[CFE-3448] Allow restricting copy_from sources by key (copyfrom_restrict_keys) - Northern.tech AS

XML

Word

Printable

Details

Type: Story
Status: Done
Priority: High
Resolution: Fixed
Affects Version/s: None
Fix Version/s: 3.20.0
Component/s: cf-agent
Labels:
None

Story Points:
3

Description

When we have a policy server that fetches files itself from another policy server, it seems there is currently no way to ensure we are talking to the right server, as trust is established with all served nodes. One of the trusted served nodes could take the upstream policy server's IP (or poison DNS) and the policy server would copy files without error, allowing it to take control of all served nodes.

This PR proposes a new setting global to the agent allowing to restrict by key the set of servers we can copy_from. It acts more or less like an admit_key for client side.

It is usable with:

body agent control {
  copyfrom_restrict_keys => { "MD5=9a779d955ea244a9ab7c03dcacad75e6" };
}

Attachments

Release management

Issue Links

relates to

CFE-3923 Allow cf-agent to limit the hosts from which it can copy based on ip address

Open

CFE-3924 Allow cf-agent to limit the hosts from which it can copy based on hostname

Open

CFE-3926 Documentation for copyfrom_restrict_keys

Done

Activity

People

Assignee:: Vratislav Podzimek

Reporter:: Alexis Mousset

Votes:: 1 Vote for this issue

Watchers:: 5 Start watching this issue

Dates

Created:: 06/Oct/20 7:12 PM

Updated:: 01/Apr/22 5:53 PM

Resolved:: 24/Feb/22 3:12 PM