Uploaded image for project: 'CFEngine Community'
  1. CFEngine Community
  2. CFE-3448

Allow restricting copy_from sources by key (copyfrom_restrict_keys)

    XMLWordPrintable

    Details

    • Type: Story
    • Status: Done
    • Priority: High
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: 3.20.0
    • Component/s: cf-agent
    • Labels:
      None
    • Story Points:
      3

      Description

      When we have a policy server that fetches files itself from another policy server, it seems there is currently no way to ensure we are talking to the right server, as trust is established with all served nodes. One of the trusted served nodes could take the upstream policy server's IP (or poison DNS) and the policy server would copy files without error, allowing it to take control of all served nodes.

      This PR proposes a new setting global to the agent allowing to restrict by key the set of servers we can copy_from. It acts more or less like an admit_key for client side.

      It is usable with:

      body agent control {
        copyfrom_restrict_keys => { "MD5=9a779d955ea244a9ab7c03dcacad75e6" };
      }
      

        Attachments

          Release management

            Issue Links

              Activity

                People

                Assignee:
                vpodzime Vratislav Podzimek
                Reporter:
                amousset Alexis Mousset
                Votes:
                1 Vote for this issue
                Watchers:
                5 Start watching this issue

                  Dates

                  Created:
                  Updated:
                  Resolved: