Riak Security Docs review #183

Open
Bob-The-Marauder opened this issue Mar 3, 2023 · 0 comments


  • https://www.tiot.jp/riak-docs/riak/kv/3.0.11/using/security/basics/#certificate-configuration only has text for app.config even though riak.conf also has a different format.
  • Despite riak.conf having default values, cuttlefish does not set them up unless you actually specify them.
  • In KV 3.0.15, riak-admin no longer exists, only riak admin.
  • Although seemingly obvious, security groups need to be added before you put a user in a group, i.e., if you try to assign a user to a non-existent group, it fails silently rather than creating a group with no permissions and adding your user to it.
  • However, if you add a group to a non-existent group for cascading permissions, you actually get an error message saying the non-existent group you tried to add it to does not exist.
  • Unexpected error:
Configured ciphers

:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:DHE-DSS-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ADH-AES256-GCM-SHA384:ADH-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:SRP-DSS-AES-128-CBC-SHA:SRP-RSA-AES-128-CBC-SHA:DHE-DSS-AES128-SHA:AECDH-AES128-SHA:SRP-AES-128-CBC-SHA:ADH-AES128-SHA256:ADH-AES128-SHA:AES128-SHA256:AES128-SHA:SRP-DSS-AES-256-CBC-SHA:SRP-RSA-AES-256-CBC-SHA:DHE-DSS-AES256-SHA256:AECDH-AES256-SHA:SRP-AES-256-CBC-SHA:ADH-AES256-SHA256:ADH-AES256-SHA:AES256-SHA256:AES256-SHA:RC4-SHA:DHE-RSA-CAMELLIA256-SHA:DHE-DSS-CAMELLIA256-SHA:ADH-CAMELLIA256-SHA:CAMELLIA256-SHA:DHE-RSA-CAMELLIA128-SHA:DHE-DSS-CAMELLIA128-SHA:ADH-CAMELLIA128-SHA:CAMELLIA128-SHA

RPC to '[email protected]' failed: {'EXIT',
                                 {function_clause,
                                  [{ssl_cipher_format,suite_bin_to_map,
                                    [#{cipher => aes_128_gcm,
                                       key_exchange => dhe_rsa,mac => aead,
                                       prf => sha256}],
                                    [{file,"ssl_cipher_format.erl"},
                                     {line,198}]},
                                   {riak_core_ssl_util,openssl_suite_name,1,
                                    [{file,
                                      "/root/riak/rel/pkg/out/BUILD/riak-3.0.15-OTP22.3/_build/default/lib/riak_core/src/riak_core_ssl_util.erl"},
                                     {line,56}]},
                                   {riak_core_ssl_util,
                                    '-print_ciphers/1-lc$^0/1-0-',1,
                                    [{file,
                                      "/root/riak/rel/pkg/out/BUILD/riak-3.0.15-OTP22.3/_build/default/lib/riak_core/src/riak_core_ssl_util.erl"},
                                     {line,356}]},
                                   {riak_core_ssl_util,print_ciphers,1,
                                    [{file,
                                      "/root/riak/rel/pkg/out/BUILD/riak-3.0.15-OTP22.3/_build/default/lib/riak_core/src/riak_core_ssl_util.erl"},
                                     {line,356}]},
                                   {riak_core_security,print_ciphers,0,
                                    [{file,
                                      "/root/riak/rel/pkg/out/BUILD/riak-3.0.15-OTP22.3/_build/default/lib/riak_core/src/riak_core_security.erl"},
                                     {line,789}]},
                                   {rpc,'-handle_call_call/6-fun-0-',5,
                                    [{file,"rpc.erl"},{line,197}]}]}}
  • Riak security seems to work fine though:
<html><head><title>401 Unauthorized</title></head><body><h1>Unauthorized</h1>Unauthorized<p><hr><address>mochiweb+webmachine web server</address></body></html>[root@localhost ~]#
[root@localhost ~]# curl -u riakuser https://127.0.0.1:8098/types/default/buckets/test/keys/data/
Enter host password for user 'riakuser':
hello
[root@localhost ~]# curl -XDELETE -u riakuser https://127.0.0.1:8098/types/default/buckets/test/keys/data/
Enter host password for user 'riakuser':
Permission denied: User 'riakuser' does not have 'riak_kv.delete' on default/test
  • Although the docs tell you that you can specify sources with https://www.tiot.jp/riak-docs/riak/kv/3.0.11/using/security/basics/#managing-sources, it doesn't tell you that it's required to function. In my case I used riak admin security add-source all 127.0.0.1/32 trust and everything worked fine after that. Previously, it would not give me access with or without a valid user.
  • Although a curl example on how to call Riak with security enabled is given in https://www.tiot.jp/riak-docs/riak/kv/3.0.11/using/security/managing-sources/, which is a linked document, there is no example of this in the main document. Examples would be useful here. There are no Protocol Buffers/Riak client examples at all on how to use this.
  • For reference, I was using Riak KV 3.0.15 on CentOS 8 for this test with a Bitcask backend.
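The source-lookup behaviour the report above describes (no matching source means the login fails even with a valid user, and `add-source all 127.0.0.1/32 trust` opens local access), as an added example that is not part of the issue or of Riak's own code. Assumptions: the match order (most specific CIDR first, then a per-user entry over an `all` entry) and the `Source`/`authenticate` names are mine, not Riak's; check them against the version you run.

```python
"""Model of how Riak KV security sources gate a client connection.

Added example, not Riak code. A source is (user-or-all, CIDR, method),
the three arguments of `riak admin security add-source`.
"""
from __future__ import annotations
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Source:
    user: str               # a username, or "all"
    cidr: ipaddress.IPv4Network | ipaddress.IPv6Network
    method: str             # "trust", "password", "certificate", "pam"


def add_source(sources: list, user: str, cidr: str, method: str) -> list:
    """Append a source, mirroring `riak admin security add-source USER CIDR METHOD`."""
    sources.append(Source(user, ipaddress.ip_network(cidr, strict=False), method))
    return sources


def select_source(sources: list, user: str, client_ip: str):
    """Pick the source that applies to (user, client_ip), or None."""
    ip = ipaddress.ip_address(client_ip)
    candidates = [s for s in sources if s.user in ("all", user) and ip in s.cidr]
    if not candidates:
        return None
    # Assumed tie-break: longest prefix wins; per-user beats "all" on equal prefix.
    return max(candidates, key=lambda s: (s.cidr.prefixlen, s.user != "all"))


def authenticate(sources: list, user: str, client_ip: str, password_ok: bool):
    """Return (accepted, reason). With no matching source the login is refused
    regardless of credentials, which is what the issue reports seeing."""
    src = select_source(sources, user, client_ip)
    if src is None:
        return False, "no source configured for %s from %s" % (user, client_ip)
    if src.method == "trust":
        return True, "trust"
    if src.method == "password":
        return (True, "password") if password_ok else (False, "bad password")
    return False, "method %s not modelled here" % src.method


if __name__ == "__main__":
    srcs = add_source([], "all", "127.0.0.1/32", "trust")   # the issue's fix
    print(authenticate([], "riakuser", "127.0.0.1", True))  # refused: no source
    print(authenticate(srcs, "riakuser", "127.0.0.1", False))  # accepted: trust
```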