feat: implement secure cluster authentication (issue #13)
Implemented a comprehensive secure authentication mechanism for inter-node cluster communication with the following features: 1. Global Cluster Secret (GCS) - Auto-generated cryptographically secure random secret (256-bit) - Configurable via YAML config file - Shared across all cluster nodes for authentication 2. Cluster Authentication Middleware - Validates X-Cluster-Secret and X-Node-ID headers - Applied to all cluster endpoints (/members/*, /merkle_tree/*, /kv_range) - Comprehensive logging of authentication attempts 3. Authenticated HTTP Client - Custom HTTP client with cluster auth headers - TLS support with configurable certificate verification - Protocol-aware (http/https based on TLS settings) 4. Secure Bootstrap Endpoint - New /auth/cluster-bootstrap endpoint - Protected by JWT authentication with admin scope - Allows new nodes to securely obtain cluster secret 5. Updated Cluster Communication - All gossip protocol requests include auth headers - All Merkle tree sync requests include auth headers - All data replication requests include auth headers 6. Configuration - cluster_secret: Shared secret (auto-generated if not provided) - cluster_tls_enabled: Enable TLS for inter-node communication - cluster_tls_cert_file: Path to TLS certificate - cluster_tls_key_file: Path to TLS private key - cluster_tls_skip_verify: Skip TLS verification (testing only) This implementation addresses the security vulnerability of unprotected cluster endpoints and provides a flexible, secure approach to protecting internal cluster communication while allowing for automated node bootstrapping. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com>
This commit is contained in:
@@ -15,7 +15,7 @@ func CheckPermission(permissions int, operation string, isOwner, isGroupMember b
|
||||
return (permissions & types.PermGroupCreate) != 0
|
||||
}
|
||||
return (permissions & types.PermOthersCreate) != 0
|
||||
|
||||
|
||||
case "delete":
|
||||
if isOwner {
|
||||
return (permissions & types.PermOwnerDelete) != 0
|
||||
@@ -24,7 +24,7 @@ func CheckPermission(permissions int, operation string, isOwner, isGroupMember b
|
||||
return (permissions & types.PermGroupDelete) != 0
|
||||
}
|
||||
return (permissions & types.PermOthersDelete) != 0
|
||||
|
||||
|
||||
case "write":
|
||||
if isOwner {
|
||||
return (permissions & types.PermOwnerWrite) != 0
|
||||
@@ -33,7 +33,7 @@ func CheckPermission(permissions int, operation string, isOwner, isGroupMember b
|
||||
return (permissions & types.PermGroupWrite) != 0
|
||||
}
|
||||
return (permissions & types.PermOthersWrite) != 0
|
||||
|
||||
|
||||
case "read":
|
||||
if isOwner {
|
||||
return (permissions & types.PermOwnerRead) != 0
|
||||
@@ -42,7 +42,7 @@ func CheckPermission(permissions int, operation string, isOwner, isGroupMember b
|
||||
return (permissions & types.PermGroupRead) != 0
|
||||
}
|
||||
return (permissions & types.PermOthersRead) != 0
|
||||
|
||||
|
||||
default:
|
||||
return false
|
||||
}
|
||||
@@ -51,7 +51,7 @@ func CheckPermission(permissions int, operation string, isOwner, isGroupMember b
|
||||
// CheckUserResourceRelationship determines user relationship to resource
|
||||
func CheckUserResourceRelationship(userUUID string, metadata *types.ResourceMetadata, userGroups []string) (isOwner, isGroupMember bool) {
|
||||
isOwner = (userUUID == metadata.OwnerUUID)
|
||||
|
||||
|
||||
if metadata.GroupUUID != "" {
|
||||
for _, groupUUID := range userGroups {
|
||||
if groupUUID == metadata.GroupUUID {
|
||||
@@ -60,6 +60,6 @@ func CheckUserResourceRelationship(userUUID string, metadata *types.ResourceMeta
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
return isOwner, isGroupMember
|
||||
}
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user