Skip to content

Instantly share code, notes, and snippets.

@adamgoucher

adamgoucher/SecureNodeRegistration.md

Created December 8, 2019 19:59
Show Gist options
  • Star 0 You must be signed in to star a gist
  • Fork 0 You must be signed in to fork a gist
  • Save adamgoucher/5919cd54f751c5cbf28ab1bc9473513e to your computer and use it in GitHub Desktop.
Save adamgoucher/5919cd54f751c5cbf28ab1bc9473513e to your computer and use it in GitHub Desktop.
Download ZIP
Raw
SecureNodeRegistration.md

Secure Node Registration

Description

Right now, anyone who knows a Selenium Grid Hub node can register as a Node on it. This is is convenient, but also means a bad actor could register on your Hub and intercept your scripts. In order to counter this the Grid 4.x needs to be able to restrict node registration.

Possible Impementations

Puppet-esque

Puppet includes a Certificate Authority in the Server. When new nodes are brought online they contact the server with a new Certificate Signing Request. The administrator then needs to sign the request before communication can begin. And when the node is no longer under management, the certificate is removed from the server.

This approach is secure, but also likely more complicated than what Selenium needs. Especially since the Grid will often be scaled up and down causing certificates to be created and removed often. And only with involvement from a human. (Auto signing negates the benefit of this approach but addresses the elasticity problem.)

More information at https://puppet.com/docs/pe/2019.2/adding_and_removing_nodes.html

Filebeat-esque

Filebeat talks to Logstash using certificates, but the CA is managed outside of the server. Both sides of the connection have a private key and certificate as well as a certificate authority bundle. When certificate validation is enabled, connections are only made when all parts are signed by the CA.

This approach is the next step the recently merged HTTPS support, but does require a CA and makes it really hard to do Secure Node Registration on an HTTP Hub.

More information at https://www.elastic.co/guide/en/beats/filebeat/current/configuring-ssl-logstash.html

Shared Secret

A more low-key approach is to configure a shared secret on both the Hub and the Node(s) and only allow registration if the secrets match.

Recommendation

  • Secure Node Registration for 4.x should take the Shared Secret approach due to its ability to operate over both HTTP and HTTPS
  • Secure Node Registration should be optional in the 4.x series, and mandatory for 5.x and beyond
  • The Filebeat-esque approach should be re-evaluated should HTTP no longer be an option as it uses a lot of the same user-space scaffolding
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment