CFEngine Community: CFE-1661

admit_ips doesn't work as expected


Details

• Type: Bug
• Status: Done
• Priority: Blocker
• Resolution: Fixed
• Affects Version/s: None
• Fix Version/s: 3.6.2
• Component/s: cf-serverd
• Labels: None

      Description

      Hello.

It seems that regardless of what's in admit_ips, clients are being denied. That includes IP addresses with and without a mask, and 0.0.0.0/0. Here is an example of the configuration (the rest is no different from the default configuration found in the Debian package cfengine-community version 3.6.1-1 at your repository):

<pre>
def.cf:

bundle common def
{
  vars:
    any::
      [...]
      "trustkeysfrom" slist => {
        # "0.0.0.0/0",
      },

      "trusted_ips" slist => {
        "10.0.0.2",
        # "0.0.0.0/0",
      },
      comment => "Trusted IPs";
      [...]
}

controls/cf_serverd.cf:

bundle server access_rules()
{
  vars:
    enterprise::
      "query_types" slist => { "delta", "rebase", "full" };

  access:
    any::
      "$(def.dir_masterfiles)"
        handle => "server_access_grant_access_policy",
        comment => "Grant access to the policy updates",
        admit_ips => { @(def.trusted_ips) };
      [...]
}
</pre>

      Clients are being denied with:
      <pre>
      2014-08-27T18:09:05+0000 info: 10.0.0.2> Accepting connection
      2014-08-27T18:09:05+0000 verbose: 10.0.0.2> Setting socket timeout to 600 seconds.
      2014-08-27T18:09:05+0000 verbose: 10.0.0.2> Peeked CAUTH in TCP stream, considering the protocol as Classic
      2014-08-27T18:09:05+0000 verbose: 10.0.0.2> Peer's identity is: MD5=2eb0fab257853f9b7093a3ecffac1788
      2014-08-27T18:09:05+0000 verbose: 10.0.0.2> A public key was already known from vm3/10.0.0.2 - no trust required
      2014-08-27T18:09:05+0000 verbose: 10.0.0.2> The public key identity was confirmed as root@vm3
      2014-08-27T18:09:05+0000 verbose: 10.0.0.2> Authentication of client vm3/10.0.0.2 achieved
      2014-08-27T18:09:05+0000 verbose: 10.0.0.2> Filename /var/cfengine/masterfiles is resolved to /var/cfengine/masterfiles
      2014-08-27T18:09:05+0000 verbose: 10.0.0.2> Found a matching rule in access list (/var/cfengine/masterfiles in /var/cfengine/masterfiles)
      2014-08-27T18:09:05+0000 info: 10.0.0.2> Host vm3 denied access to /var/cfengine/masterfiles
      2014-08-27T18:09:05+0000 info: 10.0.0.2> Access control in sync
      2014-08-27T18:09:05+0000 verbose: 10.0.0.2> REFUSAL to (user=root,ip=10.0.0.2) of request: SYNCH 1409162975 STAT /var/cfengine/masterfiles
      2014-08-27T18:09:05+0000 info: 10.0.0.2> Closed connection, terminating thread
      </pre>
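An added triage script (not part of this report or of CFEngine's own code) that parses cf-serverd log lines in the format shown above, finds clients that authenticated and were still denied, and checks each denied IP against an admit_ips list so an administrator can tell which denials the configured policy does not explain. The function names and the IP/CIDR matching used here are this example's assumptions, not cf-serverd's implementation.

```python
import ipaddress
import re

# Sample input taken from the log lines in the report above.
SAMPLE_LOG = """\
2014-08-27T18:09:05+0000 verbose: 10.0.0.2> Authentication of client vm3/10.0.0.2 achieved
2014-08-27T18:09:05+0000 verbose: 10.0.0.2> Found a matching rule in access list (/var/cfengine/masterfiles in /var/cfengine/masterfiles)
2014-08-27T18:09:05+0000 info: 10.0.0.2> Host vm3 denied access to /var/cfengine/masterfiles
2014-08-27T18:09:05+0000 verbose: 10.0.0.2> REFUSAL to (user=root,ip=10.0.0.2) of request: SYNCH 1409162975 STAT /var/cfengine/masterfiles
"""

# "<timestamp> <level>: <client ip>> <message>"
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<level>\w+): (?P<ip>[0-9a-fA-F.:]+)> (?P<msg>.*)$")
DENIED_RE = re.compile(r"^Host (?P<host>\S+) denied access to (?P<path>\S+)$")


def admit_entry_matches(entry: str, client_ip: str) -> bool:
    """True if client_ip falls inside one admit_ips entry.
    A bare address such as "10.0.0.2" is treated as a /32; "0.0.0.0/0" admits everything.
    (Assumed matching semantics for this example, not cf-serverd's code.)"""
    net = ipaddress.ip_network(entry, strict=False)
    return ipaddress.ip_address(client_ip) in net


def ip_is_admitted(admit_ips, client_ip: str) -> bool:
    return any(admit_entry_matches(e, client_ip) for e in admit_ips)


def find_unexplained_denials(log_text: str, admit_ips):
    """Return (ip, host, path) for each denial where the client had already
    authenticated and its IP is covered by admit_ips, i.e. the policy as
    written should have admitted it."""
    authenticated = set()
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ip, msg = m.group("ip"), m.group("msg")
        if msg.startswith("Authentication of client") and msg.endswith("achieved"):
            authenticated.add(ip)
        d = DENIED_RE.match(msg)
        if d and ip in authenticated and ip_is_admitted(admit_ips, ip):
            findings.append((ip, d.group("host"), d.group("path")))
    return findings


if __name__ == "__main__":
    for ip, host, path in find_unexplained_denials(SAMPLE_LOG, ["10.0.0.2"]):
        print("admit_ips covers %s, yet %s was denied %s" % (ip, host, path))
```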

People

• Assignee: Edward Welbourne (Inactive)
• Reporter: egor E M