Feature #1169
closed
Reports and Fact POST, and GET for Host ENC Yaml, should accept Authentication.
Added by Bash Shell over 13 years ago.
Updated over 11 years ago.
Description
Currently, anyone can post Facts and Reports to the Foreman url.
This needs to be secured, by using authentication.
Same goes for GET for Host YML for ENC.
- Tracker changed from Bug to Feature
+1
Although you should not be able to modify the configuration of hosts, you can still falsify information about Puppet clients on the Foreman server. And you can read possibly critical information about clients from the server. Maybe the same secure mechanism as for the communication between Puppet agents and the master and between Foreman and the smart proxy could be used? Certificate management is there, as should be some already-working Ruby code.
Anselm Strauss wrote:
+1
Although you should not be able to modify the configuration of hosts, you can still falsify information about Puppet clients on the Foreman server. And you can read possibly critical information about clients from the server. Maybe the same secure mechanism as for the communication between Puppet agents and the master and between Foreman and the smart proxy could be used? Certificate management is there, as should be some already-working Ruby code.
Yes, I'm guessing we can restrict in two ways:
- limit the ip address that can reach foreman for those actions
- require a certificate verified connection for those urls.
The first option is fairly trivial and can be done via Apache or Foreman; however, the second one, IMHO, needs to happen at the Apache (or your web service) level, as that is what actually does the certificate validation.
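The two restrictions sketched in this reply (limiting the source address, and requiring a certificate-verified connection for those URLs) as an added example, not Foreman's own code: a Rack middleware that trusts the verification result Apache forwards in request headers. The header names, the protected paths and the trusted-host list are assumptions, not Foreman's actual ones.

```ruby
require 'ipaddr'

# Added example (not Foreman's code). Assumes Apache terminates TLS and forwards
# the client-certificate result as X-SSL-Client-Verify / X-SSL-Client-S-DN headers;
# the protected paths below are placeholders for the fact/report POST and ENC GET URLs.
class PuppetEndpointGuard
  PROTECTED = [
    [/\A\/facts\z/,   'POST'],   # placeholder: fact upload
    [/\A\/reports\z/, 'POST'],   # placeholder: report upload
    [/\A\/node\/.+/,  'GET'],    # placeholder: ENC YAML for a host
  ].freeze

  def initialize(app, trusted_hosts:, allowed_nets:)
    @app = app
    @trusted_hosts = trusted_hosts                      # CNs allowed to act as puppetmaster
    @allowed_nets = allowed_nets.map { |n| IPAddr.new(n) }
  end

  def call(env)
    return @app.call(env) unless protected?(env)       # everything else passes through
    reason = deny_reason(env)
    return [403, { 'Content-Type' => 'text/plain' }, ["forbidden: #{reason}"]] if reason
    @app.call(env)
  end

  # Returns nil when the request may proceed, otherwise the reason for denial.
  def deny_reason(env)
    ip = IPAddr.new(env['REMOTE_ADDR'].to_s) rescue nil
    return 'source address not allowed' unless ip && @allowed_nets.any? { |n| n.include?(ip) }
    return 'client certificate not verified' unless env['HTTP_X_SSL_CLIENT_VERIFY'] == 'SUCCESS'
    cn = common_name(env['HTTP_X_SSL_CLIENT_S_DN'].to_s)
    return 'certificate CN not trusted' unless @trusted_hosts.include?(cn)
    nil
  end

  private

  def protected?(env)
    PROTECTED.any? { |re, verb| env['REQUEST_METHOD'] == verb && re.match?(env['PATH_INFO'].to_s) }
  end

  # Extract the CN from a DN in either "/CN=host/O=Org" or "CN=host,O=Org" form.
  def common_name(dn)
    m = dn.match(/CN=([^\/,]+)/)
    m ? m[1] : nil
  end
end
```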
Another option is to allow ENC/Reports/Facts to POST using Authentication?
There could be setting(s) for this?
Anything wrong with this idea? It seems simplest.
- Status changed from New to Closed
It has been successfully implemented with SSL certificates since Foreman 1.1.