Feature #1169

closed

Reports and Fact POST, and GET for Host ENC Yaml, should accept Authentication.

Added by Bash Shell over 12 years ago. Updated almost 11 years ago.

Status:
Closed
Priority:
Normal
Assignee:
-
Category:
-
Target version:
-
Difficulty:
Triaged:
Fixed in Releases:
Found in Releases:

Description

Currently, anyone can POST facts and reports to the Foreman URL.

This needs to be secured by using authentication.

The same goes for the GET of the host YAML for the ENC.

#1

Updated by Ohad Levy about 12 years ago

  • Tracker changed from Bug to Feature
#2

Updated by Anselm Strauss about 12 years ago

+1

Although you should not be able to modify the configuration of hosts, you can still falsify information about Puppet clients on the Foreman server. And you can read possibly critical information about clients from the server. Maybe the same secure mechanism as for the communication between Puppet agents and the master, and between Foreman and the smart proxy, could be used? Certificate management is there, as should be some already working Ruby code.

#3

Updated by Ohad Levy about 12 years ago

Anselm Strauss wrote:

+1

Although you should not be able to modify the configuration of hosts, you can still falsify information about Puppet clients on the Foreman server. And you can read possibly critical information about clients from the server. Maybe the same secure mechanism as for the communication between Puppet agents and the master, and between Foreman and the smart proxy, could be used? Certificate management is there, as should be some already working Ruby code.

Yes, I'm guessing we can restrict in two ways:
  1. limit the IP addresses that can reach Foreman for those actions
  2. require a certificate-verified connection for those URLs.

The first option is fairly trivial and can be done via Apache or Foreman; however, the second one, IMHO, needs to happen at the Apache (or your web service) level, as that's what actually does the certificate validation.
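The two restrictions described above, as an added example that is not part of this ticket or of Foreman's own code: a Rack middleware in front of the report/fact POST and ENC GET endpoints that passes a request only if Apache's mod_ssl has already verified the client certificate (option 2), or, failing that, if the source address is on an allowlist (option 1). The route patterns, the `trusted_hosts` and `trusted_cidrs` settings, and the class name are assumptions for the example; the `SSL_CLIENT_VERIFY` and `SSL_CLIENT_S_DN` variables are what mod_ssl exports when `SSLVerifyClient` and `SSLOptions +StdEnvVars` are set, which is why the certificate check itself stays in Apache and the application only consumes the result.

```ruby
require 'ipaddr'

# Hypothetical Rack middleware: not Foreman's implementation. It trusts
# SSL_CLIENT_VERIFY / SSL_CLIENT_S_DN only because they are set by Apache's
# mod_ssl in the CGI environment; if the app instead sits behind an HTTP
# reverse proxy, the proxy must strip client-supplied copies of these names
# (and of X-Forwarded-For) before REMOTE_ADDR or the DN can be trusted.
class PuppetmasterGuard
  # Route patterns are assumptions for the example, not Foreman's routes.
  PROTECTED = [
    [/\A\/reports(\/|\z)/,     'POST'], # Puppet report upload
    [/\A\/fact_values(\/|\z)/, 'POST'], # fact upload
    [/\A\/node\/[^\/]+\z/,     'GET'],  # ENC: /node/<fqdn> returns host YAML
  ].freeze

  def initialize(app, trusted_hosts: [], trusted_cidrs: [])
    @app = app
    @trusted_hosts = trusted_hosts                    # CNs signed by the Puppet CA
    @trusted_cidrs = trusted_cidrs.map { |c| IPAddr.new(c) }
  end

  def call(env)
    return @app.call(env) unless protected?(env)
    return @app.call(env) if cert_ok?(env) || ip_ok?(env)
    [403, { 'Content-Type' => 'text/plain' }, ["Forbidden\n"]]
  end

  def protected?(env)
    PROTECTED.any? do |re, meth|
      env['REQUEST_METHOD'] == meth && re.match?(env['PATH_INFO'].to_s)
    end
  end

  # Option 2: Apache did the TLS handshake with "SSLVerifyClient require"
  # against the Puppet CA; we only check its verdict and the certificate CN.
  # Handles both DN formats mod_ssl emits ("CN=a,O=b" and "/O=b/CN=a").
  def cert_ok?(env)
    return false unless env['SSL_CLIENT_VERIFY'] == 'SUCCESS'
    cn = env['SSL_CLIENT_S_DN'].to_s[/(?:\A|\/|,\s*)CN=([^\/,]+)/, 1]
    !cn.nil? && @trusted_hosts.include?(cn)
  end

  # Option 1: source-address allowlist. Weaker than option 2 (spoofable on
  # a shared network, and useless if a proxy rewrites REMOTE_ADDR).
  def ip_ok?(env)
    addr = env['REMOTE_ADDR'].to_s
    return false if addr.empty?
    ip = IPAddr.new(addr)
    @trusted_cidrs.any? { |c| c.include?(ip) }
  rescue ArgumentError # malformed address: IPAddr::Error < ArgumentError
    false
  end
end

if __FILE__ == $PROGRAM_NAME
  backend = ->(_env) { [200, { 'Content-Type' => 'text/plain' }, ["ok\n"]] }
  guard = PuppetmasterGuard.new(backend,
                                trusted_hosts: ['puppet.example.com'],
                                trusted_cidrs: ['10.0.0.0/8'])
  # Constructed request: unauthenticated report POST from outside -> 403
  status, = guard.call('REQUEST_METHOD' => 'POST', 'PATH_INFO' => '/reports',
                       'REMOTE_ADDR' => '203.0.113.5')
  puts "anonymous report POST: #{status}"
end
```

The usage block at the bottom is a constructed request, not traffic captured from a Foreman server. Note that the middleware never inspects certificates itself: if `SSL_CLIENT_VERIFY` is absent because the vhost is plain HTTP, every protected request falls through to the address check, so the Apache side must be configured before this guard means anything.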

#4

Updated by Bash Shell about 12 years ago

Another option is to allow ENC/Reports/Facts to POST using authentication?

There could be setting(s) for this?

Is there anything wrong with this idea? It seems simplest.

#5

Updated by Benjamin Papillon almost 11 years ago

  • Status changed from New to Closed

It has been successfully implemented with SSL certificates since Foreman 1.1.
