Open hwware opened 6 months ago
I would be for implementing something like this. I know that practically every group or company that has a devops team that "manages" Redis would have liked this type of feature, so seems reasonable to add to Valkey.
Furthermore, Some company regulatory frameworks or industry standards may explicitly require the use of trusted network configurations as part of compliance measures. Implementing this feature ensures adherence to such requirements, adding an extra level of assurance. A trusted network feature acts as a fail-safe mechanism, ensuring that even if ACLs are misconfigured, access is still restricted to trusted networks, minimizing the impact of misconfigurations.
We know much about this specifically?
My apologies for late reply, I retract the cliam regarding the standards and frameworks. Thanks!
Sounds good to me. Can we have a more exact suggestion, like config name and value, before we make a decision?
+1. I agree this is a very valid "management" problem to solve.
@hwware I think we should also consider the impact of NAT when it comes to the detailed design.
Once we have the mechanism to tell "trusted" clients based on their IPs, I think we should also consider evaluating some server polices differently, such as maxclients
. There have been cases where the client applications exhausted maxclients
leaving no connections to the admin.
Perhaps a client coming from a "trusted" location should be allowed to connect at all times?
If the management-port https://github.com/valkey-io/valkey/issues/497 were available we wouldn't need to worry about this.
Perhaps a client coming from a "trusted" location should be allowed to connect at all times?
What does this mean? I'm not sure what it means to be able to connect at all times. Are you suggesting we have a separate thread serving it, or just that it doesn't need to provide authentication, or that it will be accepted even during a command?
Sorry, that is quite vague. It was intended to be in the context of "max clients has been reached".
Perhaps it should be possible to configure it so that a client coming from inside a trusted network should be allowed to connect even though max-clients has been reached.
Sounds good to me. Can we have a more exact suggestion, like config name and value, before we make a decision?
trusted-addresses
". clients from the list of IP addresses will be trusted.Syntax:trusted-addresses <IP> <IP> <IP> <IP> ...
ex: trusted-addresses 10.0.0.1 10.0.0.5 12.0.0.5
c->flags & CLIENT_UNIX_SOCKET
" is true then its trusted otherwise would be considered as un-trusted.hostMachineNetMask/host_machine_netmask , hostMachineIp/host_machine_ip
).@hwware I like this idea. But often in small setups, a web server and a valkey server are located on the same machine. Then it's not perfect that clients on localhost are automatically trusted and can get passed the maxclients config.
How about another configuration property: trust_localhost
? The default would be false.
Or perhaps something stronger, allow_clients_from_trusted_sources
, with a default of false, so that this is not a breaking change. Then, by default, the system acts exactly as it does today.
Or something more complex, such as multiple configuration properties, so that you can specify exactly which sources are trusted (e.g., trust_localhost, trust_local_subnet, and trust_unix_socket).
trusted-addresses 10.0.0.1 10.0.0.5 12.0.0.5
I sort of like the idea of this, but allow this to be more flexible. Maybe support: trusted-sources 10.0.0.5 10.0.0.* unix
, to support either a specific IP, a subnet sdk, or a unix domain socket. I would prefer a single configuration option, but we could do multiple to. I suppose overlap with the bind addresses, but also include unix as an option.
trusted-addresses 10.0.0.1 10.0.0.5 12.0.0.5
I sort of like the idea of this, but allow this to be more flexible. Maybe support:
trusted-sources 10.0.0.5 10.0.0.* unix
, to support either a specific IP, a subnet sdk, or a unix domain socket. I would prefer a single configuration option, but we could do multiple to. I suppose overlap with the bind addresses, but also include unix as an option.
I would like to implement the 1st step: the config parameter only allow to be configured as ip address list because generally, clients do not connect to the server directly, they should connect through some proxy machines. The ip addresses are limited,
Then 2nd step, I prefer the add more parameter options, the format could be 1.2.3.4/24 or 1.2.3.4 255.255.255.0 unix instead of 10.0.0.*, how do you think? Thanks
@hwware I like this idea. But often in small setups, a web server and a valkey server are located on the same machine. Then it's not perfect that clients on localhost are automatically trusted and can get passed the maxclients config.
This feature, trusted or untrusted ip address is from server view, even web server or administration server and valkey server are in the same physical machine, valkey server will still check the connected ip address. Most cases it should be configured by system adminstrator. if the web-server is untrusted and on the same physical machine as the Valkey-server and the administrator needs to be a trusted client, then the address of the host must not be in the list of trusted IP addresses, and the administrator need to connect from a trusted address.
Most cases it should be configured by system adminstrator. if the web-server is untrusted and on the same physical machine as the Valkey-server and the administrator needs to be a trusted client, then the address of the host must not be in the list of trusted IP addresses, and the administrator need to connect from a trusted address.
Most cases, but not always. We need to be backward compatible. If we give any superpowers to trusted clients, then we need to make sure that no existing running application is trusted automatically. The default needs to be no trusted IP at all.
If someone runs a webserver from localhost and also connect as admin from localhost, then we can't disable maxclients
for both of them based on IP. In this setup, it's better that none of them is trusted and that admin sometimes can't connect because maxclients
is reached, than the possibility that the webserver can make infinitely many connections.
I think there is a misunderstanding here. As I read "then the address of the host must not be in the list of trusted IP addresses, and the administrator need to connect from a trusted address", it means that the administrator cannot connect from the same host that is running both the web-server and the valkey-server because that host does not appear in the list of trusted addresses.
Thus, the default is backward compatible, which is to say, nobody is trusted.
Thus, the default is backward compatible, which is to say, nobody is trusted.
@daniel-house OK, that's good. I was just worried by @hwware's comment:
3. Other clients to be considered as trusted are connected from local host and client connected from same subnet
I think we can't even consider localhost as trusted by default.
so we would have a different config trusted-maxclients
to control the number of connections?
@dmitrypol A trusted client basically means an admin client or a control plane client. I don't think we need to limit the number of such clients. The idea is that only clients from internal IP addresses should be configured as trusted clients. It should not be open to the internet, not even to a web application which is using valkey.
I see the risk of users misconfiguring this. They would open up a vulnerability. We need to choose good naming for this and be very clear in documentation and comments in the config file. is there anything else we can do to limit the risk of misconfig?
agree on the use case of trusted client (control plan / admin / devops) which is separate from the application using Redis cache. IP allowlist is one way to control access by trusted client.
But a badly implemented monitoring system using trusted client could use up too many connections and then conflict with the application connectivity.
Another option is to have a special admin user (in addition to default user) with separate connection limit for it. Ops engineers can implement ACL for the admin user (there could be recommend settings).
Here are a few possibilities to reduce risk.
It would be reasonable to apply ACL to trusted clients in the same way as to all other clients.
We could require that when a trusted client authenticates, the user must have permission to issue admin commands. If that isn't secure enough, we could add a new ACL category such as allowed-on-trusted-client
.
We could forbid the default user from trusted clients.
We could forbid all users without passwords from trusted clients.
We could forbid the existence of a user that can log in via both trusted and untrusted IP addresses. This might be as simple as assigning each user a trusted attribute, true or false.
Adding a max-client attribute to each user via the ACL looks good to me. That would help devops protect themselves from their own errors. That would be in addition to the existing max-client value that would sum over all the untrusted clients.
so we would have a different config
trusted-maxclients
to control the number of connections?
No, there is no separated config for max clients. This feature goal is to check every connection to the server. Admin or Ops engineer should take some config problems if this feature is enable.
The problem/use-case that the feature addresses
ACL provides good access control based on the rules and also restrict the users for certain commands depending on their role, we could say offers robust access control mechanisms. In most of the cases administrators share default password within themselves and there is chance connection can be made from outside of the server's deployment network or they can create different user and connect from internet, likewise human error in ACL configurations can inadvertently open up security issues, like we can think of.
Motivation
Additional information
Alternatives you've considered