diff options
author | Chris St. Pierre <chris.a.st.pierre@gmail.com> | 2013-08-19 09:37:59 -0400 |
---|---|---|
committer | Chris St. Pierre <chris.a.st.pierre@gmail.com> | 2013-08-19 09:37:59 -0400 |
commit | 6e3d93ca09048bbda6f2dd0119aaa576ed3bb743 (patch) | |
tree | 089cc93a8eb7c26215c300a306ad2e227eba3259 /doc | |
parent | ebfdc702566ca59f8bf44e49c973d54073bdea14 (diff) | |
download | bcfg2-6e3d93ca09048bbda6f2dd0119aaa576ed3bb743.tar.gz bcfg2-6e3d93ca09048bbda6f2dd0119aaa576ed3bb743.tar.bz2 bcfg2-6e3d93ca09048bbda6f2dd0119aaa576ed3bb743.zip |
Core: Added default ACLs
Since we're exposing more stuff via XML-RPC, this adds a default,
fairly restrictive ACL plugin if no other ClientACLs plugin is loaded.
This makes us secure by default.
Diffstat (limited to 'doc')
-rw-r--r-- | doc/server/acl.txt | 41 | ||||
-rw-r--r-- | doc/server/plugins/misc/acl.txt | 33 |
2 files changed, 74 insertions, 0 deletions
diff --git a/doc/server/acl.txt b/doc/server/acl.txt new file mode 100644 index 000000000..6ea276a53 --- /dev/null +++ b/doc/server/acl.txt @@ -0,0 +1,41 @@ +.. -*- mode: rst -*- + +.. _server-access-control: + +================ + Access Control +================ + +.. versionadded:: 1.4.0 + +Bcfg2 exposes various functions via XML-RPC calls. Some of these are +relatively benign (e.g., the calls necessary to generate a client +configuration) while others can be used to inspect potentially private +data on the server or very easily mount a denial of service attack. +As a result, access control lists to limit exposure of these calls is +built in. There are two possible ACL methods: built-in, and the +:ref:`server-plugins-misc-acls` plugin. + +The built-in approach simply applies a restrictive default ACL that +lets ``localhost`` perform all XML-RPC calls, and restricts all other +machines to only the calls necessary to run the Bcfg2 client. +Specifically: + +* If the remote client is ``127.0.0.1``, the call is allowed. Note + that, depending on where your Bcfg2 server listens and how it + communicates with itself, it likely will not identify to itself as + ``localhost``. +* If the remote client is not ``127.0.0.1`` and the call is any of the + ``set_debug`` or ``toggle_debug`` methods (including + ``[toggle|set]_core_debug``), it is rejected. +* If the remote client is not ``127.0.0.1`` and the call is + ``get_statistics`` (used by ``bcfg2-admin perf``), it is rejected. +* If the remote client is not ``127.0.0.1`` and the call includes a + ``.`` -- i.e., it is dispatched to any plugin, such as + ``Packages.Refresh`` -- then it is rejected. +* Otherwise, the call is allowed. + +The built-in ACL is *only* intended to ensure that Bcfg2 is secure by +default; it will not be sufficient in many (or even most) cases. In +these cases, it's recommended that you use the +:ref:`server-plugins-misc-acls` plugin. diff --git a/doc/server/plugins/misc/acl.txt b/doc/server/plugins/misc/acl.txt index 45780bef8..226b56a44 100644 --- a/doc/server/plugins/misc/acl.txt +++ b/doc/server/plugins/misc/acl.txt @@ -200,3 +200,36 @@ could also do something like ``*.toggle_debug`` to allow a host to enable or disable debugging for all plugins. No other bash globbing is supported. + +Examples +======== + +The :ref:`default ACL list <server-access-control>` can be described +in ``ip.xml`` fairly simply: + +.. code-block:: xml + + <ACL> + <Allow address="127.0.0.1" method="*.*"/> + <Allow address="127.0.0.1" method="*"/> + <Deny method="*.*"/> + <Deny method="*_debug"/> + <Deny method="get_statistics"/> + <Allow method="*"/> + </ACL> + +A basic configuration that is still very secure but perhaps more +functional could be given in ``metadata.xml``: + +.. code-block:: xml + + <ACL> + <Group name="bcfg2-server"> + <Allow method="*.*"/> + <Allow method="*"/> + </Group> + <Deny method="*.*"/> + <Deny method="*_debug"/> + <Deny method="get_statistics"/> + <Allow method="*"/> + </ACL> |