Riak2.0セキュリティ機能の強化内容について調査しました
みんなでやるRiak Advent Calendar 2013 クリスマスイブのネタとして投稿します。
次期バージョンのRiak(Riak2.x)では、CRDT、Strong Consistency、Yokozuna Searchなど、様々な機能強化が予定されています。今回の投稿では、Riak2.0で拡張が予定されているセキュリティ機能についてまとめます。
情報源
- Add Security to Riak · Issue #355 · basho/riak · GitHub
- security機能 開発の様子
- Riak HTTP security session example · GitHub
- 具体的な使い方の例
出来ること
分かったこと
- まだ色々と実装が完了していない
- riak-admin security delete-source が無いなど
使い方の例
securityの設定方法は、riak-adminコマンドのsecond level command に "security"が増えたので、こちらを用いることで設定できます。
- ユーザ名'testuser'を追加し、全ユーザからの127.0.0.1/32 からのアクセスを許可する
$ dev/dev1/bin/riak-admin security add-user testuser $ dev/dev1/bin/riak-admin security add-source all 127.0.0.1/32 trust
- ユーザ名'sean'を追加し、パスワード'justopenasocket'でのアクセスを許可する
$ dev/dev1/bin/riak-admin security add-user sean password=justopenasocket $ dev/dev1/bin/riak-admin security add-source sean 0.0.0.0/0 password
- PAM認証を許可する
$ dev/dev1/bin/riak-admin security add-source all 192.168.1.0/24 trust $ dev/dev1/bin/riak-admin security add-source all 0.0.0.0/0 pam service=riak
- Usage of security second level command
sogabe@sherco:~/src-github/riak$ dev/dev1/bin/riak-admin security
Usage: riak-admin security <command>
The following commands modify users and security ACLs for Riak:
add-user <username> [options]
add-source all|<users> <CIDR> <source> [options]
grant <permissions> ON ANY|<type> [bucket] TO <users>
revoke <permissions> ON ANY|<type> [bucket] FROM <users>
print-users
print-sources
print-user <user>
- ユーザ'testuser'に バケット名'mybucket'に対して get のアクセス権を与える
$ dev/dev1/bin/riak-admin security grant riak_kv.get ON mybucket TO testuser
- ユーザ'sean'にバケット名'mybucket'に対して get,put のアクセス権を与える
$ dev/dev1/bin/riak-admin security grant riak_kv.get,riak_kv.put ON mybucket TO sean
$ dev/dev1/bin/riak-admin security grant riak_kv.put ON myapp_* to testuser (現時点では未だ動作せず)
- security 設定情報の一覧を表示する(print)
sogabe@sherco:~/src-github/riak$ dev/dev1/bin/riak-admin security print-users
+--------------------+--------------------+----------------------------------------+------------------------------+
| username | roles | password | options |
+--------------------+--------------------+----------------------------------------+------------------------------+
| sean | |c57e004ee67d6260863b1050e58d93405f5900fd| [] |
| testuser | | | [] |
+--------------------+--------------------+----------------------------------------+------------------------------+
sogabe@sherco:~/src-github/riak$ dev/dev1/bin/riak-admin security print-sources
+--------------------+--------------+----------+--------------------+
| users | cidr | source | options |
+--------------------+--------------+----------+--------------------+
| all | 127.0.0.1/32 | trust | [] |
| all |192.168.1.0/24| trust | [] |
| sean | 0.0.0.0/0 | password | [] |
| all | 0.0.0.0/0 | pam |[{"service","riak"}]|
+--------------------+--------------+----------+--------------------+
- security ユーザ毎の設定情報を表示する(print-user)
sogabe@sherco:~/src-github/riak$ dev/dev1/bin/riak-admin security print-user testuser Inherited permissions +--------------------+----------+----------+----------------------------------------+ | role | type | bucket | grants | +--------------------+----------+----------+----------------------------------------+ Applied permissions +----------+----------+----------------------------------------+ | type | bucket | grants | +----------+----------+----------------------------------------+ | mybucket | * | riak_kv.get | +----------+----------+----------------------------------------+ sogabe@sherco:~/src-github/riak$ dev/dev1/bin/riak-admin security print-user sean Inherited permissions +--------------------+----------+----------+----------------------------------------+ | role | type | bucket | grants | +--------------------+----------+----------+----------------------------------------+ Applied permissions +----------+----------+----------------------------------------+ | type | bucket | grants | +----------+----------+----------------------------------------+ | mybucket | * | riak_kv.put, riak_kv.get | +----------+----------+----------------------------------------+
試してみる
2013年12月現在、riak2.0は開発中なので github の developブランチを用いてテストをします。
riakのソースコードをダウンロードし、ビルドする
$ git clone https://github.com/basho/riak $ cd riak $ make stagedevrel
riak securityの設定
2013年12月現在、developブランチでは security機能を有効にするためのコードが入っていないので、手動でコードを修正してテストをします。
下記の例では、riak.conf に "security = on"と記述することでsecurity機能を有効にできるようになります。
尚、riak2.0からはコンフィグファイルが Erlang由来のものではなく cuttlefish と呼ばれるパーサを使うことになったので、下記のように cuttlefish 用の schemaファイルに必要な設定を追加します。
$ vi deps/riak_core/priv/riak_core.schema
(下記を追加)
%%
%% XXX security
%%
{mapping, "security", "riak_core.security", [
{default, off},
{datatype, {enum, [on, off]}}
]}.
{ translation,
"riak_core.security",
fun(Conf) ->
Setting = cuttlefish:conf_get("security", Conf),
case Setting of
on -> true;
off -> false;
_Default -> false
end
end
}.
$ make stagedevrel
(ビルドする)
$ vi dev/dev1/etc/riak.conf
...
(SSLの cert, key を設定する)
## Default cert location for https can be overridden
## with the ssl config variable, for example:
ssl.certfile = ./etc/cert.pem
## Default key location for https can be overridden
## with the ssl config variable, for example:
ssl.keyfile = ./etc/key.pem
...
(https を有効にして、代わりにhttpを無効にする)
listener.https.internal = 127.0.0.1:10018
...
#listener.http.internal = 127.0.0.1:10018
...
(セキュリティ機能を有効にする)
security = on
$ ulimit -n 4096
$ dev/dev1/bin/riak start
curlを用いた Authentication / Authorizationのテスト
$ curl -k -i https://localhost:10018/riak/test/doc
HTTP/1.1 401 Unauthorized
WWW-Authenticate: Basic realm="Riak"
Server: MochiWeb/1.1 WebMachine/1.10.5 (jokes are better explained)
Date: Tue, 17 Dec 2013 07:08:15 GMT
Content-Type: text/html
Content-Length: 159
<html><head><title>401 Unauthorized</title></head><body><h1>Unauthorized</h1>Unauthorized<p><hr><address>mochiweb+webmachine web server</address></body></html>
$ curl -k -i --user andrew:foo https://localhost:10018/riak/test/doc
HTTP/1.1 401 Unauthorized
WWW-Authenticate: Basic realm="Riak"
Server: MochiWeb/1.1 WebMachine/1.10.5 (jokes are better explained)
Date: Tue, 17 Dec 2013 07:08:15 GMT
Content-Type: text/html
Content-Length: 159
<html><head><title>401 Unauthorized</title></head><body><h1>Unauthorized</h1>Unauthorized<p><hr><address>mochiweb+webmachine web server</address></body></html>
$ dev/dev1/bin/riak-admin security add-user andrew
$ curl -k -i --user andrew:foo https://localhost:10018/riak/test/doc
HTTP/1.1 401 Unauthorized
WWW-Authenticate: Basic realm="Riak"
Server: MochiWeb/1.1 WebMachine/1.10.5 (jokes are better explained)
Date: Tue, 17 Dec 2013 07:09:51 GMT
Content-Type: text/html
Content-Length: 159
<html><head><title>401 Unauthorized</title></head><body><h1>Unauthorized</h1>Unauthorized<p><hr><address>mochiweb+webmachine web server</address></body></html>
$ dev/dev1/bin/riak-admin security add-source andrew 127.0.0.1/32 trust
$ curl -k -i --user andrew:foo https://localhost:10018/riak/test/doc
HTTP/1.1 403 Forbidden
Server: MochiWeb/1.1 WebMachine/1.10.5 (jokes are better explained)
Date: Tue, 17 Dec 2013 07:11:03 GMT
Content-Type: text/plain
Content-Length: 154
Permission denied: User 'andrew' does not have'riak_kv.get' on {<<"default">>,
<<"test">>}
$ dev/dev1/bin/riak-admin security grant riak_kv.get ON default test TO andrew
$ curl -k -i --user andrew:foo https://localhost:10018/riak/test/doc
HTTP/1.1 404 Object Not Found
Server: MochiWeb/1.1 WebMachine/1.10.5 (jokes are better explained)
Date: Tue, 17 Dec 2013 07:12:17 GMT
Content-Type: text/plain
Content-Length: 10
not found
$ curl -k -i --user andrew:foo https://localhost:10018/riak/test2/doc
HTTP/1.1 403 Forbidden
Server: MochiWeb/1.1 WebMachine/1.10.5 (jokes are better explained)
Date: Tue, 17 Dec 2013 07:13:04 GMT
Content-Type: text/plain
Content-Length: 155
Permission denied: User 'andrew' does not have'riak_kv.get' on {<<"default">>,
<<"test2">>}
$ curl -k -i --user andrew:foo https://localhost:10018/riak/test/doc -d "hello world"
HTTP/1.1 403 Forbidden
Server: MochiWeb/1.1 WebMachine/1.10.5 (jokes are better explained)
Date: Tue, 17 Dec 2013 07:13:54 GMT
Content-Type: text/plain
Content-Length: 154
Permission denied: User 'andrew' does not have'riak_kv.put' on {<<"default">>,
<<"test">>}
$ dev/dev1/bin/riak-admin security grant riak_kv.put ON default test TO andrew
$ curl -k -i --user andrew:foo https://localhost:10018/riak/test/doc -d "hello world"
HTTP/1.1 204 No Content
Vary: Accept-Encoding
Server: MochiWeb/1.1 WebMachine/1.10.5 (jokes are better explained)
Date: Tue, 17 Dec 2013 07:14:56 GMT
Content-Type: application/x-www-form-urlencoded
Content-Length: 0
$ curl -k -i --user andrew:foo https://localhost:10018/riak/test2/doc -d "hello world"
HTTP/1.1 403 Forbidden
Server: MochiWeb/1.1 WebMachine/1.10.5 (jokes are better explained)
Date: Tue, 17 Dec 2013 07:15:49 GMT
Content-Type: text/plain
Content-Length: 155
Permission denied: User 'andrew' does not have'riak_kv.put' on {<<"default">>,
<<"test2">>}
$ curl -k -i --user andrew:foo https://localhost:10018/riak/test/doc
HTTP/1.1 200 OK
X-Riak-Vclock: a85hYGBgzGDKBVIcR4M2cgetf/4qgymRMY+V4UOpyhm+LAA=
Vary: Accept-Encoding
Server: MochiWeb/1.1 WebMachine/1.10.5 (jokes are better explained)
Link: </riak/test>; rel="up"
Last-Modified: Tue, 17 Dec 2013 07:14:56 GMT
ETag: "59NlprW7hUCSUVKznH6VKM"
Date: Tue, 17 Dec 2013 07:16:29 GMT
Content-Type: application/x-www-form-urlencoded
Content-Length: 11
hello world
$ dev/dev1/bin/riak-admin security revoke riak_kv.get,riak_kv.put ON default test FROM andrew
$ curl -k -i --user andrew:foo https://localhost:10018/riak/test/doc
HTTP/1.1 403 Forbidden
Server: MochiWeb/1.1 WebMachine/1.10.5 (jokes are better explained)
Date: Tue, 17 Dec 2013 07:19:20 GMT
Content-Type: text/plain
Content-Length: 154
Permission denied: User 'andrew' does not have'riak_kv.get' on {<<"default">>,
<<"test">>}
$ curl -k -i --user andrew:foo -XPUT https://localhost:10018/riak/test/doc -d "hello world"
HTTP/1.1 403 Forbidden
Server: MochiWeb/1.1 WebMachine/1.10.5 (jokes are better explained)
Date: Tue, 17 Dec 2013 07:18:52 GMT
Content-Type: text/plain
Content-Length: 154
Permission denied: User 'andrew' does not have'riak_kv.put' on {<<"default">>,
<<"test">>}
