From d315e63fbdbf26106b383b86c31bf23eebc191c8 Mon Sep 17 00:00:00 2001 From: lhy1024 Date: Fri, 11 Oct 2024 18:48:31 +0800 Subject: [PATCH 1/5] pd: support multi cn after 8.4 Signed-off-by: lhy1024 --- enable-tls-between-components.md | 15 ++++++++------- 1 file changed, 8 insertions(+), 7 deletions(-) diff --git a/enable-tls-between-components.md b/enable-tls-between-components.md index 69ee896f25d5b..fa62aab152da3 100644 --- a/enable-tls-between-components.md +++ b/enable-tls-between-components.md 
@@ -156,11 +156,12 @@ Currently, it is not supported to only enable encrypted transmission of some spe The Common Name is used for caller verification. In general, the callee needs to verify the caller's identity, in addition to verifying the key, the certificates, and the CA provided by the caller. For example, TiKV can only be accessed by TiDB, and other visitors are blocked even though they have legitimate certificates. -To verify component caller's identity, you need to mark the certificate user identity using `Common Name` when generating the certificate, and to check the caller's identity by configuring the `Common Name` list for the callee. +To verify component caller's identity, you need to mark the certificate user identity using `Common Name` when generating the certificate, and to check the caller's identity by configuring the `cluster-verify-cn` (for the TiDB component) or `cert-allowed-cn` (for other components) for the callee. > **Note:** > -> Currently the `cert-allowed-cn` configuration item of the PD can only be set to one value. Therefore, the `commonName` of all authentication objects must be set to the same value. +> After version 8.4, PD supports multiple `Common Name`. You can configure them in the cert-allowed-cn setting for each component as needed. It’s important to note that TiUP uses a distinct identifier when querying component statuses. For example, if the cluster name is `test`, it will use `test-client` as the Common Name. +> For versions 8.3 and earlier, the `cert-allowed-cn` configuration item of the PD can only be set to one value. Therefore, the `Common Name` of all authentication objects must be set to the same value. Please refer to the v8.3.0 documentation. - TiDB @@ -168,7 +169,7 @@ To verify component caller's identity, you need to mark the certificate user ide ```toml [security] - cluster-verify-cn = ["TiDB"] + cluster-verify-cn = ["tidb", "test-client", "prometheus"] ``` - TiKV 
@@ -177,7 +178,7 @@ To verify component caller's identity, you need to mark the certificate user ide ```toml [security] - cert-allowed-cn = ["TiDB"] + cert-allowed-cn = ["tidb", "pd", "tikv", "tiflash", "prometheus"] ``` - PD @@ -186,7 +187,7 @@ To verify component caller's identity, you need to mark the certificate user ide ```toml [security] - cert-allowed-cn = ["TiDB"] + cert-allowed-cn = ["tidb", "pd", "tikv", "tiflash", "test-client", "prometheus"] ``` - TiFlash (New in v4.0.5) @@ -195,14 +196,14 @@ To verify component caller's identity, you need to mark the certificate user ide ```toml [security] - cert_allowed_cn = ["TiDB"] + cert_allowed_cn = ["tidb", "tikv", "prometheus"] ``` Configure in the `tiflash-learner.toml` file: ```toml [security] - cert-allowed-cn = ["TiDB"] + cert-allowed-cn = ["tidb", "tikv", "tiflash", "prometheus"] ``` ## Reload certificates From a0c53a0db099ccd7c5564212abf2676e40f60e5f Mon Sep 17 00:00:00 2001 From: lhy1024 Date: Mon, 14 Oct 2024 14:02:46 +0800 Subject: [PATCH 2/5] Update enable-tls-between-components.md Co-authored-by: Grace Cai --- enable-tls-between-components.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/enable-tls-between-components.md b/enable-tls-between-components.md index fa62aab152da3..9d5d78495f98f 100644 --- a/enable-tls-between-components.md +++ b/enable-tls-between-components.md 
@@ -154,7 +154,7 @@ Currently, it is not supported to only enable encrypted transmission of some spe ### Verify component caller's identity -The Common Name is used for caller verification. In general, the callee needs to verify the caller's identity, in addition to verifying the key, the certificates, and the CA provided by the caller. For example, TiKV can only be accessed by TiDB, and other visitors are blocked even though they have legitimate certificates. +In general, the callee needs to verify the caller's identity using `Common Name`, in addition to verifying the key, the certificates, and the CA provided by the caller. For example, TiKV can only be accessed by TiDB, and other visitors are blocked even though they have legitimate certificates. To verify component caller's identity, you need to mark the certificate user identity using `Common Name` when generating the certificate, and to check the caller's identity by configuring the `cluster-verify-cn` (for the TiDB component) or `cert-allowed-cn` (for other components) for the callee. From cfe5026eb0655fee698903c664b992e73d96875d Mon Sep 17 00:00:00 2001 From: lhy1024 Date: Mon, 14 Oct 2024 14:03:14 +0800 Subject: [PATCH 3/5] Update enable-tls-between-components.md Co-authored-by: Grace Cai --- enable-tls-between-components.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/enable-tls-between-components.md b/enable-tls-between-components.md index 9d5d78495f98f..739db880a237e 100644 --- a/enable-tls-between-components.md +++ b/enable-tls-between-components.md 
@@ -160,8 +160,8 @@ To verify component caller's identity, you need to mark the certificate user ide > **Note:** > -> After version 8.4, PD supports multiple `Common Name`. You can configure them in the cert-allowed-cn setting for each component as needed. It’s important to note that TiUP uses a distinct identifier when querying component statuses. For example, if the cluster name is `test`, it will use `test-client` as the Common Name. -> For versions 8.3 and earlier, the `cert-allowed-cn` configuration item of the PD can only be set to one value. Therefore, the `Common Name` of all authentication objects must be set to the same value. Please refer to the v8.3.0 documentation. +> - Starting from v8.4.0, the PD configuration item `cert-allowed-cn` supports multiple values. You can configure multiple `Common Name` in the `cluster-verify-cn` configuration item for TiDB and in the `cert-allowed-cn` configuration item for other components as needed. Note that TiUP uses a separate identifier when querying component status. For example, if the cluster name is `test`, TiUP uses `test-client` as the `Common Name`. +> - For v8.3.0 and earlier versions, the PD configuration item `cert-allowed-cn` can only be set to a single value. Therefore, the `Common Name` of all authentication objects must be set to the same value. For related configuration examples, see [v8.3.0 documentation](https://docs.pingcap.com/tidb/v8.3/enable-tls-between-components). - TiDB From 849c5ec7bb17baa178771b5b75bda8b03590c2c9 Mon Sep 17 00:00:00 2001 From: lhy1024 Date: Mon, 14 Oct 2024 14:03:27 +0800 Subject: [PATCH 4/5] Update enable-tls-between-components.md Co-authored-by: Grace Cai --- enable-tls-between-components.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/enable-tls-between-components.md b/enable-tls-between-components.md index 739db880a237e..945c6baa50b31 100644 --- a/enable-tls-between-components.md +++ b/enable-tls-between-components.md 
@@ -156,7 +156,7 @@ Currently, it is not supported to only enable encrypted transmission of some spe In general, the callee needs to verify the caller's identity using `Common Name`, in addition to verifying the key, the certificates, and the CA provided by the caller. For example, TiKV can only be accessed by TiDB, and other visitors are blocked even though they have legitimate certificates. -To verify component caller's identity, you need to mark the certificate user identity using `Common Name` when generating the certificate, and to check the caller's identity by configuring the `cluster-verify-cn` (for the TiDB component) or `cert-allowed-cn` (for other components) for the callee. +To verify the caller's identity for a component, you need to mark the certificate user identity using `Common Name` when generating the certificate, and check the caller's identity by configuring `cluster-verify-cn` (in TiDB) or `cert-allowed-cn` (in other components) for the callee. > **Note:** > From 4b5672e9909428b84dae79d72036b385d0fea757 Mon Sep 17 00:00:00 2001 From: Grace Cai Date: Thu, 17 Oct 2024 11:57:27 +0800 Subject: [PATCH 5/5] Update enable-tls-between-components.md Co-authored-by: Aolin --- enable-tls-between-components.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/enable-tls-between-components.md b/enable-tls-between-components.md index 945c6baa50b31..75341455711b8 100644 --- a/enable-tls-between-components.md +++ b/enable-tls-between-components.md 
@@ -160,7 +160,7 @@ To verify the caller's identity for a component, you need to mark the certificat > **Note:** > -> - Starting from v8.4.0, the PD configuration item `cert-allowed-cn` supports multiple values. You can configure multiple `Common Name` in the `cluster-verify-cn` configuration item for TiDB and in the `cert-allowed-cn` configuration item for other components as needed. Note that TiUP uses a separate identifier when querying component status. For example, if the cluster name is `test`, TiUP uses `test-client` as the `Common Name`. +> - Starting from v8.4.0, the PD configuration item `cert-allowed-cn` supports multiple values. You can configure multiple `Common Name` in the `cluster-verify-cn` configuration item for TiDB and in the `cert-allowed-cn` configuration item for other components as needed. Note that TiUP uses a separate identifier when querying component status. For example, if the cluster name is `test`, TiUP uses `test-client` as the `Common Name`. > - For v8.3.0 and earlier versions, the PD configuration item `cert-allowed-cn` can only be set to a single value. Therefore, the `Common Name` of all authentication objects must be set to the same value. For related configuration examples, see [v8.3.0 documentation](https://docs.pingcap.com/tidb/v8.3/enable-tls-between-components). - TiDB
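Review bot: In the first patch's note hunk (`@@ -156,11 +156,12 @@`), the new text says TiUP uses `<cluster-name>-client` as its Common Name but does not say which components' allow-lists must contain it; the example lists further down put `test-client` only in the TiDB and PD lists, so readers cannot tell whether that is deliberate. Add one sentence stating which components TiUP connects to when querying status, so the lists can be derived rather than copied.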
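Review bot: In the first patch's TiDB hunk (`@@ -168,7 +169,7 @@`), `cluster-verify-cn = ["tidb", "test-client", "prometheus"]` hardcodes the cluster name `test` from the note's example, and the change from `TiDB` to lowercase `tidb` silently assumes certificates issued with these exact lowercase names. Say that `test-client` must become `<cluster-name>-client` for the reader's own cluster and that each listed value has to match the `Common Name` set when the certificate was generated, otherwise the callee rejects the connection.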
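Review bot: In the first patch's TiKV hunk (`@@ -177,7 +178,7 @@`), `cert-allowed-cn = ["tidb", "pd", "tikv", "tiflash", "prometheus"]` omits `test-client`, while the PD and TiDB lists include it. If TiUP's status query also reaches TiKV, those requests would be rejected with this list; either add the name or state in the text why TiKV does not need it.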
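Review bot: In the first patch's TiFlash hunk (`@@ -195,14 +196,14 @@`), the two lists differ from each other and from the TiKV list (`tiflash.toml` gets `["tidb", "tikv", "prometheus"]`, `tiflash-learner.toml` gets `["tidb", "tikv", "tiflash", "prometheus"]`, neither includes `pd`) without any explanation of how they were derived. A sentence before the examples stating that each list names the components that call the configured one would let readers adapt the lists instead of guessing.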
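Review bot: In the third patch's hunk (`@@ -160,8 +160,8 @@`), the first bullet attributes the multi-value support to PD's `cert-allowed-cn` from v8.4.0 but then tells readers to set multiple names in TiDB's `cluster-verify-cn` and in other components' `cert-allowed-cn` as well, which reads as if all of them changed; the removed note only ever limited PD to one value. Make it explicit that only PD had the single-value limitation, and write "multiple `Common Name` values" rather than "multiple `Common Name`".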
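Review bot: In the fourth patch's hunk (`@@ -156,7 +156,7 @@`), the rewritten sentence names `cluster-verify-cn` (in TiDB) and `cert-allowed-cn` (in other components), but the TiFlash example in the first patch uses `cert_allowed_cn` with underscores in `tiflash.toml` and `cert-allowed-cn` with hyphens only in `tiflash-learner.toml`. Mention the underscore spelling here, or readers will search the wrong key in the TiFlash configuration.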
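Review bot: In the fifth patch's hunk (`@@ -160,7 +160,7 @@`), the removed and added lines render identically, so the change is invisible (presumably whitespace or a punctuation character), and the commit message "Update enable-tls-between-components.md" does not say what was changed. State the actual change in the commit message so reviewers can verify it without diffing bytes.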