[ https://issues.apache.org/jira/browse/MESOS-9774?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16876306#comment-16876306 ]
Benno Evers commented on MESOS-9774:
------------------------------------
Design Doc:
https://docs.google.com/document/d/1O3q7UOXVGNw81xOkRNFPzrtbC__D-N_D_mwV6D--y0k/edit
> Design client side SSL certificate verification in Libprocess.
> --------------------------------------------------------------
>
> Key: MESOS-9774
> URL: https://issues.apache.org/jira/browse/MESOS-9774
> Project: Mesos
> Issue Type: Task
> Components: libprocess
> Reporter: Greg Mann
> Assignee: Alexander Rukletsov
> Priority: Major
> Labels: foundations, mesosphere, security, ssl
>
> Notes from an offline discussion with [~vinodkone], [~tillt], [~jgehrcke],
> [~CarlDellar].
> * Authentication can happen at the transport and/or at the application layer.
> There is no real benefit in doing it at both layers.
> * Authentication at the application layer allows for subsequent authorization.
> * We would like to have an option to mutually authenticate all components in
> a Mesos cluster, including external tooling, regardless of which layer, to
> secure communication channels.
> * Mutual authentication at the transport layer everywhere can be hard because
> some components can't or don't want to provide certificates, e.g., a Lua HTTP
> client reading the master's state.
> * Theoretically, some components, e.g., Mesos masters and agents, can form an
> ensemble inside which all connections are authenticated on both sides at the
> transport layer (TLS certificate verification). Practically, it may then be
> hard to implement communication with the components outside such an ensemble,
> e.g., frameworks, executors, since at least two types of connections/sockets
> should be distinguished: with and without client certificate verification
> (Libprocess can't do it now), or all the traffic between the ensemble and
> outside components should go via a proxy.
> * An alternative is to combine server side TLS certificate verification with
> the client side application layer authentication. For that to be secure, we
> need to implement client authentication for Mesos components, e.g., master
> with agent, replica with other replica (see MESOS-9638). Plus relax the
> certificate verification option in Libprocess for outgoing connections only.
> For non-streaming connections a secret connection identifier should be passed
> by the client to prove they are the entity that has been previously
> authenticated.
> * Whatever path we choose, truly secure communication channels will become
> possible when separate certificates for Mesos components are used, either signed by a
> different root CA or using a specific CN/SAN, which can't be obtained by
> everyone.
> What needs to be done:
> * Introduce or adjust the Libprocess flag for verifying certificates for
> outgoing connections only.
> * Verify how replicas in the master's replicated log discover other replicas
> and what harm a rogue replica can do if it tries to join the quorum. Estimate
> whether the master's replicated log can use its own copy of Libprocess.
> * Implement Mesos master authentication with Mesos agents, MESOS-9638.
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
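The two transport-layer policies the notes contrast (verify certificates on outgoing connections only, versus mutual verification inside an ensemble) and the closing point that a certificate must carry a reserved CN/SAN before a peer is treated as a Mesos component, as an added example in Python's standard `ssl` module. This is illustrative code written for this page, not Libprocess or Mesos code; the component names, the constructed peer certificates (in the dict shape `SSLSocket.getpeercert()` returns) and the commented-out CA/key paths are assumptions.

```python
import ssl
from typing import Any, Dict, Iterable, Mapping, Set


# --- Transport-layer policies -------------------------------------------------

def outgoing_only_client_context() -> ssl.SSLContext:
    """Policy for the 'verify certificates on outgoing connections only' option:
    the connecting side verifies the server's chain and hostname but presents
    no certificate of its own, so the server cannot authenticate it at the
    transport layer (that is left to the application layer)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    # ctx.load_verify_locations("/path/to/ca.pem")  # placeholder path, not loaded here
    return ctx


def server_context(require_client_cert: bool) -> ssl.SSLContext:
    """Accepting side. require_client_cert=True is the mutual-TLS ensemble case:
    every peer must present a certificate chaining to the trusted CA. False is
    the relaxed case that admits certificate-less clients (e.g. a plain HTTP
    client reading state); getpeercert() then returns an empty dict, so no
    transport-layer identity is available for authorization."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.verify_mode = ssl.CERT_REQUIRED if require_client_cert else ssl.CERT_NONE
    # ctx.load_cert_chain("/path/to/server.pem", "/path/to/server.key")  # placeholder
    return ctx


def verification_policy(ctx: ssl.SSLContext) -> Dict[str, bool]:
    """Summarise what a context will actually enforce, for tests and logging."""
    return {
        "verifies_peer_cert": ctx.verify_mode == ssl.CERT_REQUIRED,
        "checks_hostname": bool(ctx.check_hostname),
    }


# --- Component identity from CN/SAN ------------------------------------------

def peer_names(cert: Mapping[str, Any]) -> Set[str]:
    """Names a certificate claims, taken from a getpeercert()-style dict.
    Per RFC 6125, dNSName SANs take precedence; the subject CN is consulted
    only when the certificate carries no dNSName SAN at all."""
    sans = {v.lower() for k, v in cert.get("subjectAltName", ()) if k == "DNS"}
    if sans:
        return sans
    return {
        v.lower()
        for rdn in cert.get("subject", ())
        for k, v in rdn
        if k == "commonName"
    }


def is_trusted_component(cert: Mapping[str, Any], allowed_names: Iterable[str]) -> bool:
    """True iff the peer's certificate names one of the identities reserved for
    Mesos components. Chaining to the shared CA is deliberately not enough:
    that is the 'which can't be obtained by everyone' requirement."""
    allowed = {n.lower() for n in allowed_names}
    return bool(peer_names(cert) & allowed)


# Constructed sample peer certificates (assumed names, not real certificates).
AGENT_CERT = {
    "subject": ((("commonName", "agent-7.example.internal"),),),
    "subjectAltName": (("DNS", "agent-7.example.internal"), ("DNS", "mesos-agent")),
}
# Same CA, but the SAN does not carry a reserved name; the CN is ignored
# because a dNSName SAN is present.
TOOL_CERT = {
    "subject": ((("commonName", "mesos-master"),),),
    "subjectAltName": (("DNS", "dashboard.example.internal"),),
}
# No SAN at all, so the CN is consulted.
LEGACY_CERT = {
    "subject": ((("commonName", "mesos-master"),),),
}

COMPONENT_NAMES = ("mesos-master", "mesos-agent")  # assumed reserved identities


def demo() -> Dict[str, bool]:
    return {
        "agent_trusted": is_trusted_component(AGENT_CERT, COMPONENT_NAMES),
        "tool_trusted": is_trusted_component(TOOL_CERT, COMPONENT_NAMES),
        "legacy_trusted": is_trusted_component(LEGACY_CERT, COMPONENT_NAMES),
    }


if __name__ == "__main__":
    print(verification_policy(outgoing_only_client_context()))
    print(verification_policy(server_context(require_client_cert=True)))
    print(demo())
```

The identity check is what turns a verified chain into an authorization decision: a peer passing `is_trusted_component` can be granted the master/agent privileges, while everything else that merely verifies against the CA (external tooling, frameworks) falls back to application-layer authentication as the notes propose.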