Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Redis always started in insecure mode #2863

Closed
tonyespy opened this issue Nov 4, 2020 · 1 comment · Fixed by #3115
Closed

Redis always started in insecure mode #2863

tonyespy opened this issue Nov 4, 2020 · 1 comment · Fixed by #3115
Assignees
@jim-wang-intel
Labels
2-medium priority denoting issues with cross-cutting project impact bug Something isn't working security_audit Track issues that are related to CVE/CVSS/CWE auditing etc
Milestone
Ireland

Comments

@tonyespy
Copy link
Member

tonyespy commented Nov 4, 2020

The Redis startup sequence has been updated for Hanoi to be compliant with our Secret Creation and Distribution ADR. Instead of the Redis credentials being read from Vault via security-secretstore-read and written to disk, a new service security-bootstrap-redis has been introduced which reads the newly generated credentials and calls into Redis (running in insecure mode) to set the credentials. The credentials are not persisted however which means the next time the EdgeX system is started, the same sequence happens all over again, so basically every time EdgeX starts, there's a small window where Redis is running in insecure mode.

Version: v1.2.2-dev.104
@tonyespy tonyespy added the bug Something isn't working label Nov 4, 2020
@tonyespy tonyespy changed the title Redis should persist credentials vs. setting new creds each time EdgeX starts Redis always started in insecure mode Nov 4, 2020
@bnevis-i bnevis-i added security_audit Track issues that are related to CVE/CVSS/CWE auditing etc 2-medium priority denoting issues with cross-cutting project impact labels Nov 4, 2020
@bnevis-i bnevis-i added this to the Ireland milestone Nov 18, 2020
@jim-wang-intel
Copy link
Contributor

Hi Tony @tonyespy : when running in security enable mode, the redis db password has been stored into vault (See: https://github.com/edgexfoundry/edgex-go/blob/master/internal/security/secretstore/init.go#L335) as part of secretstore-setup process. Inside the secretstore-setup, in that addDBCredential function, it has that checking logic whether redis db password is already in vault or not (see https://github.com/edgexfoundry/edgex-go/blob/master/internal/security/secretstore/init.go#L411-L429). So it will re-use the stored db password from vault when EdgeX restart next time. Could you please elaborate what this issue more on what you were trying to resolve for?

jim-wang-intel added a commit to jim-wang-intel/edgex-go that referenced this issue Feb 2, 2021
@jim-wang-intel
feat(security): Fix redis start issue edgexfoundry#2863
6f35d1e 
Now redis starts with conf file with credentials and thus insecure gap is removed

- Refactor security-bootstrap-redis to absorbed into security-bootstrapper as one of command
- Remove security-bootstrap-redis binary build
- Redis db server starts with config file with credentials
- Update snaps

Closes: edgexfoundry#2863

Signed-off-by: Jim Wang <yutsung.jim.wang@intel.com>
@jim-wang-intel jim-wang-intel mentioned this issue Feb 3, 2021
Merged
3 tasks
jim-wang-intel added a commit to jim-wang-intel/edgex-go that referenced this issue Feb 3, 2021
@jim-wang-intel
feat(security): Fix redis start issue edgexfoundry#2863
81e9efd 
Now redis starts with conf file with credentials and thus insecure gap is removed

- Refactor security-bootstrap-redis to absorbed into security-bootstrapper as one of command
- Remove security-bootstrap-redis binary build
- Redis db server starts with config file with credentials
- Update snaps

Closes: edgexfoundry#2863

Signed-off-by: Jim Wang <yutsung.jim.wang@intel.com>
jim-wang-intel added a commit to jim-wang-intel/edgex-go that referenced this issue Feb 4, 2021
@jim-wang-intel
feat(security): Fix redis start issue edgexfoundry#2863
bfc1fc6 
Now redis starts with conf file with credentials and thus insecure gap is removed

- Refactor security-bootstrap-redis to absorbed into security-bootstrapper as one of command
- Remove security-bootstrap-redis binary build
- Redis db server starts with config file with credentials
- Update snaps

Closes: edgexfoundry#2863

Signed-off-by: Jim Wang <yutsung.jim.wang@intel.com>
jim-wang-intel added a commit to jim-wang-intel/edgex-go that referenced this issue Feb 6, 2021
@jim-wang-intel
feat(security): Fix redis start issue edgexfoundry#2863
b973ef5 
Now redis starts with conf file with credentials and thus insecure gap is removed

- Refactor security-bootstrap-redis to absorbed into security-bootstrapper as one of command
- Remove security-bootstrap-redis binary build
- Redis db server starts with config file with credentials
- Update snaps

Closes: edgexfoundry#2863

Signed-off-by: Jim Wang <yutsung.jim.wang@intel.com>
@jim-wang-intel jim-wang-intel mentioned this issue Feb 8, 2021
Merged
4 tasks
jim-wang-intel added a commit to jim-wang-intel/edgex-go that referenced this issue Feb 8, 2021
@jim-wang-intel
feat(security): Fix redis start issue edgexfoundry#2863
f029df6 
Now redis starts with conf file with credentials and thus insecure gap is removed

- Refactor security-bootstrap-redis to absorbed into security-bootstrapper as one of command
- Remove security-bootstrap-redis binary build
- Redis db server starts with config file with credentials
- Update snaps

Closes: edgexfoundry#2863

Signed-off-by: Jim Wang <yutsung.jim.wang@intel.com>
jim-wang-intel added a commit that referenced this issue Feb 8, 2021
@jim-wang-intel
feat(security): Fix redis start issue from #2863 (#3115)
cb6997b 
* feat(security): Fix redis start issue #2863

Now redis starts with conf file with credentials and thus insecure gap is removed

- Refactor security-bootstrap-redis to absorbed into security-bootstrapper as one of command
- Remove security-bootstrap-redis binary build
- Redis db server starts with config file with credentials
- Update snaps

Closes: #2863

Signed-off-by: Jim Wang <yutsung.jim.wang@intel.com>

Change the redis.conf file permission to 0600
Make chown for redis' conf to redis:redis 999:1000 as part of redis' uid and gid creation
Add doc's url and detailed explanation for redis' conf EdgeX is currently using

Remove the change ownership from golang code and only do the change ownership inside the docker's entrypoint script because
snap doesn't work with chow to a non-existing userId.

Signed-off-by: Jim Wang <yutsung.jim.wang@intel.com>

* feat(snap): add patch contnets

 patch -p1 < ./0001-fix-snap-update-the-snap-optimization-patch.patch.txt
patching file snap/local/patches/0001-optimize-build-for-pipeline-CI-check.patch

Signed-off-by: Jim Wang <yutsung.jim.wang@intel.com>
@andresrinivasan andresrinivasan mentioned this issue Feb 9, 2021
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@jim-wang-intel jim-wang-intel

Labels
2-medium priority denoting issues with cross-cutting project impact bug Something isn't working security_audit Track issues that are related to CVE/CVSS/CWE auditing etc
Projects
None yet
Milestone
Ireland
Development

Successfully merging a pull request may close this issue.

feat(security): Fix redis start issue from #2863 jim-wang-intel/edgex-go
3 participants
@tonyespy @bnevis-i @jim-wang-intel