
Provide SCRAM pass to pandaproxy client securely

Open dimitriscruz opened this issue 4 years ago • 5 comments

Currently the SCRAM password is added to the redpanda.yaml as free text:

# The REST API client
pandaproxy_client:
...
  # Password for SCRAM authentication mechanisms
  scram_password: mysecretpass

It would be safer (perhaps as an alternative to the actual password value) to provide either a file path or an environment variable containing the password. Either of these could be injected, e.g., by k8s as a Secret resource, during creation.

Note: an advantage of the file path approach over the environment variable in the context of k8s is that "secrets" (in this case the SCRAM password) can change without restarting the process, whereas environment variables need a restart.

dimitriscruz avatar May 07 '21 05:05 dimitriscruz

seems reasonable. we could add scram_password_file or something. does k8s have any special formatting in the secret file or does it contain only the password?

dotnwat avatar May 07 '21 05:05 dotnwat

we could add scram_password_file or something.

makes sense

does k8s have any special formatting in the secret file or does it contain only the password?

just the password. For example, if you create this secret:

apiVersion: v1
kind: Secret
metadata:
  name: mysecret
type: Opaque
data:
  password: MWYyZDFlMmU2N2Rm  # base64 (optional)

You can mount it in the pod under /etc/foo and cat:

kubectl exec mypod -- cat /etc/foo/password
1f2d1e2e67df

dimitriscruz avatar May 07 '21 05:05 dimitriscruz
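The two points made above (a file path or an environment variable as an alternative to the inline `scram_password`, and a mounted k8s Secret file holding just the raw password, which kubelet can rotate without a restart) together, as an added example that is not Redpanda's code. The option names `scram_password_file` and `scram_password_env` are hypothetical placeholders for whatever the project adds; the k8s volume layout (`..data` symlink swapped atomically) is how kubelet lays out Secret volumes, reproduced here in a temporary directory.

```python
"""Load the pandaproxy SCRAM password from a mounted secret file or an env var
instead of redpanda.yaml. Added example, not Redpanda code: the keys
scram_password_file and scram_password_env are hypothetical placeholders."""
import os
import stat
import tempfile
from dataclasses import dataclass, field
from pathlib import Path


@dataclass
class ScramSecret:
    password: str
    source: str                 # "inline", "env:NAME" or "file:PATH"
    warnings: list = field(default_factory=list)


def read_secret_file(path):
    """Read a secret file verbatim, tolerating one trailing newline."""
    path = Path(path)
    st = path.stat()            # follows the k8s ..data/ symlink chain
    if not stat.S_ISREG(st.st_mode):
        raise ValueError(f"{path}: not a regular file")
    warnings = []
    if st.st_mode & stat.S_IROTH:   # k8s defaultMode is 0644; tighten with defaultMode: 0400
        warnings.append(f"{path}: world-readable (mode {oct(st.st_mode & 0o777)})")
    raw = path.read_bytes()
    # A k8s Secret value is written with no trailing newline; a hand-written
    # file usually has one. Strip exactly one so a password is never truncated.
    raw = raw[:-2] if raw.endswith(b"\r\n") else raw[:-1] if raw.endswith(b"\n") else raw
    if not raw:
        raise ValueError(f"{path}: empty secret")
    return raw.decode("utf-8"), warnings


def resolve_scram_password(cfg, environ=None):
    """Require exactly one of scram_password / scram_password_env / scram_password_file."""
    environ = os.environ if environ is None else environ
    keys = [k for k in ("scram_password", "scram_password_env", "scram_password_file") if cfg.get(k)]
    if len(keys) != 1:
        raise ValueError(f"set exactly one password option, got {keys}")
    key = keys[0]
    if key == "scram_password":
        return ScramSecret(cfg[key], "inline", ["plaintext password in config file"])
    if key == "scram_password_env":
        if not environ.get(cfg[key]):
            raise ValueError(f"environment variable {cfg[key]} unset or empty")
        return ScramSecret(environ[cfg[key]], f"env:{cfg[key]}")
    pw, warnings = read_secret_file(cfg[key])
    return ScramSecret(pw, f"file:{cfg[key]}", warnings)


class ReloadingSecretFile:
    """Re-read a mounted Secret when kubelet rotates it. kubelet writes a new
    ..<timestamp>/ dir and atomically re-points the ..data symlink, so the
    path keeps its name but resolves to a new inode; an env var would need a
    process restart to pick this up."""

    def __init__(self, path):
        self.path, self._stamp, self._password = Path(path), None, None

    def current(self):
        real = self.path.resolve()
        st = real.stat()
        stamp = (str(real), st.st_ino, st.st_mtime_ns)
        if stamp != self._stamp:        # new target, or rewritten in place
            self._password, _ = read_secret_file(self.path)
            self._stamp = stamp
        return self._password


def demo():
    """Constructed scenario mimicking a k8s Secret volume and one rotation."""
    out = {}
    with tempfile.TemporaryDirectory() as d:
        mount = Path(d)
        v1 = mount / "..2021_05_07"
        v1.mkdir()
        (v1 / "password").write_bytes(b"1f2d1e2e67df")   # value from the thread
        (mount / "..data").symlink_to(v1.name)
        (mount / "password").symlink_to("..data/password")
        out["file"] = resolve_scram_password({"scram_password_file": str(mount / "password")}).password
        out["env"] = resolve_scram_password({"scram_password_env": "PP_PASS"}, {"PP_PASS": "envpass"}).password
        try:
            resolve_scram_password({"scram_password": "a", "scram_password_file": "/b"})
            out["both_rejected"] = False
        except ValueError:
            out["both_rejected"] = True
        watcher = ReloadingSecretFile(mount / "password")
        out["before"] = watcher.current()
        v2 = mount / "..2021_05_08"                      # rotate the way kubelet does
        v2.mkdir()
        (v2 / "password").write_bytes(b"rotated-pw\n")
        (mount / "..data_tmp").symlink_to(v2.name)
        os.replace(mount / "..data_tmp", mount / "..data")   # atomic symlink swap
        out["after"] = watcher.current()
    return out


if __name__ == "__main__":
    print(demo())
```

The watcher keys on the resolved path plus inode and mtime rather than on the mount path's own mtime, because a kubelet rotation changes what `password` points at without touching the symlink itself; a reader that only re-opens the file on startup, or that caches by name, keeps the old credential until restart, which is exactly the env-var limitation noted above.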

excellent. that should make things very easy. I should have time this week to do this. I can also point you at a few snippets of seastar code that with a bit of modification you could probably drop into the startup process to get it working.

dotnwat avatar May 12 '21 04:05 dotnwat

https://github.com/vectorizedio/redpanda/blob/dev/src/v/utils/file_io.h#L27

dotnwat avatar May 12 '21 04:05 dotnwat

configuration{.h,cc} for adding the file name option. then application.cc (probably something like hydrate_config) for reading up the password from the secret file.

dotnwat avatar May 12 '21 04:05 dotnwat

Resolved by https://github.com/redpanda-data/core-internal/issues/35. I think this issue can be closed @jcsp ?

mattschumpert avatar Nov 23 '22 16:11 mattschumpert

Documentation for the new feature is here: https://docs.redpanda.com/docs/platform/security/authentication/#configure-schema-registry-and-http-proxy-to-connect-to-redpanda-with-sasl

mattschumpert avatar Nov 23 '22 16:11 mattschumpert