Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Introduce optional subject name-based authorization #18

Open
m-ronnblom opened this issue Apr 23, 2021 · 0 comments
Open

Introduce optional subject name-based authorization #18

m-ronnblom opened this issue Apr 23, 2021 · 0 comments
Labels
enhancement New feature or request

Comments

@m-ronnblom
Copy link
Collaborator

m-ronnblom commented Apr 23, 2021
edited
Loading

The Pathfinder server-side-only concept of a user uses the client's X.509 subject key id to classify a user connected over TLS. Each subject key id is a user.

The subject key id is used for both to enforce per-user resource limits, and to maintain the server's access control rules (e.g., preventing a user to overwrite or unpublish other users' services). This is in turn an attempt to limit the damage that a malicious (or buggy) client may cause.

The subject key id-based approach requires no configuration, but has two limitations. It does not allow a client to replace its certificate. Also, it does not allow to group many Pathfinder clients originating from different systems (with different certificates and private keys) into the same Pathfinder user.

The server should support authorization based on client certificate subject name as well. "Subject name" here is (as in RFC 6125) meaning the subject field common name (CN) and/or a subject alternative name of type DNS.
@m-ronnblom m-ronnblom added the enhancement New feature or request label Apr 23, 2021
m-ronnblom added a commit that referenced this issue Nov 11, 2022
@m-ronnblom
Avoid clients erroneously keeping orphans from being removed
6c4faf2 
In case a client connects over TLS, the client's X.509 subject key
identifier (SKI) will be used as a server-side user id.

In case the client certificate changes (and the SKI with it) and the
Pathfinder protocol connection is torn down and reestablished (e.g.,
due to a network outage), the client will typically connect under a
new user id, but the same client id. The server currently accepts such
clients, but does not allow them to republish services owned by the
previous user id.

The services published under the old user id would be marked as
orphans, and will eventually be removed, allowing the new client to
republish the services.

This patch fixes a bug where such a reconnecting client would keep
orphaned services alive upon disconnecting. This in turn, with current
libpaf behavior, result in a situation where services published under
the original user id would never be removed, if the service TTL was
larger than the retry period.

For a better solution than using SKI for access control, see
issue #18.

Signed-off-by: Mattias Rönnblom <mattias.ronnblom@ericsson.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
enhancement New feature or request
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@m-ronnblom