|
| 1 | +<!-- |
| 2 | +http://www.apache.org/licenses/LICENSE-2.0.txt |
| 3 | +
|
| 4 | +
|
| 5 | +Copyright 2017 Intel Corporation |
| 6 | +
|
| 7 | +Licensed under the Apache License, Version 2.0 (the "License"); |
| 8 | +you may not use this file except in compliance with the License. |
| 9 | +You may obtain a copy of the License at |
| 10 | +
|
| 11 | + http://www.apache.org/licenses/LICENSE-2.0 |
| 12 | +
|
| 13 | +Unless required by applicable law or agreed to in writing, software |
| 14 | +distributed under the License is distributed on an "AS IS" BASIS, |
| 15 | +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
| 16 | +See the License for the specific language governing permissions and |
| 17 | +limitations under the License. |
| 18 | +--> |
| 19 | + |
| 20 | +# Secure Plugin Communication |
| 21 | + |
| 22 | +Snap communicates with plugins over gRPC protocol, which in general transfers data in plaintext. |
| 23 | +Snap allows securing communication with plugins by opening TLS channels and using certificates to authenticate plugins and framework. |
| 24 | + |
| 25 | +## Usage |
| 26 | + |
| 27 | +This walkthrough assumes you have downloaded a Snap release as described in [Getting Started](../README.md#getting-started). |
| 28 | + |
| 29 | +### Shortest guide |
| 30 | + |
| 31 | +Assuming all the test files are available, the following steps will result in secure plugin communication: |
| 32 | + |
| 33 | +``` |
| 34 | +snapteld --log-level 1 --plugin-trust 0 --tls-cert /tmp/snaptest-cli.crt --tls-key /tmp/snaptest-cli.key --ca-cert-paths /tmp/snaptest-ca.crt |
| 35 | +## (in another terminal) |
| 36 | +## Load each plugin |
| 37 | +snaptel plugin load --plugin-cert /tmp/snaptest-srv.crt --plugin-key /tmp/snaptest-srv.key --plugin-ca-certs /tmp/snaptest-ca.crt plugins/snap-plugin-collector-rand |
| 38 | +## Start a sample task |
| 39 | +snaptel task create -t sample-task.json |
| 40 | +``` |
| 41 | + |
| 42 | +### Detailed preparation |
| 43 | + |
| 44 | +Starting secure communication requires following steps: |
| 45 | +1. Obtain TLS certificate and private key for framework. |
| 46 | + * Please note that this certificate should allow usage for TLS web client authentication (as specified in RFC 3280) |
| 47 | +1. Obtain TLS certificate and private key for each plugin or group of plugins. |
| 48 | + * Please note that this certificate should allow usage for TLS web server authentication (as specified in RFC 3280) |
| 49 | +1. Obtain and locate the CA certificates that are necessary to authenticate framework and plugin certificates. |
| 50 | + |
| 51 | +Process of acquiring a TLS certificate is a complex one. Every organization has its specific rules on security, thus the details are not given here. |
| 52 | + |
| 53 | +We do provide a short guide on obtaining self-signed certificates that may be used for tests outside production environment; see [Obtaining self-signed TLS certificates for tests](#obtaining-self-signed-tls-certificates-for-tests). |
| 54 | + |
| 55 | +### Enabling secure communication |
| 56 | + |
| 57 | +Secure communication is enabled by passing the required paths to programs: `snapteld`, and plugin (via `snaptel`). The minimum paths necessary are: |
| 58 | +* for `snapteld`: `--tls-cert`, `--tls-key`, |
| 59 | +* for plugins (`snaptel`): `--plugin-cert`, `--plugin-key`. |
| 60 | + |
| 61 | +The required paths are sufficient and necessary to enable TLS. Daemon (`snapteld`) and plugins (via `snaptel`) will refuse to start if certificate or key file argument is missing. |
| 62 | + |
| 63 | +### Using system-installed CA certificates |
| 64 | + |
| 65 | +Framework and plugins need CA certificates to validate each other's certificate. The CA certificates may be obtained in two ways: |
| 66 | +* by passing a list of CA certificate paths directly as a parameter, e.g.: `--ca-cert-paths=/tmp/small-setup-ca.crt:/tmp/medium-setup-ca.crt:/tmp/ca-certs/`, `--plugin-ca-certs` |
| 67 | + * plugin as well as framework will examine each path in the list and either load a file directly or list directory contents and load the enumerated files (e.g.: the files in `/tmp/ca-certs/` folder) |
| 68 | +* by relying on default CA certificate discovery mechanism |
| 69 | + * plugin and framework will by default load certificates from system (if no paths were given as parameter). Each OS has its own specific locations, e.g.: `/etc/ssl/certs` on Ubuntu. This mechanism is provided by Go language, and is only available on selected OSes. |
| 70 | + System CA certificates may also be loaded explicitly by listing system locations explicitly, e.g.: `--ca-cert-paths /etc/ssl/certs:/tmp/snaptest-ca.crt` |
| 71 | + |
| 72 | +## More information |
| 73 | + |
| 74 | +### Exclusive security |
| 75 | + |
| 76 | +It's important to note that once secure plugin communication is enabled in framework, only secure connections may be established. |
| 77 | + |
| 78 | +In other words: attempting to load insecure plugin in framework will result in an error. |
| 79 | + |
| 80 | +### Relation to other functionalities |
| 81 | + |
| 82 | +Several modes of operation do not fully support secure communication: |
| 83 | +* distributed workflow is not covered by secure communication, |
| 84 | +* tribe doesn't support secure communication; `snapteld` will refuse to start in tribe mode if configured with secure communication, |
| 85 | +* plugin and task autodiscovery doesn't support secure communication; `snapteld` will refuse to start with autodiscovery path and secure communication enabled. |
| 86 | + |
| 87 | +### Obtaining self-signed TLS certificates for tests |
| 88 | + |
| 89 | +The following intstructions will result in TLS certificate files. These files may be used for manual tests. |
| 90 | +1. Install tool [certstrap](https://github.com/square/certstrap) for generating test certificates. Further steps will assume that `certstrap` is available under `$PATH` location. |
| 91 | +1. Generate root CA certificate: |
| 92 | + ``` |
| 93 | + certstrap init --cn "snaptest-ca" --o "snaptest" --ou "ca" --key-bits 2048 --years 1 --passphrase ' |
| 94 | + ``` |
| 95 | +1. **optional** Install root CA certificate in the system: |
| 96 | + ``` |
| 97 | + sudo cp out/snaptest-ca.crt /usr/local/share/ca-certificates/; sudo update-ca-certificates --verbose --fresh |
| 98 | + ``` |
| 99 | +1. Generate server certificate and key to use with plugins: |
| 100 | + ``` |
| 101 | + certstrap request-cert --cn "snaptest-srv" --ip "127.0.0.1" --domain "localhost" --passphrase '' --key-bits 2048 --o "snaptest" --ou "server" |
| 102 | + certstrap sign "snaptest-srv" --CA "snaptest-ca" --passphrase '' --years 1 |
| 103 | + ``` |
| 104 | +1. Generate client certificate and key to use with `snapteld`: |
| 105 | + ``` |
| 106 | + certstrap request-cert --cn "snaptest-cli" --ip "127.0.0.1" --domain "localhost" --passphrase '' --key-bits 2048 --o "snaptest" --ou "client" |
| 107 | + certstrap sign "snaptest-cli" --CA "snaptest-ca" --passphrase '' --years 1 |
| 108 | + ``` |
| 109 | +1. Copy server and client certificates into common location, e.g.: `/tmp`: |
| 110 | + ``` |
| 111 | + for unit in srv cli; do for fname in crt key; do cp out/snaptest-$unit.$fname /tmp; done; done |
| 112 | + ``` |
| 113 | +The following files are relevant for running the tests: |
| 114 | +* `/tmp/snaptest-cli.crt`, `/tmp/snaptest-cli.key` - these are the certificate and private key files for `snapteld`, |
| 115 | +* `/tmp/snaptest-srv.crt`, `/tmp/snaptest-srv.key` - these are the certificate and private key files for plugin, |
| 116 | +* `/tmp/snaptest-ca.crt` - this is the CA certificate that should be used to authenticate framework and plugins. |
| 117 | +
|
| 118 | +## More information |
| 119 | +
|
| 120 | +* [SNAPTELD_CONFIGURATION.md](SNAPTELD_CONFIGURATION.md) |
| 121 | +* [SNAPTELD](SNAPTELD.md) |
| 122 | +* [SNAPTELD](SNAPTELD.md) |
| 123 | +* [TRIBE.md](TRIBE.md) |
| 124 | +* [DISTRIBUTED_WORKFLOW_ARCHITECTURE](DISTRIBUTED_WORKFLOW_ARCHITECTURE.md) |
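Review bot: the `certstrap init` line in "Obtaining self-signed TLS certificates for tests" ends in `--passphrase '` with an unterminated single quote, so pasting it into a shell waits for a closing quote instead of generating the CA; the later `request-cert` and `sign` lines use `--passphrase ''`, and this one should match. Two documentation points in the same file: the heading `## More information` appears twice (once introducing "Exclusive security" and once before the link list at the end), and that link list repeats `* [SNAPTELD](SNAPTELD.md)`, so the first heading should be renamed (or the final link section merged into it) and the duplicate entry dropped. Style: "intstructions" in "The following intstructions will result in TLS certificate files" is misspelled. Lastly, the shortest guide starts `snapteld` with `--plugin-trust 0`, which sets plugin signature trust to its disabled level; since this is the security walkthrough, one sentence saying that this is for the test setup only (TLS authenticates the two endpoints, it does not replace plugin signing) would stop readers copying that command line into a production configuration.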