Will Droste
11/13/2022, 4:15 PMwey
11/14/2022, 3:55 AMfrom <http://nebula3.gclient.net|nebula3.gclient.net> import ConnectionPool
from nebula3.Config import Config
config = Config()
config.max_connection_pool_size = 10
connection_pool = ConnectionPool()
# client connecting to graphd
connection_pool.init([('127.0.0.1', 9669)], config)
from nebula3.gclient.net.AuthResult import AuthResult
from nebula3.gclient.net.Session import Session
session = connection_pool.get_session('root', 'nebula')
session_id = session._session_id
# simulate another client connecting to graphd2
connection_pool2 = ConnectionPool()
connection_pool2.init([('127.0.0.1', 49433)], config)
connection = connection_pool2.get_connection()
auth_result = AuthResult(session_id, 0, b'UTC')
session_from_evil = Session(connection, auth_result, connection_pool, True)
session_from_evil.execute("SHOW HOSTS")
# it worked!!!
# Out[28]: ResultSet(keys: ['Host', 'Port', 'HTTP port', 'Status', 'Leader count', 'Leader distribution', 'Partition distribution', 'Version'], values: ["storaged0", 9779, 19779, "ONLINE", 9, "basketballplayer:3, moviegraph:3, test:3", "basketballplayer:3, moviegraph:3, test:3", "3.3.0"],["storaged1", 9779, 19779, "ONLINE", 9, "basketballplayer:3, moviegraph:3, test:3", "basketballplayer:3, moviegraph:3, test:3", "3.3.0"],["storaged2", 9779, 19779, "ONLINE", 12, "basketballplayer:4, moviegraph:4, test:4", "basketballplayer:4, moviegraph:4, test:4", "3.3.0"])
# In [31]: session._session_id == session_from_evil._session_id
# Out[31]: True
# In [32]: session._connection == session_from_evil._connection
# Out[32]: False
So can you just pass in theThe interface seems not yet allow passing(at least from python client) sessionID, but it’s actually totally doable as my test.in to any connection?sessoinId
Is the session ID unique enough not be a security concern. For instance if you make a connection to Nebula can somebody guess aYes, unfortunately, this is doable, I don’t have security background, this looks very bad or, do you have any suggestions/expected behaviors in such scenario?just be doingsessionId
statements?YIELD 1
Also though from a resource perspective it seems then I can re-connect and just keep using the same session ID, which is good considering that the default expiration for a session is 8hrs. From a security perspective though if I can reuse the session ID and not have to auth then there should be additional protections in place like this session came from this IP addresss. (edited)Yes, the session to be persistent in metaD came with the intuition to enable cross-client/cross GraphD reuse auth context, but as you mentioned, maybe we should enable strict mode to optionally add verification of source_IP etc on this?
Will Droste
11/14/2022, 2:50 PMsession
on the server side. If there is an anomaly or too many sessions are created it would be good to have a command to expire particular ones as well as all of themthrift
interface the sessionId is passed herefinal var resp = client.executeWithParameter(sessionId, stmt.getBytes(UTF_8), parameterMap);
optionally add verification of source_IP etc on this?
that would be my first approach to this, that a client must send the same session ID from the same IP. In my mind it would be easy to add to the GraphService.wey
11/15/2022, 7:24 AM