From 35beb9c6f09a0307b4f4d7376631546174e95502 Mon Sep 17 00:00:00 2001 From: djshow832 <873581766@qq.com> Date: Mon, 4 Mar 2024 18:54:02 +0800 Subject: [PATCH 1/3] add design --- ...-03-04-certificate-based-authentication.md | 85 +++++++++++++++++++ 1 file changed, 85 insertions(+) create mode 100644 docs/design/2024-03-04-certificate-based-authentication.md diff --git a/docs/design/2024-03-04-certificate-based-authentication.md b/docs/design/2024-03-04-certificate-based-authentication.md new file mode 100644 index 00000000..4b55bfa8 --- /dev/null +++ b/docs/design/2024-03-04-certificate-based-authentication.md 
@@ -0,0 +1,85 @@ +# Proposal: Certificate-Based Authentication + +- Author(s): [djshow832](https://github.com/djshow832) +- Tracking Issue: https://github.com/pingcap/tiproxy/issues/464 + +## Abstract + +This proposes a design of supporting certificate-based authentication on TiProxy. + +## Background + +TiDB supports certificate-based authentication. It validates the certificate requirements that are claimed by `require subject`、`require issuer`、`require san`, and `require cipher` clauses. + +TiProxy supports both client-side and server-side TLS but it doesn't support cert-based authentication. Users connect to TiProxy with one certificate, but TiProxy connects to TiDB with another certificate. TiDB validates the certificate from TiProxy but not the one from the user, so the user fails to login. + +## Goals + +Support all of `require subject`、`require issuer`、`require san`, and `require cipher` options. + +## Proposal + +### Basic Steps + +1. A signing certificate is placed on TiProxy once TiProxy is deployed. The signing certificate is the same as the one specified by `session-token-signing-cert` on TiDB. +2. When a client connects to TiProxy, TiProxy reads the subject, issuer, SAN, and cipher of the client certificate and generates a signature by the signing certificate. +3. TiProxy connects to TiDB and passes the subject, issuer, SAN, and cipher of the client certificate, together with the signature, in the connection attribute field of the handshake packet. +4. TiDB reads the data from the connection attribute. It validates the TLS information by checking the signature with the signing certificate `session-token-signing-cert`. +5. TiDB then checks the subject, issuer, SAN, and cipher against the requirement in the system table `mysql.user`. + +This is similar to JWT. TiProxy doesn't need to validate the certificate by itself. Instead, it uses the signing certificate to make TiDB trust itself and then passes the client certificate information to TiDB. 
+ +### Signing Certificate + +The signing certificate should be exactly the same as that of TiDB. Thus, you can treat the certificate as the passport among the instances. We can do more things based on the signing certificate. The address of the certificate is defined by the same configuration as TiDB: `session-token-signing-cert` and `session-token-signing-key`. + +The certificate may be renewed anytime, so TiProxy periodically reloads the certificates to avoid expiration. At the same time, TiDB should retain the old certificate for a while just in case a user logs in during the certificate renewal. + +1. TiProxy reloads the signing certificate every 10 minutes and always generates the signature by the latest signing certificate. +2. TiDB also reloads the signing certificate every 10 minutes, but it retains the old one in memory for 15 minutes. +3. When a user logs in, TiDB validates the signature by the latest signing certificate first. +4. If it fails, TiDB then validates the signature by the old certificate, if the old one has expired in less than 15 minutes. + +The certificate is generated manually or automatically, according to the deployment method. + +- Since TiUP generates the signing certificate automatically on TiDB, it also generates it automatically on TiProxy. +- TiDB-Operator doesn't generate the signing certificate automatically and requires users to generate it. +- For manual deployment, users should generate the signing certificate manually. + +### Token + +Firstly, TiProxy generates a JSON-format payload, such as `{"subject": "...", "issuer": "...", "SAN": "...", "cipher": "..."}` and then generates the signature from the payload. + +The key-values in the connection attribute field are as follows: + +``` +tiproxy-cert-info: {"subject": "...", "issuer": "...", "SAN": "...", "cipher": "..."} +tiproxy-cert-signature: ... +``` + +The keys are prefixed by `tiproxy-` to avoid overwriting client key-values. 
+ +TiDB removes these key-values after handshake so that users won't see them in system tables. + +### Compatibility + +Since it requires the code change from TiDB, it only supports TiDB v8.1 and later versions. Also, TiUP automatically generates the signing certificates on TiProxy in later versions. + +## Alternative Proposals + +### TiProxy-side Validation + +An alternative is to validate the client certificate on the TiProxy side. The client certificate requirement is stored on the TiDB side. We have some ways to obtain them. + +- Configure the requirements on TiProxy: We can configure the same certificate requirements on TiProxy. This requires automatic or manual operations every time a user is created, altered, or dropped to keep the certificate requirements the same as that of TiDB. +- Fetch Requirements from TiDB: TiProxy fetches the certificate requirements from TiDB, in either a pull or push way. The prerequisite is that TiDB needs to authenticate TiProxy, so TiDB needs to define a system user for TiProxy and TiProxy should store the password for the system user. + +Both ways make TiProxy more heavy-weighted compared with using connection attributes. + +### Upload Certificate to TiProxy + +Every time a new kind of certificate requirement is created, a certificate with the same information should be created and placed on TiProxy. For example, when the administrator creates a user `u1` with clause `REQUIRE CIPHER "EDH-RSA-DES-CBC3-SHA"`, he should also create a certificate with cipher `EDH-RSA-DES-CBC3-SHA` and place it on TiProxy. + +When `u1` connects to TiProxy, TiProxy reads the cipher `EDH-RSA-DES-CBC3-SHA` from the client certificate information and then chooses the local certificate with the same cipher to connect to TiDB. Thus, TiDB won't deny the connection. + +The problem is the complexity of creating and uploading certificates, which is not easy to use. From 24081c23abca400929e2700a08b6ffd65acf74c4 Mon Sep 17 00:00:00 2001 
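Review bot: the signed payload in the Token section (`{"subject": "...", "issuer": "...", "SAN": "...", "cipher": "..."}` plus `tiproxy-cert-signature`) is not bound to anything connection-specific, so a captured attribute pair remains valid for any later login by anyone who can reach TiDB directly, and the cert check no longer proves possession of the client key. Include the username and an issue timestamp (or short expiry) in the signed payload, have TiDB reject stale or mismatched payloads, and state that TiProxy strips any `tiproxy-*` attributes supplied by the client before adding its own, so that the `tiproxy-` prefix does more than avoid key collisions. The rotation schedule also has a gap in the other direction: TiProxy may sign with a renewed certificate up to 10 minutes before TiDB has reloaded it, and steps 3 and 4 only fall back to the old certificate; either have TiDB do a fresh reload and retry on verification failure, or have TiProxy keep signing with the previous certificate for a grace period after renewal.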
From: djshow832 <873581766@qq.com> Date: Tue, 5 Mar 2024 11:47:16 +0800 Subject: [PATCH 2/3] add show status --- ...24-03-04-certificate-based-authentication.md | 9 +++++++-- docs/imgs/cert-tls.png | Bin 0 -> 13109 bytes 2 files changed, 7 insertions(+), 2 deletions(-) create mode 100644 docs/imgs/cert-tls.png diff --git a/docs/design/2024-03-04-certificate-based-authentication.md b/docs/design/2024-03-04-certificate-based-authentication.md index 4b55bfa8..63e3b6b9 100644 --- a/docs/design/2024-03-04-certificate-based-authentication.md +++ b/docs/design/2024-03-04-certificate-based-authentication.md @@ -13,9 +13,14 @@ TiDB supports certificate-based authentication. It validates the certificate req TiProxy supports both client-side and server-side TLS but it doesn't support cert-based authentication. Users connect to TiProxy with one certificate, but TiProxy connects to TiDB with another certificate. TiDB validates the certificate from TiProxy but not the one from the user, so the user fails to login. +Besides, statements `SHOW STATUS` and `STATUS` currently show different results. `SHOW STATUS` shows the TLS information between TiProxy and TiDB, while `STATUS` shows the TLS information between the client and TiProxy. + +TLS certificates are different + ## Goals -Support all of `require subject`、`require issuer`、`require san`, and `require cipher` options. +- Support all of `require subject`、`require issuer`、`require san`, and `require cipher` options. +- The TLS information of `SHOW STATUS` and `STATUS` are consistent. ## Proposal 
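Review bot: the added line `TLS certificates are different` is an orphaned fragment, and the `docs/imgs/cert-tls.png` created in this patch is never referenced from the document; either embed the image under that line (e.g. `![TLS certificates](../imgs/cert-tls.png)`) with a full-sentence caption, or drop both. The new goal also needs `is consistent` rather than `are consistent`, since its subject is `The TLS information`.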
@@ -25,7 +30,7 @@ Support all of `require subject`、`require issuer`、`require san`, and `requir 2. When a client connects to TiProxy, TiProxy reads the subject, issuer, SAN, and cipher of the client certificate and generates a signature by the signing certificate. 3. TiProxy connects to TiDB and passes the subject, issuer, SAN, and cipher of the client certificate, together with the signature, in the connection attribute field of the handshake packet. 4. TiDB reads the data from the connection attribute. It validates the TLS information by checking the signature with the signing certificate `session-token-signing-cert`. -5. TiDB then checks the subject, issuer, SAN, and cipher against the requirement in the system table `mysql.user`. +5. TiDB replaces the TiProxy TLS information with the information in the connection attribute. It uses new TLS information to validate certificate requirements and output to `SHOW STATUS`. This is similar to JWT. TiProxy doesn't need to validate the certificate by itself. Instead, it uses the signing certificate to make TiDB trust itself and then passes the client certificate information to TiDB. 
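Review bot: the new step 5 says TiDB replaces its own TLS information with the values from the connection attribute, but does not say what happens when the signature check in step 4 fails or when the attribute is absent; state explicitly that the replacement happens only after successful verification, and whether a failed verification rejects the login or keeps the TiProxy-side TLS information and treats the session as having no client certificate. Otherwise an unverified attribute could make a plaintext or unauthenticated connection show up as TLS in `SHOW STATUS`. It would also help to list which consumers besides `SHOW STATUS` and the `REQUIRE` checks read this connection state, since all of them change behaviour with this step.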
diff --git a/docs/imgs/cert-tls.png b/docs/imgs/cert-tls.png new file mode 100644 index 0000000000000000000000000000000000000000..515d1dcc40dea1831f66b28da0fd6e3a9ff5c372 GIT binary patch literal 13109
Date: Wed, 6 Mar 2024 14:41:30 +0800 Subject: [PATCH 3/3] add common name --- ...-03-04-certificate-based-authentication.md | 20 +++++++++++++------ 1 file changed, 14 insertions(+), 6 deletions(-) diff --git a/docs/design/2024-03-04-certificate-based-authentication.md b/docs/design/2024-03-04-certificate-based-authentication.md index 63e3b6b9..dc836c19 100644 --- a/docs/design/2024-03-04-certificate-based-authentication.md +++ b/docs/design/2024-03-04-certificate-based-authentication.md
@@ -11,9 +11,9 @@ This proposes a design of supporting certificate-based authentication on TiProxy TiDB supports certificate-based authentication. It validates the certificate requirements that are claimed by `require subject`、`require issuer`、`require san`, and `require cipher` clauses. -TiProxy supports both client-side and server-side TLS but it doesn't support cert-based authentication. Users connect to TiProxy with one certificate, but TiProxy connects to TiDB with another certificate. TiDB validates the certificate from TiProxy but not the one from the user, so the user fails to login. +TiProxy supports both client-side and server-side TLS but it doesn't support cert-based authentication. Users connect to TiProxy with one certificate, but TiProxy connects to TiDB with another certificate. TiDB validates the certificate from TiProxy but not the one from the user, so the user fails to log in. -Besides, statements `SHOW STATUS` and `STATUS` currently show different results. `SHOW STATUS` shows the TLS information between TiProxy and TiDB, while `STATUS` shows the TLS information between the client and TiProxy. +Besides, statements `SHOW STATUS` and `STATUS` currently show different results. `SHOW STATUS` shows the TLS information between TiProxy and TiDB, while `STATUS` shows the TLS information between the client and TiProxy. There even exists a case when one TLS is enabled while the other is disabled. TLS certificates are different 
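Review bot: the new sentence notes that one of the two TLS hops may be enabled while the other is disabled, but the Proposal section does not say how each case is handled. Spell out that when the client-to-TiProxy hop is plaintext TiProxy sends no `tiproxy-cert-info`, so users with `REQUIRE` clauses are refused exactly as on a direct plaintext connection, and that when the TiProxy-to-TiDB hop is plaintext the signed attribute travels in the clear, which is fine for subject and issuer but strengthens the case for an expiry in the signed payload. The `log in` correction is good.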
@@ -72,12 +72,12 @@ Since it requires the code change from TiDB, it only supports TiDB v8.1 and late ## Alternative Proposals -### TiProxy-side Validation +### Validate Certificate in TiProxy An alternative is to validate the client certificate on the TiProxy side. The client certificate requirement is stored on the TiDB side. We have some ways to obtain them. -- Configure the requirements on TiProxy: We can configure the same certificate requirements on TiProxy. This requires automatic or manual operations every time a user is created, altered, or dropped to keep the certificate requirements the same as that of TiDB. -- Fetch Requirements from TiDB: TiProxy fetches the certificate requirements from TiDB, in either a pull or push way. The prerequisite is that TiDB needs to authenticate TiProxy, so TiDB needs to define a system user for TiProxy and TiProxy should store the password for the system user. +- Configure requirements on TiProxy: We can configure the same certificate requirements on TiProxy. This requires automatic or manual operations every time a user is created, altered, or dropped to keep the certificate requirements the same as those of TiDB. +- Fetch requirements from TiDB: TiProxy fetches the certificate requirements from TiDB periodically, either from the SQL port or the HTTP port. The prerequisite is that TiDB needs to authenticate TiProxy. Caching usernames and requirements is less safe. Besides, the cached requirements have a time lag. Both ways make TiProxy more heavy-weighted compared with using connection attributes. 
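Review bot: the rewritten `Fetch requirements from TiDB` bullet drops the explanation of how TiDB would authenticate TiProxy (the previous text named a system user and a stored password) and replaces it with `Caching usernames and requirements is less safe` without saying why. Say which credential TiProxy would present on the SQL or HTTP port and what a cached copy of the `mysql.user` requirements exposes if a TiProxy instance is compromised, since that cost is the main argument against this alternative. `the same as those of TiDB` is the right fix.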
@@ -87,4 +87,12 @@ Every time a new kind of certificate requirement is created, a certificate with When `u1` connects to TiProxy, TiProxy reads the cipher `EDH-RSA-DES-CBC3-SHA` from the client certificate information and then chooses the local certificate with the same cipher to connect to TiDB. Thus, TiDB won't deny the connection. -The problem is the complexity of creating and uploading certificates, which is not easy to use. +The problem is the complexity of creating and uploading certificates, which is not easy to maintain. + +### Authenticate TiProxy Based on CN + +Instead of validating the signature, TiDB can also validate the CN(Common Name) of the TiProxy certificate to ensure it's trustworthy. This is similar to the cluster TLS validation in TiDB. TiDB configures an allowed CN list in `security.cluster-verify-cn` and rejects other CN. + +However, this requires that the TLS between TiProxy and TiDB must be enabled, which may be not true when TiProxy and TiDB are in the same VPC. + +The advantage is that it will be easier for certificate renewal. Certificates don't need to be renewed at the same time for all instances.
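Review bot: the CN-based check is presented only as an alternative, but it also complements the signature design: when the TiProxy-to-TiDB hop uses cluster TLS, TiDB can additionally accept `tiproxy-cert-info` only from a peer whose CN is in `security.cluster-verify-cn`, which limits who can present signed attributes at all; that is worth a sentence in the main proposal. Minor wording: `CN(Common Name)` needs a space before the parenthesis, `rejects other CN` should be `rejects other CNs`, `may be not true` should be `may not be true`, and `it will be easier for certificate renewal` reads better as `it makes certificate renewal easier`.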