Patroni
Security Considerations
A Patroni cluster has two interfaces to be protected from unauthorized access: the distributed configuration storage (DCS) and the Patroni REST API.
Protecting DCS
Patroni and patronictl both store and retrieve data to/from the DCS.
Despite DCS doesn’t contain any sensitive information, it allows changing some of Patroni/Postgres configuration. Therefore the very first thing that should be protected is DCS itself.
The details of protection depend on the type of DCS used. The authentication and encryption parameters (tokens/basic-auth/client certificates) for the supported types of DCS are covered in settings.
The general recommendation is to enable TLS for all DCS communication.
Protecting the REST API
Protecting the REST API is a more complicated task.
The Patroni REST API is used by Patroni itself during the leader race, by the patronictl tool in order to perform failovers/switchovers/reinitialize/restarts/reloads, by HAProxy or any other kind of load balancer to perform HTTP health checks, and of course could also be used for monitoring.
From the point of view of security, REST API contains safe (GET
requests, only retrieve information) and unsafe (PUT
, POST
, PATCH
and DELETE
requests, change the state of nodes) endpoints.
The unsafe endpoints can be protected with HTTP basic-auth by setting the restapi.authentication.username
and restapi.authentication.password
parameters. There is no way to protect the safe endpoints without enabling TLS.
When TLS for the REST API is enabled and a PKI is established, mutual authentication of the API server and API client is possible for all endpoints.
The restapi
section parameters enable TLS client authentication to the server. Depending on the value of the verify_client
parameter, the API server requires a successful client certificate verification for both safe and unsafe API calls (verify_client:
), or for no API calls (+ ``+required
), or only for unsafe API calls (verify_client:
+ ``+optionalverify_client:`
+ ``+none`).
The ctl
section parameters enable TLS server authentication to the client (the patronictl tool which uses the same config as patroni). Set insecure:`
+ ``+true` to disable the server certificate verification by the client. See settings for a detailed description of the TLS client parameters.
Protecting the PostgreSQL database proper from unauthorized access is beyond the scope of this document and is covered in https://www.postgresql.org/docs/current/client-authentication.html
© Copyright 2015 Compose, Zalando SE. Revision 3d527f57
.
Built with Sphinx using a theme provided by Read the Docs.
Read the Docs v: master