Issues Encountered in Security Audits of Accounts in TiDB Clusters

Note:
This topic has been translated from a Chinese forum by GPT and might contain errors.

Original topic: tidb集群中的账号在安全审计中遇到的问题

| username: ablewang_xiaobo

The security audit of the customer’s project today raised the following requirements regarding the TiDB cluster accounts. Please refer to them together:

  1. The purpose of the tidb-installer account, and whether it can be deleted.
  2. The permissions of the tidb and tidb-installer accounts in the /etc/sudoers file are required to be rectified as follows:
    tidb-installer ALL=(ALL) NOPASSWD: ALL
    Defaults: tidb-installer !requiretty
    tiup ALL=(ALL) NOPASSWD: ALL
    Defaults: tiup !requiretty
    tidb ALL=(ALL) NOPASSWD: ALL
  3. However, the deployment of TiDB uses the tidb account, and it is required to change the password regularly in the future. It is unclear what impact this will have.

| username: Billmay表妹 | Original post link

You can take a look at these two contents~

| username: h5n1 | Original post link

  1. Actually, using just one TiDB user is enough for deployment.
  2. We still don’t know how to set up passwordless sudo. On our machines, we temporarily grant this permission for a few days and then revoke it. When needed, we apply for it again. This permission is indeed quite significant.
  3. Changing the password doesn’t have much impact. Not everything relies on passwordless SSH. For some operations, like scaling up or down, you can manually enter the password once with -u tidb -p. The requirement is that the TiDB user password should be the same across all involved nodes.

| username: wuxiangdong | Original post link

Regularly changing passwords has no impact; previously, the Oracle account in Oracle RAC also required regular password changes.

| username: ablewang_xiaobo | Original post link

I was wondering if setting up passwordless access to specify which specific commands it can execute would be sufficient, or if further verification is needed.

| username: ablewang_xiaobo | Original post link

Okay, thank you.

| username: h5n1 | Original post link

The clusters I deployed have never been set up for passwordless access; they all use username + password.

| username: tidb狂热爱好者 | Original post link

This user can be deleted.

| username: Raymond | Original post link

  1. But is the tidb account used for deploying tidb, and will there be any impact if the password needs to be changed regularly? —> No impact. The tidb user of the OS is used for deployment, and changing the OS tidb user’s password has no impact. After establishing mutual trust, the tidb password can be changed regularly.

| username: system | Original post link

This topic was automatically closed 60 days after the last reply. New replies are no longer allowed.
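
An added example, not part of the thread and not TiDB or TiUP code: a small Python audit that parses sudoers-style rules like those quoted in the first post and lists the accounts holding passwordless, unrestricted sudo as root or ALL. It assumes single-host rules with comma-separated commands; the `deploy` rule and its command are constructed for contrast.

```python
import re

# Constructed sample: the sudoers lines quoted in the first post, plus one
# hypothetical command-restricted rule (`deploy`, example.service are assumptions).
SAMPLE = """\
tidb-installer ALL=(ALL) NOPASSWD: ALL
Defaults: tidb-installer !requiretty
tiup ALL=(ALL) NOPASSWD: ALL
Defaults: tiup !requiretty
tidb ALL=(ALL) NOPASSWD: ALL
deploy ALL=(root) NOPASSWD: /usr/bin/systemctl restart example.service
"""

RULE = re.compile(r"^(\S+)\s+\S+\s*=\s*(?:\(([^)]*)\)\s*)?(.+)$")
TAG = re.compile(r"^([A-Z_]+)\s*:\s*")  # NOPASSWD:, PASSWD:, NOEXEC:, ...

def logical_lines(text):
    """Join backslash continuations, drop comments and blank lines."""
    for raw in re.sub(r"\\\n", " ", text).splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            yield line

def parse_rule(line):
    """Return (user, runas, [(command, nopasswd)]) or None for Defaults/alias lines."""
    if line.startswith("Defaults") or line.split()[0].endswith("_Alias"):
        return None
    m = RULE.match(line)
    if not m:
        return None
    user, runas, rest = m.group(1), m.group(2) or "root", m.group(3)
    nopasswd, cmds = False, []
    for cmd in (c.strip() for c in rest.split(",")):
        while (t := TAG.match(cmd)):  # a tag stays in force for later commands
            if t.group(1) in ("NOPASSWD", "PASSWD"):
                nopasswd = t.group(1) == "NOPASSWD"
            cmd = cmd[t.end():]
        cmds.append((cmd, nopasswd))
    return user, runas, cmds

def audit(text):
    """Accounts that may run ALL commands as root/ALL without a password."""
    flagged = set()
    for rule in filter(None, map(parse_rule, logical_lines(text))):
        user, runas, cmds = rule
        runas_users = {u.strip() for u in runas.split(":")[0].split(",")}
        if runas_users & {"ALL", "root"} and any(c == "ALL" and np for c, np in cmds):
            flagged.add(user)
    return sorted(flagged)
```

Running `audit(SAMPLE)` flags `tidb`, `tidb-installer` and `tiup`, while the command-restricted `deploy` rule passes.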