Security
Clients and Servers connect with each other using the Choria Broker (See Architecture). Connections to the Broker must be authenticated. Choria supports 2 major methods of authenticating to the broker.
- x509 based mTLS creating a closed network where only entities with issued certificates can connect
- JWT Tokens with ed25519 signed connection Cryptographic nonce over TLS
The first is the default supported method for your typical Puppet user. The Puppet CA provides a Certificate Authority and, we have extensive integration with it.
The second is more advanced and is typically used at Large Scale in combination with the Choria Provisioner and Choria AAA Service. You would choose this if issuing 10s or 100s of thousands of certificates is prohibitively slow or if integration with enterprise Certificate Authorities prove to be onerous.
x509 Mutual TLS
Overview
This is the most typical deployment strategy and one any Puppet user is familiar with. The Puppet CA is used to issue certificates and only those holding keys and certificates signed by the Puppet CA can connect to the broker. For the Puppet user there are no settings to change, all defaults align with Puppet defaults, it just works.
This creates a private network where access is controlled, initially, at the CA level. Past that the identity found in the signed certificate is used to convey caller id or server identity and various controls are added around that. These Caller IDs are used in RBAC, auditing and more.
We also support enrolling in a Kubernetes Cert-Manager based Certificate Authority. If you run a broker using our Helm charts that broker will get its certificates at start time from Cert-Manager.
Finally, if you do not work in an environment that has Puppet you can use the Choria Provisioner to enroll new Choria Servers to the network, the Choria Provisioner supports a standard CSR based approach for enrolling nodes and can integrate with any CA that has an API. In Kubernetes the provisioner can use Cert-Manager to issue certificates for nodes not in Kubernetes.
When to choose
The majority of users should choose this method, it’s the default, has few dependencies and plays well with Puppet. It’s very secure and tested over best part of a decade.
If you have a CA that you would rather use you can configure Choria with specific paths to certificates and keys. It would then use those same as it does the Puppet ones.
If you have non-Puppet nodes, a mix of Puppet and non-Puppet nodes, if you pay licensing based on certificate counts or if you find the CA is operated in a way incompatible with mTLS (frequent CA cert rotations) then look at the other option.
If you wish to adopt Choria Streams and use it for other purposes you might find you need tighter control of access to these features, we cannot encode these permission flags in certificates so, for that, you need the JWT based model.
Benefits
- Deep Choria integration and a known model, client simply run
choria enroll
and their admin signs a certificate on the CA - No additional work needed on servers, they re-use the same certificate that Puppet uses on that node
- Easy to understand model very similar to HTTPS mTLS
- No additional dependencies other than what you already have
- Optionally supports Choria Provisioner for enrolling servers
- Optionally supports Choria AAA Server for centralising client access
- Non-Puppet CAs supported by custom configuration of paths to certificates, keys etc and deployment using non Puppet methods
- Non-Puppet CAs supported with node auto provisioning using Choria Provisioner
- Clients without individual certificates supported using Choria AAA Server
Drawbacks
- Certificate Authorities might not be available or be inherently incompatible with mTLS due to local operation modes
- Enrolling 100s of thousands of servers into a CA can be extremely costly due to licensing
- Managing expiring certificates very difficult
- Choria Broker is unaware of the type of connection and does not set strict permissions, very little access control to Streams and other features
- Certificates are per-client, meaning if many nodes are used to access the fleet you have to copy keys and certificates around
About Certnames
Given that the main intention here is to re-use Puppet CA we need to be a bit careful that someone who gets their hands on any Puppet signed certificate cannot communicate with the fleet as a client.
For this purpose we make our client certificates using a pattern like name.surname.mcollective
. The server has a configured
allowed list plugin.choria.security.certname_whitelist
that is a list of patterned certificates must validate against in order
to be considered a valid client. This way Puppet operators can spot Choria certificates easily and configure auto signing policies
accordingly.
Configuration
For the typical Puppet user there is nothing to configure, at start Choria will get the ssldir
from Puppet and use the certificates
found there.
Custom Certificates
Custom paths to certificates can be configured as below:
plugin.security.provider = file
plugin.security.file.certificate = /path/to/cert.pem
plugin.security.file.key = /path/to/key.pem
plugin.security.file.ca = /path/to/ca.pem
plugin.security.file.cache = /path/to/cache/dir # only needed for servers
Here we set the security subsystem to file
over the default puppet
and specify paths to our files.
Reference
For details about settings please consult the choria tool config
tool, here a list of related settings, and some short details
Setting | Description | Default |
---|---|---|
plugin.security.provider |
The security provider to use, defaults to, one of puppet , file , pkcs11 , certmanager |
puppet |
plugin.security.file.ca |
Path to the CA chain when provider is file |
|
plugin.security.file.certificate |
Path to the public certificate when provider is file |
|
plugin.security.file.key |
Path to the private key when provider is file |
|
plugin.security.file.cache |
Path to the certificate cache, public certificates for clients are stored there and new certificate that is different from cached one will be rejects | |
plugin.security.always_overwrite_cache |
Do not prevent changing client certs from being denied | false |
plugin.choria.security.certname_whitelist |
List of certificate patterns that are allowed to interact with servers | \.mcollective$ , \.choria$ |
plugin.choria.security.privileged_users |
List of certificate patterns that are allowed to sign requests on behalf of others | \.privileged.mcollective$ , \.privileged.choria$ |
plugin.security.cipher_suites |
List of allowed cipher suites | Go defaults |
plugin.security.ecc_curves |
List of allowed ECC Curves | Go defaults |
Organizations using JWT tokens
Overview
This method does not rely on mTLS, instead we use anonymous TLS, Signed JWT tokens and ED25519 key pairs to provide the following:
- TLS for encrypting traffic in transit
- JWT tokens signed by a trusted component to create a closed network of allowed connection, controlled by a central authority
- ED25519 key-pair to uniquely identify a connection as holding the private key used to request the JWT token
- Rich set of role based permissions and security Policies embedded in JWT token
This deployment method combines Choria Broker, Choria Provisioner and Choria AAA Service to create a Configuration Management free deployment method but can also be combined with a Puppet based deployment method to configure plugins and more.
This method can be deployed using mTLS should it be desired for added transport safety.
When to choose
This requires Choria 0.27.0 which is due for release in early 2023
If your enterprise Certificate Authority is operated in a way that makes using mTLS difficult then this is your only option.
You might find that you are adopting Choria Streams heavily but want to ensure you have tighter control over access to its features then the JWT model will allow you to set flags on a per-connection basis enabling features.
In regulated environments or ones dealing with sensitive information you might need to completely isolate clients from each other ensuring that one client cannot possibly see replies sent to other users. The JWT model ensure a private communications channel is setup that is private to every client.
If you do not use Puppet this method can enable a complete Configuration Management free deployment model.
Benefits
- Does not require a Certificate Authority with API or the ability to issue certificates on demand
- Supports environments where Certificate Authorities are rotated or rebuilt frequently - impossible to use mTLS
- Permission set controlling strict access to sub collectives, Streams features and more
- Private communication channels with isolation between clients for privacy and security of reply data
- Short-lived sessions keys and tokens, expired hourly for user connections. Special permission flag needed to extend to longer
- Easier to integrate with 3rd party SSO systems
- Removes the complex need for managing policy on individual servers by, optionally, embedding policy in JWT tokens
- Easy to integrate with enterprise single sign on and IAM
- Compatible with running the shared infrastructure on Kubernetes
- No single points of failure with all components supporting Highly Available deployment methods
- Key rotation and integration with systems like Hashicorp Vault is possible
Drawbacks
- Not supported by our Ruby clients (planned)
- Harder to configure with more dependencies
- Increased key management for long-lived services
- More centralised, meaning more dependencies on components that can fail or become unavailable
- A new model that might still have teething problems
- Not integrated with the Puppet modules - generally not needed for Puppet users
Configuration
Configuring is shown for AAA Service, Provisioner, Broker and Client. I will not show the entire setup, just the specific parts related to this kind of deployment - for full details reference the documentation for those tools.
Broker
The broker will perform validation of connections from Provisioning Servers, Provisioned Servers and Clients. In all cases the JWTs are RSA signed using a privat key, we configure the public key of all 3 components in the broker to validate the connections accordingly.
The broker will verify servers who are being provisioned using their JWT, a server must present a valid JWT signed by a known certificate and, they will then be placed into the provisioning organisation to isolate them from provisioned nodes:
This is the Public RSA key that signed the provisioner.jwt
that goes on nodes.
plugin.choria.network.provisioning.signer_cert = /etc/choria/broker/provisioning-jwt-signer.pem
While provisioning nodes the Provisioner will create a new JWT and sign that JWT using it’s signing key. The broker will only
allow servers signed by that RSA key to connect, this should be a different key-pair than the one that signed provisioning.jwt
:
plugin.choria.network.provisioning.signer_cert = /etc/choria/broker/provisioner-node-signer.pem
Clients who are authenticating get a signed JWT, the JWT should be RSA signed and the broker needs the public key:
plugin.choria.network.client_signer_cert = /etc/choria/broker/client-jwt-signer.pem
Provisioner
Provisioner takes care of on-boarding new nodes, it will verify the provisioning.jwt
and then generate a configuration
and new Server JWT that will be presented to the broker.
During provisioning the server will create a ED25519 session key, the public key will be embedded in the JWT being generated at this stage.
On connection the server will sign a NONCE that the Choria Broker will verify as being made by the corresponding private key, this way we do not use server JWTs as bearer tokens instead we fully verify that the connecting server holds the JWT but also the private key that was used to request the server JWT.
Below the important bits from the choria-provisioner.yaml
:
# public key used to sign the provisioning.jwt
jwt_verify_cert: /etc/choria-provisioner/provisioning-jwt-signer.pem
# private key used to sign server JWTs
jwt_signing_key: /etc/choria-provisioner/node-signer-key.pem
helper: /etc/choria-provisioner/helper.rb
features:
jwt: true # verifies the provisioner.jwt
ed25519: true # enabled non tls mode
In the helper.rb
we can now set some additional properties that will configure the server JWT:
reply["server_claims"] = {
# token expire after a yead
"exp" => Time.now.utc.to_i + (60*60*24*365),
"permissions" => {
# can be a Choria Submission node
"submission" => true,
# can use KV buckets and Governors
"streams" => true
}
}
reply["configuration"].merge!({
"plugin.security.server_anon_tls" => "1",
# other settings not shown
})
First we set claims to place in the Server JWT and we tell the server to use non mTLS connection.
The permissions supported are, all default to false:
Permission | Description |
---|---|
submission |
Allow the Server to enable Message Submit |
streams |
Allow the Server to access Choria Streams for KV, Governors and more |
governor |
Allow the Server to use Governors - also require streams |
service_host |
Allow the Server to host Services such as Registry |
AAA Service
For the AAA Service the main change here is in the Authenticator. The Authenticator is optional and could be something user provided to integrate into the enterprise SSO.
You might configure your users like this:
[
{
"username": "puppetadmin",
"password": "$2y$05$c4b/0WZ5WJ3nhSZPN9m8keCUPlCYtNOTkqU4fDNEPCUy1C9Pfqn2e",
"acls": [
"puppet.*"
],
"broker_permissions": {
"events_viewer": true
}
}
]
Here we have a user that can manage Puppet related actions and he has the events_viewer
permission set, below a table of
all permissions. All default to false
.
Permission | Description |
---|---|
streams_admin |
Can perform CRUD operations on Streamd and Consumers |
streams_user |
Can use Streams, request their information, create Consumers but not create new Streams |
events_viewer |
Can use choria tool event to view fleet lifecycle events |
election_user |
Can access the standard Choria Leader Election feature |
governor |
Can use Governors |
org_admin |
Has access to all subjects in the organisation, full unlimited access on the broker |
service |
Is allowed to have a client JWT that’s valid for a long time, typical for long running services that use the Choria Client |
system_user |
Is allowed to access the Choria Broker system account for monitoring and management purposes (> 0.26.0) |
Server
During provisioning the server must have the setting plugin.security.server_anon_tls=1
, it will also create /etc/choria/server.seed
holding
the ED25519 private seed and /etc/choria/server.jwt
holding the signed JWT file that will be presented to the broker.
Client
The clent will not need TLS certificates, so it will set the file
security provider:
plugin.security.provider = file
It will log into an AAA Service Login URL when running choria login
:
plugin.choria.login.aasvc.login.url = https://aaa.example.net:4222/choria/v1/login
The choria login
application will store a ED25519 private seed, sign requests using the AAA Signing Service and not
use mTLS to connect:
plugin.choria.security.request_signer.token_file = ~/.choria/token
plugin.choria.security.request_signer.service = true
plugin.choria.secutiry.client_anon_tls = true