 30, 2025
edited
Loading

Description

This PR adds a preflight check for both server and data node. Each side verifies if the cluster_config collection contains a predefined and encrypted value. If not, then it will be created. If yes, then the check will try to read and decrypt it. The value is known and easy to verify. So if the decrypting fails, we know that this node uses a different password than the one that originally encrypted the value. That leads to a controlled stop of the startup and proper error message. Rather fail early and explicitly than wait till a problem occurs later, during normal operation. Failing early means fixing the problem early, before it can cause big troubles.

Motivation and Context

Fixes #21504

How Has This Been Tested?

Manually and with a unit test

Types of changes

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Refactoring (non-breaking change)
  • Breaking change (fix or feature that would cause existing functionality to change)

Checklist:

  • My code follows the code style of this project.
  • My change requires a change to the documentation.
  • I have updated the documentation accordingly.
  • I have read the CONTRIBUTING document.
  • I have added tests to cover my changes.

@todvora todvora marked this pull request as ready for review January 31, 2025 08:41
@todvora todvora requested review from bernd and moesterheld January 31, 2025 08:41
@bernd bernd requested review from a team and removed request for bernd February 3, 2025 09:24
moesterheld
moesterheld requested changes Feb 10, 2025
View reviewed changes
data-node/src/main/java/org/graylog/datanode/bindings/PreflightChecksBindings.java Outdated Show resolved Hide resolved
data-node/src/main/java/org/graylog/datanode/bindings/PreflightChecksBindings.java Outdated Show resolved Hide resolved
...log2-server/src/main/java/org/graylog2/bootstrap/preflight/PasswordSecretPreflightCheck.java
final EncryptedValue encryptedSecret = preflightEncryptedSecret.encryptedSecret();

try {
final String decrypted = encryptionService.decrypt(encryptedSecret);
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

unfortunately, our implementation in AESTools doesn't guarantee that the secret is identical as it modifies the key. You can reproduce that by removing a single letter from the end of a long password secret. This will still lead to problems with the keystore password.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I don't think this is a problem related to this PR. For the mongodb entries encryption, this will detect any problem. Keystore reading will be a local problem that we can (and should) capture by proper error handling.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I am not sure. I would expect the check to make sure that password_secrets are identical on all nodes, no matter if they are used for encryption or anything else. This is also what the class' javadoc implies.
With the given check, there is still a margin for error which is difficult to track down. Something that we wanted to avoid with this check.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

How could we fix that?

Copy link
Contributor

@moesterheld moesterheld Feb 10, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Haven't thought it through completely yet, but what if we don't encrypt a constant value but the secret itself? Then, even if you can decrypt it with a shorter secret, you could still make sure that they are identical

...log2-server/src/main/java/org/graylog2/bootstrap/preflight/PasswordSecretPreflightCheck.java Outdated Show resolved Hide resolved
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@moesterheld moesterheld moesterheld requested changes

Requested changes must be addressed to merge this pull request.

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Preflight check for password_secret
2 participants
@todvora @moesterheld