Will Droste11/13/2022, 4:15 PM
wey11/14/2022, 3:55 AM
```python
from nebula3.gclient.net import ConnectionPool
from nebula3.Config import Config
from nebula3.gclient.net.AuthResult import AuthResult
from nebula3.gclient.net.Session import Session

config = Config()
config.max_connection_pool_size = 10
connection_pool = ConnectionPool()
# client connecting to graphd
connection_pool.init([('127.0.0.1', 9669)], config)

session = connection_pool.get_session('root', 'nebula')
session_id = session._session_id

# simulate another client connecting to graphd2
connection_pool2 = ConnectionPool()
connection_pool2.init([('127.0.0.1', 49433)], config)
connection = connection_pool2.get_connection()
auth_result = AuthResult(session_id, 0, b'UTC')
session_from_evil = Session(connection, auth_result, connection_pool, True)
session_from_evil.execute("SHOW HOSTS")
# it worked!!!
# Out: ResultSet(keys: ['Host', 'Port', 'HTTP port', 'Status', 'Leader count', 'Leader distribution', 'Partition distribution', 'Version'], values: ["storaged0", 9779, 19779, "ONLINE", 9, "basketballplayer:3, moviegraph:3, test:3", "basketballplayer:3, moviegraph:3, test:3", "3.3.0"],["storaged1", 9779, 19779, "ONLINE", 9, "basketballplayer:3, moviegraph:3, test:3", "basketballplayer:3, moviegraph:3, test:3", "3.3.0"],["storaged2", 9779, 19779, "ONLINE", 12, "basketballplayer:4, moviegraph:4, test:4", "basketballplayer:4, moviegraph:4, test:4", "3.3.0"])
# In : session._session_id == session_from_evil._session_id
# Out: True
# In : session._connection == session_from_evil._connection
# Out: False
```
Will Droste
So can you just pass in the session ID into any connection?
wey
The interface does not seem to allow passing the sessionID yet (at least from the python client), but it's actually totally doable, as my test shows.
Will Droste
Is the session ID unique enough not to be a security concern? For instance, if you make a connection to Nebula, can somebody guess a session ID and just be doing
wey
Yes, unfortunately, this is doable. I don't have a security background; this looks very bad, or do you have any suggestions/expected behaviors in such a scenario?
Will Droste
Also though, from a resource perspective, it seems then I can re-connect and just keep using the same session ID, which is good considering that the default expiration for a session is 8hrs. From a security perspective though, if I can reuse the session ID and not have to auth, then there should be additional protections in place, like this session came from this IP address.
wey
Yes, the session being persistent in metaD came with the intuition to enable cross-client/cross-GraphD reuse of the auth context, but as you mentioned, maybe we should enable a strict mode to optionally add verification of source_IP etc. on this?
Will Droste11/14/2022, 2:50 PM
on the server side. If there is an anomaly or too many sessions are created it would be good to have a command to expire particular ones as well as all of them
interface the sessionId is passed here
```java
final var resp = client.executeWithParameter(sessionId, stmt.getBytes(UTF_8), parameterMap);
```
> optionally add verification of source_IP etc on this?
that would be my first approach to this, that a client must send the same session ID from the same IP. In my mind it would be easy to add to the GraphService.