Security concern regarding CRDB


I’ve been experimenting with CRDB lately and a security-related question came to my mind: if someone knows the IP of one of my nodes, does it mean they can add a node controlled by them to my cluster? That way, they would have access to my entire database through their node.


(Marc) #2

When running insecure mode then yes. But insecure should be a good hint that it’s not to be used for anything other than testing and development.

When running secure mode, all trust is based on the CA used to sign server and client certificates. When a new node attempts to join a cluster, the existing nodes receiving the request will verify that the presented certificate is signed by the known CA, and is for user node.

This does imply that the CA (either self-signed root, or intermediate) should only be used for a single cluster (to prevent a node from joining the wrong cluster, and to prevent a client certificate meant for one cluster from being used on another). The CA key should be safely stored to prevent unauthorised signing of server or client certificates.