CFE-3448

Allow restricting copy_from sources by key

    Details

    • Type: Story
    • Status: Open
    • Priority: (None)
    • Resolution: Unresolved
    • Affects Version/s: None
    • Fix Version/s: None
    • Component/s: cf-agent
    • Labels:
      None

      Description

      When we have a policy server that fetches files itself from another policy server, it seems there is currently no way to ensure we are talking to the right server, as trust is established with all served nodes. One of the trusted served nodes could take the upstream policy server's IP (or poison DNS) and the policy server would copy files without error, allowing it to take control of all served nodes.

      This PR proposes a new setting, global to the agent, that allows restricting by key the set of servers we can copy_from. It acts more or less like an admit_key for the client side.

      It is usable with:

      body agent control {
        copyfrom_restrict_keys => { "MD5=9a779d955ea244a9ab7c03dcacad75e6" };
      }
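
The trust decision described in this ticket, as an added example that is not part of the original issue and is not CFEngine source code: a simplified Python model in which a mid-tier policy server trusts both its upstream and its served nodes. The function names, the constructed served-node digest, the case-insensitive comparison and the rule that an empty list means "no restriction" are assumptions of the model.

```python
# Added illustration: a simplified model of the check, not CFEngine source code.
UPSTREAM_KEY = "MD5=9a779d955ea244a9ab7c03dcacad75e6"  # digest from the ticket's example
SERVED_NODE_KEY = "MD5=" + "0" * 31 + "1"              # constructed sample value


def normalize(digest):
    """Canonical form ALGO=hex; case-insensitive matching is a model assumption."""
    algo, _, hexpart = digest.strip().partition("=")
    return algo.upper() + "=" + hexpart.lower()


def may_copy_from(peer_key, trusted_keys, restrict_keys=()):
    """Decide whether a copy from a peer presenting peer_key may proceed.

    trusted_keys: every key this host has accepted. On a policy server this
    includes all served nodes, which is the gap the ticket describes.
    restrict_keys: model of the proposed copyfrom_restrict_keys; an empty
    list is assumed to mean "no restriction".
    """
    peer = normalize(peer_key)
    if peer not in {normalize(k) for k in trusted_keys}:
        return False, "key not trusted"
    allowed = {normalize(k) for k in restrict_keys}
    if allowed and peer not in allowed:
        return False, "key not in copyfrom_restrict_keys"
    return True, "ok"


def simulate(answering_key, restrict_keys=()):
    """The mid-tier policy server connects to its upstream's address;
    answering_key is the key of whichever host actually answers there."""
    trusted = [UPSTREAM_KEY, SERVED_NODE_KEY]  # upstream plus served nodes
    return may_copy_from(answering_key, trusted, restrict_keys)


if __name__ == "__main__":
    pinned = [UPSTREAM_KEY]
    cases = (("real upstream", UPSTREAM_KEY),
             ("served node answering at upstream address", SERVED_NODE_KEY))
    for label, key in cases:
        print(label, "| unrestricted:", simulate(key),
              "| pinned:", simulate(key, pinned))
```

Without the restriction both peers are accepted, because both keys are in the trust store; with the upstream key pinned, only the real upstream passes.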
      

            People

            • Assignee:
              Unassigned
              Reporter:
              amousset Alexis Mousset