Feature #1169

Reports and Fact POST, and GET for Host ENC Yaml, should accept Authentication.

Added by Bash Shell almost 7 years ago. Updated about 5 years ago.

Status: Closed
Priority: Normal
Assignee: -
Category: -
Target version: -
Difficulty:
Team Backlog:
Triaged:
Fixed in Releases:
Bugzilla link:
Found in Releases:
Pull request:

Description

Currently, anyone can post Facts and Reports to the Foreman URL.

This needs to be secured by using authentication.

Same goes for GET for Host YML for ENC.

History

#1 Updated by Ohad Levy over 6 years ago

  • Tracker changed from Bug to Feature

#2 Updated by Anselm Strauss over 6 years ago

+1

Although you should not be able to modify the configuration of hosts you can still falsify information about puppet clients on the foreman server. And you can read possibly critical information about clients from the server. Maybe the same secure mechanism as for the communication between puppet agents and the master and between foreman and the smart proxy could be used? Certificate management is there as should be some already working ruby code.

#3 Updated by Ohad Levy over 6 years ago

Anselm Strauss wrote:

+1

Although you should not be able to modify the configuration of hosts you can still falsify information about puppet clients on the foreman server. And you can read possibly critical information about clients from the server. Maybe the same secure mechanism as for the communication between puppet agents and the master and between foreman and the smart proxy could be used? Certificate management is there as should be some already working ruby code.

Yes, I'm guessing we can restrict in two ways:
  1. limit the ip address that can reach foreman for those actions
  2. require a certificate verified connection for those urls.

The first option is fairly trivial, and can be done via Apache or Foreman; however the second one, IMHO, needs to happen at the Apache (or your web service) level, as that's actually doing the certificate validation.
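An Apache-level version of the two restrictions described in this comment, added here as an illustration and not taken from the issue or from Foreman's own configuration. The request paths (/reports, /fact_values, /node), the puppetmaster address, the CA file location and the backend port are assumptions; substitute your own.

```apache
# Added example (not from the Foreman issue or project). Paths, addresses and
# file names are assumptions; adjust them to your deployment.
<VirtualHost *:443>
    ServerName foreman.example.com
    SSLEngine on
    SSLCertificateFile    /etc/pki/tls/certs/foreman.example.com.crt
    SSLCertificateKeyFile /etc/pki/tls/private/foreman.example.com.key
    # CA that issued the puppet agent and puppetmaster certificates (assumed path)
    SSLCACertificateFile  /etc/puppet/ssl/certs/ca.pem

    # Default for the web UI: no client certificate is demanded
    SSLVerifyClient none

    # Option 1: only the puppetmaster's address may push facts and reports
    # (assumed paths; mod_authz_host "Require ip" from Apache 2.4)
    <LocationMatch "^/(reports|fact_values)">
        Require ip 192.0.2.10
    </LocationMatch>

    # Option 2: ENC lookups must present a certificate that chains to the
    # puppet CA. Apache performs the verification and hands the outcome to
    # the application in request headers it can trust.
    <Location /node>
        SSLVerifyClient require
        SSLVerifyDepth 2
        SSLOptions +StdEnvVars
        RequestHeader set X_CLIENT_DN     "%{SSL_CLIENT_S_DN}s"
        RequestHeader set X_CLIENT_VERIFY "%{SSL_CLIENT_VERIFY}s"
    </Location>

    # Foreman itself listens on the loopback interface only (assumed port)
    ProxyPass        / http://127.0.0.1:3000/
    ProxyPassReverse / http://127.0.0.1:3000/
</VirtualHost>
```

RequestHeader set overwrites any X_CLIENT_* value a client sends, so the application may rely on these headers only while it is reachable exclusively through this proxy.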

#4 Updated by Bash Shell over 6 years ago

Another option is to allow ENC/Reports/Facts to POST using Authentication?

There could be setting(s) for this?

Anything wrong with this idea? It seems simplest.

#5 Updated by Benjamin Papillon about 5 years ago

  • Status changed from New to Closed

It has been successfully implemented with SSL certificates since Foreman 1.1.
