Type: Task
Status: Done
Priority: High
Resolution: Fixed
Affects Version/s: None
Fix Version/s: 3.6.0
Component/s: Documentation
Labels: None
This needs to go into the docs, together with practical examples:
<pre>
CMDB integration.
Bundle server access_rules can now accept new constraints for each
entry: "admit_ips", "admit_hostnames", "admit_keys". The previous generic
"admit" constraint is deprecated, and the new ones do not accept generic
regular expressions as it used to.
The new thing is mostly in admit_keys. We can restrict specific files to
be accessible to specific hosts, not based on their IP address or
hostname, but based on their RSA key.
If the resource_type is "path" (default) then the promiser can now be a
path containing the special strings "$(connection.ip)",
"$(connection.fqdn)", "$(connection.key)". By writing an access rule like
that, we can allow host-specific filenames to be accessible only to the
relevant hosts. Example:
"/var/cfengine/cmdb/$(connection.key).json"
shortcut => "me.json",
admit_keys =>
;
Moreover, notice the new "shortcut" constraint. This allows the agent to
request a file by its shortcut, and expansion takes place on the
server according to this constraint in bundle server access_rules. This
is only for ease of use, a file can always be requested with its
absolute path.
The server tries to find an expansion for the first part of every
non-absolute (a.k.a. relative...) request path. E.g. the source file
"masterdir/failsafe.cf" will be served by the server, only if you have
defined an ACL entry with shortcut=>"masterdir".
</pre>
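
The constraints described in the note above, written out as an added example in CFEngine policy (not taken from the ticket or from the CFEngine project). The subnet, domain, audit file, key digest placeholder, agent-side bundle and body names, and the value given to admit_keys in the per-host rule are assumptions.

```cf3
# Added example. Addresses, domain and key digest are constructed placeholders.
bundle server access_rules()
{
  access:

    # Policy directory: restricted by source address and by hostname.
    # Agents may request "masterdir/failsafe.cf"; the server expands the
    # first path component through the shortcut.
    "/var/cfengine/masterfiles"
      shortcut        => "masterdir",
      admit_ips       => { "192.0.2.0/24" },
      admit_hostnames => { ".example.com" };

    # Per-host CMDB file: the promiser is expanded with the connecting
    # host's key, so each host can only reach the file named after its own
    # key, regardless of its IP address or hostname.
    # (The admit_keys value here is an assumption; the ticket text omits it.)
    "/var/cfengine/cmdb/$(connection.key).json"
      shortcut   => "me.json",
      admit_keys => { "$(connection.key)" };

    # A single file readable by exactly one host, identified by its key.
    # Replace the placeholder with that host's real key digest.
    "/var/cfengine/cmdb/audit.json"
      admit_keys => { "SHA=PLACEHOLDER_KEY_DIGEST" };
}

# Agent side (hypothetical bundle name): request the file by its shortcut.
bundle agent fetch_cmdb
{
  files:
    "$(sys.workdir)/state/me.json"
      copy_from => cmdb_copy("me.json");
}

# Hypothetical copy_from body: fetch from the policy hub over an
# encrypted connection and compare by digest before copying.
body copy_from cmdb_copy(from)
{
  source  => "$(from)";
  servers => { "$(sys.policy_hub)" };
  compare => "digest";
  encrypt => "true";
}
```

Because the per-host rule is keyed on the connection's RSA key, a host that changes address or spoofs a hostname still resolves "me.json" only to the file named after its own key.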