Connection settings

doc/book/admin/access_control.rst

@@ -90,7 +90,7 @@ There are two functions for managing passwords in Tarantool:
 
 *   :doc:`/reference/reference_lua/box_schema/user_password` returns a hash of a user's password.
 
-Tarantool Enterprise Edition also allows you to improve database security by enforcing the use of strong passwords, setting up a maximum password age, and so on. Learn more from the :ref:`Access control <enterprise-access-control>` section.
+Tarantool Enterprise Edition also allows you to improve database security by enforcing the use of strong passwords, setting up a maximum password age, and so on. Learn more from the :ref:`configuration_authentication` topic.
 
 
 

doc/code_snippets/snippets/config/instances.enabled/iproto_listen_address/config.yaml

@@ -0,0 +1,15 @@
+credentials:
+  users:
+    admin:
+      password: 'topsecret'
+      roles: [ super ]
+
+groups:
+  group001:
+    replicasets:
+      replicaset001:
+        instances:
+          instance001:
+            iproto:
+              listen:
+              - uri: '127.0.0.1:3301'

doc/code_snippets/snippets/config/instances.enabled/iproto_listen_address/instances.yml

@@ -0,0 +1 @@
+instance001:

doc/code_snippets/snippets/config/instances.enabled/iproto_listen_addresses/config.yaml

@@ -0,0 +1,16 @@
+credentials:
+  users:
+    admin:
+      password: 'topsecret'
+      roles: [ super ]
+
+groups:
+  group001:
+    replicasets:
+      replicaset001:
+        instances:
+          instance001:
+            iproto:
+              listen:
+              - uri: '127.0.0.1:3301'
+              - uri: '127.0.0.1:3302'

doc/code_snippets/snippets/config/instances.enabled/iproto_listen_addresses/instances.yml

@@ -0,0 +1 @@
+instance001:

doc/code_snippets/snippets/config/instances.enabled/iproto_listen_port/config.yaml

@@ -0,0 +1,15 @@
+credentials:
+  users:
+    admin:
+      password: 'topsecret'
+      roles: [ super ]
+
+groups:
+  group001:
+    replicasets:
+      replicaset001:
+        instances:
+          instance001:
+            iproto:
+              listen:
+              - uri: '3301'

doc/code_snippets/snippets/config/instances.enabled/iproto_listen_port/instances.yml

@@ -0,0 +1 @@
+instance001:

doc/code_snippets/snippets/config/instances.enabled/iproto_listen_socket/config.yaml

@@ -0,0 +1,15 @@
+credentials:
+  users:
+    admin:
+      password: 'topsecret'
+      roles: [ super ]
+
+groups:
+  group001:
+    replicasets:
+      replicaset001:
+        instances:
+          instance001:
+            iproto:
+              listen:
+              - uri: 'unix/:./var/run/{{ instance_name }}/tarantool.iproto'

doc/code_snippets/snippets/config/instances.enabled/iproto_listen_socket/instances.yml

@@ -0,0 +1 @@
+instance001:

doc/code_snippets/snippets/config/instances.enabled/security_auth_protocol/certs/generate.sh

@@ -0,0 +1,11 @@
+#!/usr/bin/env bash
+set -xeuo pipefail
+
+# 1. Generate an unencrypted server key.
+openssl genrsa -out server.key 2048
+
+# 2. Create a certificate signing request based on the server key.
+openssl req -new -key server.key -subj "/C=US/ST=State/L=City/O=Example-Certificates/CN=server/" -out server.csr
+
+# 3. Generate a server certificate.
+openssl x509 -req -in server.csr -signkey server.key -extfile <(printf "subjectAltName=DNS:localhost,IP:127.0.0.1") -days 365 -out server.crt

doc/code_snippets/snippets/config/instances.enabled/security_auth_protocol/certs/server.crt

@@ -0,0 +1,21 @@
+-----BEGIN CERTIFICATE-----
+MIIDhTCCAm2gAwIBAgIUM0cXJSowqJRoJlpwxgJBpS1V7KkwDQYJKoZIhvcNAQEL
+BQAwXDELMAkGA1UEBhMCVVMxDjAMBgNVBAgMBVN0YXRlMQ0wCwYDVQQHDARDaXR5
+MR0wGwYDVQQKDBRFeGFtcGxlLUNlcnRpZmljYXRlczEPMA0GA1UEAwwGc2VydmVy
+MCAXDTI0MDExMjE0MTc1NFoYDzIxMDAwMTAxMTQxNzU0WjBcMQswCQYDVQQGEwJV
+UzEOMAwGA1UECAwFU3RhdGUxDTALBgNVBAcMBENpdHkxHTAbBgNVBAoMFEV4YW1w
+bGUtQ2VydGlmaWNhdGVzMQ8wDQYDVQQDDAZzZXJ2ZXIwggEiMA0GCSqGSIb3DQEB
+AQUAA4IBDwAwggEKAoIBAQCekLkd2cXQfgRDBJK0LIEfzeH0C/AqQPr58qc3+A9i
+MxbPquzq/272QqAzT1YXYVHNjL0QzzE/1bt6cLcFPObd0XkDUbXQW1i2/BWI6ai3
+7FLs6qfo7MA+UQTA5a0jNrKGV1TctJae4dxxEQqnr+K2+EhbqWfS88Gf5+1kWvJq
+AyUN80Nzut7MgfAKPLEnQei7mGBk+UTo3SBNqq9RQL+AcIdl5UFSApmnzOFDCdiK
+qnw9ntIoJUIh+kAUPyNZ32aow9BBRC/9ibIBbvdsvGD7ONqewqdGC0xSa4Xx+XJn
+8lBTTFryc6D6C9KrRAV/Y7choK4Rsn2GLcnuRQ8FQifxAgMBAAGjPTA7MBoGA1Ud
+EQQTMBGCCWxvY2FsaG9zdIcEfwAAATAdBgNVHQ4EFgQU6oCAZ+kJ88rox7OFt/tr
+GIYQVFYwDQYJKoZIhvcNAQELBQADggEBABvev81NhG1DR5mS4UbpEvl6NGtcDE4H
+yVKPpI3gfdJ3etZhV2FQ7nZZzQcTaqsm2IMr336s+nb4wrqDkZJ+OhYsU1OgFF3b
+DM0BJ91YUeZz/redx7naxhawHn1BKXDvseNrH9C+XKa+1maK7bCYLkZZEtiOYZku
+yD4pfBx+A+zipas3iQdLiXDkg+qoY2OmO+9bo+tvV8zzVx7V0+8L/NU8bU2d/Dgb
+IuEPKc98hVx1W1v4RndrUmcneovbBEv82Y17RUqTi42TumsYjOjx/LvdD7RKBDZw
+XVtjKL+zwuge9rQU4sZMAwN/tHanOXAfWG6/LU5RNW87b8+YcwOxMVc=
+-----END CERTIFICATE-----

doc/code_snippets/snippets/config/instances.enabled/security_auth_protocol/certs/server.csr

@@ -0,0 +1,17 @@
+-----BEGIN CERTIFICATE REQUEST-----
+MIICoTCCAYkCAQAwXDELMAkGA1UEBhMCVVMxDjAMBgNVBAgMBVN0YXRlMQ0wCwYD
+VQQHDARDaXR5MR0wGwYDVQQKDBRFeGFtcGxlLUNlcnRpZmljYXRlczEPMA0GA1UE
+AwwGc2VydmVyMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAnpC5HdnF
+0H4EQwSStCyBH83h9AvwKkD6+fKnN/gPYjMWz6rs6v9u9kKgM09WF2FRzYy9EM8x
+P9W7enC3BTzm3dF5A1G10FtYtvwViOmot+xS7Oqn6OzAPlEEwOWtIzayhldU3LSW
+nuHccREKp6/itvhIW6ln0vPBn+ftZFryagMlDfNDc7rezIHwCjyxJ0Hou5hgZPlE
+6N0gTaqvUUC/gHCHZeVBUgKZp8zhQwnYiqp8PZ7SKCVCIfpAFD8jWd9mqMPQQUQv
+/YmyAW73bLxg+zjansKnRgtMUmuF8flyZ/JQU0xa8nOg+gvSq0QFf2O3IaCuEbJ9
+hi3J7kUPBUIn8QIDAQABoAAwDQYJKoZIhvcNAQELBQADggEBAF2jrSsrQyfET0Ux
+SEeuyJemaLp8CYGbaICDIpM5jvq43ZGDKzQWqZGgOe2QmKR4mOqe2ixr3duwjpaK
+Yd3eqQCMYkW9s5QdIs4AasQVMJXZ8uL5gIuFPtAT5BNa8GAhmpfUvHlLQeobZX4N
+NpYaZZTLvQkjqnxOU9OQfnQ/89sa5zi8+G9xgWPnu3BOBznZvWsqcIVPZAekafvd
+iP78wBWn9aF9CYrUvCmMmLgmwUe4BC3Lo4MvkosMFFH96oqrOPBztMv8swYGJBY8
+WFv1aJ8AtxpF9IGIDaP58TT0eEg/pDLGtPdaH4Q4TP9WkAs8Ybgn331xSmDDidLl
+WQFHHXY=
+-----END CERTIFICATE REQUEST-----

doc/code_snippets/snippets/config/instances.enabled/security_auth_protocol/certs/server.key

@@ -0,0 +1,28 @@
+-----BEGIN PRIVATE KEY-----
+MIIEvAIBADANBgkqhkiG9w0BAQEFAASCBKYwggSiAgEAAoIBAQCekLkd2cXQfgRD
+BJK0LIEfzeH0C/AqQPr58qc3+A9iMxbPquzq/272QqAzT1YXYVHNjL0QzzE/1bt6
+cLcFPObd0XkDUbXQW1i2/BWI6ai37FLs6qfo7MA+UQTA5a0jNrKGV1TctJae4dxx
+EQqnr+K2+EhbqWfS88Gf5+1kWvJqAyUN80Nzut7MgfAKPLEnQei7mGBk+UTo3SBN
+qq9RQL+AcIdl5UFSApmnzOFDCdiKqnw9ntIoJUIh+kAUPyNZ32aow9BBRC/9ibIB
+bvdsvGD7ONqewqdGC0xSa4Xx+XJn8lBTTFryc6D6C9KrRAV/Y7choK4Rsn2GLcnu
+RQ8FQifxAgMBAAECggEAM20OjK7faCImsbGe/s5cRntYZ/UjPCD9BOl88DsEij21
+jT6LPh//1eB/4oQ9kLGgfUDC5Nu9xk1EU46Q3SMGYTSZwcjTZbLqj9YsCc52SMhd
+kLb+JB38r3lJSGJ1B7GqrsVOIZJ0My1feFAlm4MAzYSyuv+zS4iA6KKorF6OtnCx
+RIvWTWrQM0yIxm8HBpNu1hFLqr7QV57u18pz6zSnBTd5VTYivQQkv7JWR5ci2Hry
+4yjVfwwh8Xcm8i8S+BZZ1hsVrVsoKmjMyqbj/Lrnx4/MsfCG3WQOL/ZP38w+z+Ds
+XptopV3/ZKC8Dnyf3x7HyJ0uDGD0fAzxtdCslk3TrQKBgQC1nzyDX2i/uZlhK+3T
+Nkj1LFakANY8yIY3AfPVJROuA+KERAkuTJfRfSxDUkE9QJyxy0S2DUSq2pOov33Q
+6NH0wNEjCFRoXGqCgkNPbwECwJtKQWwsrHHpZZCINH7TyWCUi9p4tcAzww7UyUDT
+JiJP7iOvxMCB8ebNca6rQ0xI+wKBgQDfgEj+PI8kXCP4qk2xcVJ+yOkwoSWoBS0s
+KBV5pGgbO12NPDHal5ZWLpCZMi3Cw0gObEj5mYbcj+fkmk9xKhuxtfo4DQaAP5y4
+VnoXsaAwryLqG/iby3zAFkspN+5hoD8hmDXHrqrqC7AOmPrrAHIQHdt11TCBheEY
+UuK+xrBXAwKBgE/+R4fRQPCYzW5YC9KoKTAbDDoFyFZTN5IIwR1SzD0rptv8n1KO
+F5wEFre8BdH1oE5KqgPJCkJ6LOj5FnAp6zdyqWpVo9+nPJ4ow3679GUC8iKdeAih
+FzbmLedfv7CGFIy4oEvkOThTJDgiP/P/6sLrrzoeXW+eXLqF5Jm39WR7AoGAYqSf
+Er6turGEGtMneUJ304dfDFyDXzXxqwSB/e8nF6XK83P22PCApMbmgQbZlZVU7zCx
+wKAXGq/U/Fty5pJcKMIVjrmI/f+VbvKT7nMyLWqO8V6pCjH0fF8aizWpW6M7Wdtx
+GRGpU6UW7kpsrF3E+gIDg201fGUXZQHoG6Vb3PsCgYBRgDDKXXD0dKqU9GzO/og7
+WpJOZqI+OZoG778aP2HqQ8z9m93nQ0NTzXK8rRNDSEbd+QFFf9s5Y5gjjK5bsNUJ
+mDziJ7B8tP2ecLcuO5DF2ro9nCPPYNixViKqZ1oJAFEIFetZzp7ZB6PFf7tcnXJ3
+aqTpCZBW2gL5iktwXYz+DA==
+-----END PRIVATE KEY-----

doc/code_snippets/snippets/config/instances.enabled/security_auth_protocol/config.yaml

@@ -0,0 +1,25 @@
+credentials:
+  users:
+    admin:
+      password: 'topsecret'
+      roles: [ super ]
+
+security:
+  auth_type: 'pap-sha256'
+
+groups:
+  group001:
+    replicasets:
+      replicaset001:
+        instances:
+          instance001:
+            iproto:
+              listen:
+              - uri: '127.0.0.1:3301'
+                params:
+                  transport: 'ssl'
+                  ssl_cert_file: 'certs/server.crt'
+                  ssl_key_file: 'certs/server.key'
+
+app:
+  file: 'myapp.lua'

doc/code_snippets/snippets/config/instances.enabled/security_auth_protocol/instances.yml

@@ -0,0 +1 @@
+instance001:

doc/code_snippets/snippets/config/instances.enabled/security_auth_protocol/myapp.lua

@@ -0,0 +1,10 @@
+function connect()
+    local connection = require('net.box').connect({
+        uri = 'admin:[email protected]:3301',
+        params = { auth_type = 'pap-sha256',
+                   transport = 'ssl',
+                   ssl_cert_file = 'certs/server.crt',
+                   ssl_key_file = 'certs/server.key' }
+    })
+    return connection
+end

doc/code_snippets/snippets/config/instances.enabled/security_auth_restrictions/config.yaml

@@ -0,0 +1,20 @@
+credentials:
+  users:
+    admin:
+      password: 'topsecret'
+      roles: [ super ]
+
+security:
+  auth_delay: 10
+  auth_retries: 2
+  disable_guest: true
+
+groups:
+  group001:
+    replicasets:
+      replicaset001:
+        instances:
+          instance001:
+            iproto:
+              listen:
+              - uri: '127.0.0.1:3301'

doc/code_snippets/snippets/config/instances.enabled/security_auth_restrictions/instances.yml

@@ -0,0 +1 @@
+instance001:

doc/code_snippets/snippets/config/instances.enabled/security_password_policy/config.yaml

@@ -0,0 +1,24 @@
+credentials:
+  users:
+    admin:
+      password: 'T0p_Secret_P@$$w0rd'
+      roles: [ super ]
+
+security:
+  password_min_length: 16
+  password_enforce_lowercase: true
+  password_enforce_uppercase: true
+  password_enforce_digits: true
+  password_enforce_specialchars: true
+  password_lifetime_days: 365
+  password_history_length: 3
+
+groups:
+  group001:
+    replicasets:
+      replicaset001:
+        instances:
+          instance001:
+            iproto:
+              listen:
+              - uri: '127.0.0.1:3301'

doc/code_snippets/snippets/config/instances.enabled/security_password_policy/instances.yml

@@ -0,0 +1 @@
+instance001:

doc/code_snippets/snippets/replication/instances.enabled/advertise_peer/config.yaml

@@ -0,0 +1,44 @@
+credentials:
+  users:
+    replicator:
+      password: 'topsecret'
+      roles: [replication]
+
+iproto:
+  advertise:
+    peer:
+      login: replicator
+
+replication:
+  failover: manual
+
+groups:
+  group001:
+    replicasets:
+      replicaset001:
+        leader: instance001
+        instances:
+          instance001:
+            iproto:
+              listen:
+              - uri: '127.0.0.1:3301'
+              - uri: '127.0.0.1:4401'
+              advertise:
+                peer:
+                  uri: '127.0.0.1:4401'
+          instance002:
+            iproto:
+              listen:
+              - uri: '127.0.0.1:3302'
+              - uri: '127.0.0.1:4402'
+              advertise:
+                peer:
+                  uri: '127.0.0.1:4402'
+          instance003:
+            iproto:
+              listen:
+              - uri: '127.0.0.1:3303'
+              - uri: '127.0.0.1:4403'
+              advertise:
+                peer:
+                  uri: '127.0.0.1:4403'

doc/code_snippets/snippets/replication/instances.enabled/advertise_peer/instances.yml

@@ -0,0 +1,3 @@
+instance001:
+instance002:
+instance003:

doc/code_snippets/snippets/replication/instances.enabled/ssl/README.md → doc/code_snippets/snippets/replication/instances.enabled/ssl_with_ca/README.md

@@ -1,4 +1,4 @@
-# TLS traffic encryption
+# SSL (with CA)
 
 A sample application demonstrating how to enable TLS traffic encryption for connections between replica set peers.
 
@@ -7,5 +7,5 @@ A sample application demonstrating how to enable TLS traffic encryption for conn
 To start all instances, execute the following command in the [replication](../../../replication) directory:
 
 ```console
-$ tt start ssl
+$ tt start ssl_with_ca
 ```

doc/code_snippets/snippets/replication/instances.enabled/ssl/certs/generate.sh → doc/code_snippets/snippets/replication/instances.enabled/ssl_with_ca/certs/generate.sh

@@ -26,4 +26,4 @@ cp server001.crt server001.key instance001
 cp server002.crt server002.key instance002
 cp server003.crt server003.key instance003
 
-rm -rf root_ca.key server*
+rm -rf server*

doc/code_snippets/snippets/replication/instances.enabled/ssl/config.yaml → doc/code_snippets/snippets/replication/instances.enabled/ssl_with_ca/config.yaml

@@ -7,19 +7,17 @@ credentials:
       password: 'topsecret'
       roles: [replication]
 
-iproto:
-  advertise:
-    peer:
-      login: replicator
-
-replication:
-  failover: manual
-
 groups:
   group001:
     replicasets:
       replicaset001:
+        replication:
+          failover: manual
         leader: instance001
+        iproto:
+          advertise:
+            peer:
+              login: replicator
         instances:
           instance001:
             iproto:

doc/code_snippets/snippets/replication/instances.enabled/ssl_without_ca/README.md

@@ -0,0 +1,11 @@
+# SSL (without CA)
+
+A sample application demonstrating how to enable TLS traffic encryption for connections between replica set peers.
+
+## Running
+
+To start all instances, execute the following command in the [replication](../../../replication) directory:
+
+```console
+$ tt start ssl_without_ca
+```

doc/code_snippets/snippets/replication/instances.enabled/ssl_without_ca/certs/generate.sh

@@ -0,0 +1,11 @@
+#!/usr/bin/env bash
+set -xeuo pipefail
+
+# 1. Generate an unencrypted server key.
+openssl genrsa -out server.key 2048
+
+# 2. Create a certificate signing request based on the server key.
+openssl req -new -key server.key -subj "/C=US/ST=State/L=City/O=Example-Certificates/CN=server/" -out server.csr
+
+# 3. Generate a server certificate.
+openssl x509 -req -in server.csr -signkey server.key -extfile <(printf "subjectAltName=DNS:localhost,IP:127.0.0.1") -days 365 -out server.crt

doc/code_snippets/snippets/replication/instances.enabled/ssl_without_ca/certs/server.crt

@@ -0,0 +1,21 @@
+-----BEGIN CERTIFICATE-----
+MIIDhTCCAm2gAwIBAgIUM0cXJSowqJRoJlpwxgJBpS1V7KkwDQYJKoZIhvcNAQEL
+BQAwXDELMAkGA1UEBhMCVVMxDjAMBgNVBAgMBVN0YXRlMQ0wCwYDVQQHDARDaXR5
+MR0wGwYDVQQKDBRFeGFtcGxlLUNlcnRpZmljYXRlczEPMA0GA1UEAwwGc2VydmVy
+MCAXDTI0MDExMjE0MTc1NFoYDzIxMDAwMTAxMTQxNzU0WjBcMQswCQYDVQQGEwJV
+UzEOMAwGA1UECAwFU3RhdGUxDTALBgNVBAcMBENpdHkxHTAbBgNVBAoMFEV4YW1w
+bGUtQ2VydGlmaWNhdGVzMQ8wDQYDVQQDDAZzZXJ2ZXIwggEiMA0GCSqGSIb3DQEB
+AQUAA4IBDwAwggEKAoIBAQCekLkd2cXQfgRDBJK0LIEfzeH0C/AqQPr58qc3+A9i
+MxbPquzq/272QqAzT1YXYVHNjL0QzzE/1bt6cLcFPObd0XkDUbXQW1i2/BWI6ai3
+7FLs6qfo7MA+UQTA5a0jNrKGV1TctJae4dxxEQqnr+K2+EhbqWfS88Gf5+1kWvJq
+AyUN80Nzut7MgfAKPLEnQei7mGBk+UTo3SBNqq9RQL+AcIdl5UFSApmnzOFDCdiK
+qnw9ntIoJUIh+kAUPyNZ32aow9BBRC/9ibIBbvdsvGD7ONqewqdGC0xSa4Xx+XJn
+8lBTTFryc6D6C9KrRAV/Y7choK4Rsn2GLcnuRQ8FQifxAgMBAAGjPTA7MBoGA1Ud
+EQQTMBGCCWxvY2FsaG9zdIcEfwAAATAdBgNVHQ4EFgQU6oCAZ+kJ88rox7OFt/tr
+GIYQVFYwDQYJKoZIhvcNAQELBQADggEBABvev81NhG1DR5mS4UbpEvl6NGtcDE4H
+yVKPpI3gfdJ3etZhV2FQ7nZZzQcTaqsm2IMr336s+nb4wrqDkZJ+OhYsU1OgFF3b
+DM0BJ91YUeZz/redx7naxhawHn1BKXDvseNrH9C+XKa+1maK7bCYLkZZEtiOYZku
+yD4pfBx+A+zipas3iQdLiXDkg+qoY2OmO+9bo+tvV8zzVx7V0+8L/NU8bU2d/Dgb
+IuEPKc98hVx1W1v4RndrUmcneovbBEv82Y17RUqTi42TumsYjOjx/LvdD7RKBDZw
+XVtjKL+zwuge9rQU4sZMAwN/tHanOXAfWG6/LU5RNW87b8+YcwOxMVc=
+-----END CERTIFICATE-----