Not the answer you need?
Register and ask your own question!

Cluster security

DreeDree ContributorInactive User Role Beginner
I just set up my new 2-node cluster + 1 Galera Arbitrator and found out that anyone can join the cluster, without knowing the 'wsrep_sst_auth' credentials.
To test this I set up a 4th node which is not in any of the other nodes' 'wsrep_cluster_address', but it does know the correct 'wsrep_cluster_name'.

Is this a feature I can only block by firewall, or did I forget to configure security?

Comments

  • przemekprzemek Percona Support Engineer Percona Staff Role
    The wsrep_sst_auth is actually used on the donor's side, locally, by the SST script, not from the joiner.
    Firewall is always a good practice, and running PXC inter-communication limited to a private IP network another one.
    In addition, you may use SSL for Galera traffic, as demonstrated here:
    https://www.percona.com/blog/2013/05/03/percona-xtradb-cluster-for-mysql-and-encrypted-galera-replication/
    see also the documentation:
    https://www.percona.com/doc/percona-xtradb-cluster/LATEST/howtos/encrypt-traffic.html
  • DreeDree Contributor Inactive User Role Beginner
    Thanks for your reply!
    So there's no real security built-in, everyone can join the cluster as long as the network allows it?
  • przemekprzemek Percona Support Engineer Percona Staff Role
    By default it's not enabled indeed, but don't you consider the wsrep_provider socket.ssl_* options as built-in security options?
  • DreeDree Contributor Inactive User Role Beginner
    SSL is fine ofcourse, but it does not manage who is allowed to connect to the cluster and sync all data.
    Right now, without a firewall, any host can connect to my cluster and it will sync all our data to that server.
  • DreeDree Contributor Inactive User Role Beginner
    Dree wrote: »
    SSL is fine ofcourse, but it does not manage who is allowed to connect to the cluster and sync all data.
    Right now, without a firewall, any host can connect to my cluster and it will sync all our data to that server.

    Can you confirm that this is the case?
  • Kenn TakaraKenn Takara Percona Percona Staff Role
    Without a firewall and no SSL, anyone who knows the correct port can join the cluster (and receive the SST).

    With SSL (in Galera and for encrypt=2 or encrypt=4 in the SST), PXC will perform certificate validation against the CA file. Thus only those certificates generated from the specified CA file will be allowed to connect (authorization).

    Galera, in general, views the cluster as a single entity (thus expects all nodes to hold the same SSL CA/certs/keys). So the possession of those CA/certs/keys authorizes the node as a member of the cluster (and thus allows them access to the SST).
  • DreeDree Contributor Inactive User Role Beginner
    Thanks Kenn!
Sign In or Register to comment.

MySQL, InnoDB, MariaDB and MongoDB are trademarks of their respective owners.
Copyright ©2005 - 2020 Percona LLC. All rights reserved.