
Add `cluster.addresses` and require membership before accepting cluster…

Authored by epriestley <git@epriestley.com> on Jan 3 2015, 00:13.

Description

Add cluster.addresses and require membership before accepting cluster authentication tokens

Summary:
Ref T2783. Ref T6706.

  • Add cluster.addresses. This is a whitelist of CIDR blocks which define cluster hosts.
  • When we receive a request that has a cluster-based authentication token, require the cluster to be configured and require the remote address to be a cluster member before we accept it.
    • This provides a general layer of security for these mechanisms.
    • In particular, it means they do not work by default on unconfigured hosts.
  • When cluster addresses are configured, and we receive a request to an address not on the list, reject it.
    • This provides a general layer of security for getting the Ops side of cluster configuration correct.
    • If cluster nodes have public IPs and are listening on them, we'll reject requests.
    • Basically, this means that any requests which bypass the LB get rejected.

Test Plan:

  • With addresses not configured, tried to make requests; rejected for using a cluster auth mechanism.
  • With addresses configured wrong, tried to make requests; rejected for sending from (or to) an address outside of the cluster.
  • With addresses configured correctly, made valid requests.

Reviewers: btrahan

Reviewed By: btrahan

Subscribers: epriestley

Maniphest Tasks: T6706, T2783

Differential Revision: https://secure.phabricator.com/D11159
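
The two checks described in the summary, sketched as an added example (not code from this commit or from Phabricator). The function names, the `(allowed, reason)` return shape and the sample addresses are assumptions made for illustration.

```python
import ipaddress


def parse_blocks(cluster_addresses):
    """Parse the configured CIDR allowlist (hypothetical helper)."""
    # strict=False tolerates entries written with host bits set, e.g. 10.0.0.5/24.
    return [ipaddress.ip_network(b, strict=False) for b in cluster_addresses]


def in_cluster(address, blocks):
    """True if address falls inside any configured block."""
    ip = ipaddress.ip_address(address)
    # An IPv4 address tested against an IPv6 block (or vice versa) is simply False.
    return any(ip in block for block in blocks)


def check_request(cluster_addresses, remote_addr, local_addr, uses_cluster_token):
    """Return (allowed, reason) for one request.

    remote_addr is the peer that sent the request; local_addr is the address
    the request was sent to on this host.
    """
    blocks = parse_blocks(cluster_addresses)

    # Rule 1: cluster auth tokens fail closed on unconfigured hosts and are
    # only accepted from cluster members.
    if uses_cluster_token:
        if not blocks:
            return (False, "cluster auth used but cluster.addresses is not configured")
        if not in_cluster(remote_addr, blocks):
            return (False, "cluster auth sent from an address outside the cluster")

    # Rule 2: once the cluster is configured, refuse requests that arrive on an
    # address outside the list (for example a node's public IP, bypassing the LB).
    if blocks and not in_cluster(local_addr, blocks):
        return (False, "request sent to an address outside the cluster")

    return (True, "ok")


# Constructed sample configuration and addresses, for illustration only.
SAMPLE_CLUSTER = ["10.0.0.0/24"]

if __name__ == "__main__":
    print(check_request([], "10.0.0.9", "10.0.0.5", True))
    print(check_request(SAMPLE_CLUSTER, "203.0.113.10", "10.0.0.5", True))
    print(check_request(SAMPLE_CLUSTER, "10.0.0.9", "203.0.113.10", False))
    print(check_request(SAMPLE_CLUSTER, "10.0.0.9", "10.0.0.5", True))
```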

Details

Committed
epriestley <git@epriestley.com> Jan 3 2015, 00:13
Pushed
aubort Jan 31 2017, 17:16
Parents
rPHc84b9d408cb5: Add `bin/almanac register` to associate a host with an Almanac device and trust…
Branches
Unknown
Tags
Unknown

Event Timeline

epriestley <git@epriestley.com> committed rPHfa7bb8ff7a50: Add `cluster.addresses` and require membership before accepting cluster… (authored by epriestley <git@epriestley.com>). Jan 3 2015, 00:13