Feature #1169

Reports and Fact POST, and GET for Host ENC Yaml, should accept Authentication.

Added by Bash Shell about 7 years ago. Updated over 5 years ago.

Status: Closed
Priority: Normal
Assignee: -
Category: -
Target version: -
Triaged: No

Description

Currently, anyone can post Facts and Reports to the Foreman url.

This needs to be secured by using authentication.

Same goes for GET for Host YML for ENC.

History

#1 Updated by Ohad Levy almost 7 years ago

  • Tracker changed from Bug to Feature

#2 Updated by Anselm Strauss over 6 years ago

+1

Although you should not be able to modify the configuration of hosts, you can still falsify information about puppet clients on the foreman server. And you can read possibly critical information about clients from the server. Maybe the same secure mechanism as for the communication between puppet agents and the master and between foreman and the smart proxy could be used? Certificate management is there, as should be some already working ruby code.

#3 Updated by Ohad Levy over 6 years ago

Anselm Strauss wrote:

+1

Although you should not be able to modify the configuration of hosts, you can still falsify information about puppet clients on the foreman server. And you can read possibly critical information about clients from the server. Maybe the same secure mechanism as for the communication between puppet agents and the master and between foreman and the smart proxy could be used? Certificate management is there, as should be some already working ruby code.

Yes, I'm guessing we can restrict in two ways:
  1. limit the ip address that can reach foreman for those actions
  2. require a certificate verified connection for those urls.

The first option is fairly trivial and can be done via apache or foreman; however the second one imho needs to happen at the apache (or your web service) level, as that's actually doing the certificate validations.
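Added example, not Foreman's own code and not part of this ticket: a small Rack middleware in Ruby showing how an application can apply both restrictions from the comment above (a source-IP allowlist, and a requirement that the web server verified a client certificate) to the fact, report and ENC endpoints. The web server does the real certificate validation and reports its verdict in headers; the app only consumes that verdict. The protected paths, the header names (`X-SSL-Client-Verify`, `X-SSL-Client-S-DN`), the backend stub and the allowlist values are assumptions made for this example, not Foreman routes or settings.

```ruby
# Added example, not Foreman's own code: a Rack middleware that enforces the
# two restrictions from comment #3 inside the application, while the web
# server (Apache) does the actual client-certificate validation and reports
# its verdict in headers. Protected paths, header names and allowlists are
# assumptions made for this example, not Foreman settings.
require 'ipaddr'

class PuppetEndpointGuard
  # Endpoints to protect (assumed example paths, not Foreman's real routes).
  PROTECTED_PATHS = [
    %r{\A/reports/create\z},
    %r{\A/fact_values/create\z},
    %r{\A/node/}
  ].freeze

  # allowed_dns: certificate subjects (as the web server renders them) that may
  #              post facts/reports or fetch the ENC output.
  # allowed_ips: optional CIDR allowlist; empty means "any source address".
  def initialize(app, allowed_dns:, allowed_ips: [])
    @app = app
    @allowed_dns = allowed_dns
    @allowed_ips = allowed_ips.map { |cidr| IPAddr.new(cidr) }
  end

  def call(env)
    return @app.call(env) unless protected?(env['PATH_INFO'])
    return deny('source address not allowed') unless ip_allowed?(env['REMOTE_ADDR'])
    return deny('verified client certificate required') unless cert_verified?(env)

    @app.call(env)
  end

  private

  def protected?(path)
    PROTECTED_PATHS.any? { |re| re.match?(path.to_s) }
  end

  def ip_allowed?(addr)
    return true if @allowed_ips.empty?

    ip = IPAddr.new(addr.to_s)
    @allowed_ips.any? { |net| net.include?(ip) }
  rescue IPAddr::InvalidAddressError
    false # an unparsable REMOTE_ADDR fails closed
  end

  # Both headers must come from the web server's own TLS handshake (Apache:
  # SSLVerifyClient + SSLOptions +StdEnvVars + RequestHeader set ...). If the
  # server does not overwrite client-supplied copies, this check proves nothing.
  def cert_verified?(env)
    env['HTTP_X_SSL_CLIENT_VERIFY'] == 'SUCCESS' &&
      @allowed_dns.include?(env['HTTP_X_SSL_CLIENT_S_DN'].to_s)
  end

  def deny(reason)
    [403, { 'Content-Type' => 'text/plain' }, ["Forbidden: #{reason}\n"]]
  end
end

# Stand-in for the Foreman application behind the guard.
BACKEND = ->(_env) { [200, { 'Content-Type' => 'text/plain' }, ["ok\n"]] }

# Guard configured with constructed sample values.
def example_guard
  PuppetEndpointGuard.new(BACKEND,
                          allowed_dns: ['CN=puppet.example.com'], # constructed
                          allowed_ips: ['10.0.0.0/8'])             # constructed
end

# Builds a minimal Rack env (constructed request) and returns the status code.
def request_status(guard, path, remote_addr, headers = {})
  env = { 'REQUEST_METHOD' => 'POST', 'PATH_INFO' => path, 'REMOTE_ADDR' => remote_addr }
  headers.each { |name, value| env["HTTP_#{name.upcase.tr('-', '_')}"] = value }
  guard.call(env).first
end

if __FILE__ == $PROGRAM_NAME
  guard = example_guard
  puppetmaster = { 'X-SSL-Client-Verify' => 'SUCCESS', 'X-SSL-Client-S-DN' => 'CN=puppet.example.com' }
  puts request_status(guard, '/fact_values/create', '10.1.2.3', puppetmaster)     # 200
  puts request_status(guard, '/fact_values/create', '10.1.2.3')                   # 403: no certificate
  puts request_status(guard, '/node/web1.example.com', '192.0.2.9', puppetmaster) # 403: outside allowlist
  puts request_status(guard, '/hosts', '192.0.2.9')                               # 200: not a protected path
end
```

The middleware only trusts what the TLS terminator tells it, which is the point made in the comment: the certificate check itself has to happen in Apache (or whatever fronts the app), which must both verify the client certificate against the CA and set the two headers from its own handshake on every request, overwriting anything the client sent. Requests that fail either check get a 403 with the reason, which is also what you would log and alert on to spot a host posting facts or reports it should not be able to.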

#4 Updated by Bash Shell over 6 years ago

Another option is to allow ENC/Reports/Facts to POST using Authentication?

There could be setting(s) for this?

Anything wrong with this idea? It seems simplest.

#5 Updated by Benjamin Papillon over 5 years ago

  • Status changed from New to Closed

It has been successfully implemented with SSL certificates since Foreman 1.1.
