Skip to content

Security: bkeroackdsc/rqlite

Security

SECURITY.md

Securing rqlite

rqlite can be secured in various way, and at different levels of control.

File system security

You are responsible for securing access to the SQLite databases. There is no reason for any user to directly access the SQLite file, for rqlite to work correctly.

Network security

Each rqlite node listens on 2 TCP ports -- one for the HTTP API, and the other for intra-cluster communications. Only the API port need be reachable from outside the cluster.

So, if possible, configure the network such that the Raft port on each node is only accessible from other nodes in the cluster. There is no need for the Raft port to be accessible by rqlite clients.

If the IP addresses (or subnets) of rqlite clients is also known, it may also be possible to limit access to the HTTP API from those addresses only.

AWS EC2 Security Groups, for example, support all this functionality. So if running rqlite in the AWS EC2 cloud you can implement this level of security at the network level.

HTTPS API

rqlite supports HTTPS access, ensuring that all communication between clients and a cluster is encrypted.

Basic Auth

The HTTP API supports Basic Auth. Each rqlite node can be passed a JSON-formatted configuration file, which configures valid usernames and associated passwords for that node.

Since the configuration file only controls the node local to it, it's important to ensure the configuration is correct on each node.

User-level permissions

rqlite, via the configuration file, also supports user-level permissions. Each user can be granted one or more of the following permissions:

  • all: user can perform all operations on a node.
  • execute: user may access the execute endpoint.
  • query: user may access the query endpoint.
  • backup: user may perform backups.
  • status: user can retrieve status information from the node.
  • join: user can join a cluster. In practice only a node joins a cluster.

Example configuration file

An example configuration file is shown below.

[
  {
    "username": "bob",
    "password": "secret1",
    "perms": ["all"]
  },
  {
    "username": "mary",
    "password": "secret2",
    "perms": ["query"]
  }
]

This configuration file sets authentication for two usernames, bob and mary, and it sets a password for each. No other users will be able to access the cluster.

This configuration also sets permissions for both users. bob has permission to perform all operations, and mary can only query the cluster.

Secure cluster example

Starting a node with HTTPS enabled and with the above configuration file. It is assumed the X.509 certificate and key are at the paths server.crt and key.pem respectively.

rqlited -auth config.json -x509cert server.crt -x509key key.pem ~/node.1

Bringing up a second node, joining it to the first node.

rqlited -auth config.json -http localhost:4003 -x509cert server.crt \
-x509key key.pem -raft :4004 -join https://bob:secret1@localhost:4001 \
~/node.2

Querying the node, as user mary.

curl -G 'https://mary:secret2@localhost:4001/db/query?pretty&timings' \
--data-urlencode 'q=SELECT * FROM foo'

There aren’t any published security advisories