-rw-r--r--doc/appendix/guides/authentication.txt33
-rw-r--r--doc/server/plugins/grouping/metadata.txt4
-rw-r--r--src/lib/Bcfg2/Options.py8
-rw-r--r--src/lib/Bcfg2/Server/Plugins/Metadata.py32
4 files changed, 44 insertions, 33 deletions
diff --git a/doc/appendix/guides/authentication.txt b/doc/appendix/guides/authentication.txt
index 3fd0e1e2d..b8ec82590 100644
--- a/doc/appendix/guides/authentication.txt
+++ b/doc/appendix/guides/authentication.txt
@@ -132,13 +132,26 @@ controlled through the use of the auth attribute in
Allowed values are:
- +---------------+------------------------------------------+
- | **Auth Type** | **Meaning** |
- +===============+==========================================+
- | cert | Certificates must be used |
- +---------------+------------------------------------------+
- | cert+password | Certificate or password may be used |
- +---------------+------------------------------------------+
- | bootstrap | Password can be used for one client run, |
- | | after that certificate is required |
- +---------------+------------------------------------------+
++-------------------+------------------------------------------+
+| Auth Type | Meaning |
++===================+==========================================+
+| ``cert`` | Certificates must be used |
++-------------------+------------------------------------------+
+| ``cert+password`` | Certificate or password may be used. If |
+| | a certificate is used, the password must |
+| | also be used. |
++-------------------+------------------------------------------+
+| ``bootstrap`` | Password can be used for one client run, |
+| | after that only certificate is allowed |
++-------------------+------------------------------------------+
+
+``cert+password`` is the default. This can be changed by setting the
+``authentication`` parameter in the ``[communcation]`` section of
+``bcfg2.conf``. For instance, to set ``bootstrap`` mode as the global
+default, you would add the following to ``bcfg2.conf``::
+
+ [communication]
+ authentication = bootstrap
+
+``bootstrap`` mode is currently incompatible with the
+:ref:`server-plugins-grouping-metadata-clients-database`.
diff --git a/doc/server/plugins/grouping/metadata.txt b/doc/server/plugins/grouping/metadata.txt
index 11b3d5496..f4c5cbcb3 100644
--- a/doc/server/plugins/grouping/metadata.txt
+++ b/doc/server/plugins/grouping/metadata.txt
@@ -32,7 +32,7 @@ clients.xml
===========
The ``clients.xml`` file contains the mappings of Profile Groups
-to clients. The file is just a series of *<Client />* tags, each of which
+to clients. The file is just a series of ``<Client />`` tags, each of which
describe one host. A sample file is below:
.. code-block:: xml
@@ -43,7 +43,7 @@ describe one host. A sample file is below:
<Client profile="kerberos-master" name="kdc.example.com"/>
<Client profile="mail-server" name="mail.example.com"/>
<Client name='foo' address='10.0.0.1'>
- <Alias name='foo-mgmt' address='10.1.0.1'/>
+ <Alias name='foo-mgmt' address='10.1.0.1'/>
</Client>
</Clients>
diff --git a/src/lib/Bcfg2/Options.py b/src/lib/Bcfg2/Options.py
index 07d089f05..be3a4c7b3 100644
--- a/src/lib/Bcfg2/Options.py
+++ b/src/lib/Bcfg2/Options.py
@@ -582,6 +582,11 @@ SERVER_UMASK = \
default='0077',
odesc='<Server umask>',
cf=('server', 'umask'))
+SERVER_AUTHENTICATION = \
+ Option('Default client authentication method',
+ default='cert+password',
+ odesc='{cert|bootstrap|cert+password}',
+ cf=('communication', 'authentication'))
# database options
DB_ENGINE = \
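Review bot: Nothing in the new `SERVER_AUTHENTICATION` option constrains the configured value to the three modes its `odesc` lists (`{cert|bootstrap|cert+password}`), and the consumer added in the second Metadata.py hunk (`self.core.setup['authentication']`) copies it straight into `auth_type`, where the existing `id_method == 'cert' and auth_type != 'cert+password'` test treats any unrecognised string as "password not required" for a certificate-bearing client; a typo such as `cert+passwd` in bcfg2.conf would therefore silently drop the password check for every client without an explicit `auth` attribute. I can't see from this hunk whether `Option` accepts a choices-style argument; if it does not, reject unknown values where they are read, e.g. right after the lookup in Metadata.py: `if auth_type not in ('cert', 'cert+password', 'bootstrap'):` / `self.logger.error("Unknown authentication type %s" % auth_type)` / `return False`. The per-client `auth` attribute stored unchecked in the first Metadata.py hunk would benefit from the same validation, since it flows into the same comparison.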
@@ -1115,7 +1120,8 @@ SERVER_COMMON_OPTIONS = dict(repo=SERVER_REPOSITORY,
protocol=SERVER_PROTOCOL,
web_configfile=WEB_CFILE,
backend=SERVER_BACKEND,
- vcs_root=SERVER_VCS_ROOT)
+ vcs_root=SERVER_VCS_ROOT,
+ authentication=SERVER_AUTHENTICATION)
CRYPT_OPTIONS = dict(encrypt=ENCRYPT,
decrypt=DECRYPT,
diff --git a/src/lib/Bcfg2/Server/Plugins/Metadata.py b/src/lib/Bcfg2/Server/Plugins/Metadata.py
index df98e6ea8..bd02739d5 100644
--- a/src/lib/Bcfg2/Server/Plugins/Metadata.py
+++ b/src/lib/Bcfg2/Server/Plugins/Metadata.py
@@ -677,8 +677,7 @@ class Metadata(Bcfg2.Server.Plugin.Metadata,
self.raddresses[clname] = set()
self.raddresses[clname].add(caddr)
if 'auth' in client.attrib:
- self.auth[client.get('name')] = client.get('auth',
- 'cert+password')
+ self.auth[client.get('name')] = client.get('auth')
if 'uuid' in client.attrib:
self.uuid[client.get('uuid')] = clname
if client.get('secure', 'false').lower() == 'true':
@@ -1192,7 +1191,8 @@ class Metadata(Bcfg2.Server.Plugin.Metadata,
# look at cert.cN
client = certinfo['commonName']
self.debug_log("Got cN %s; using as client name" % client)
- auth_type = self.auth.get(client, 'cert+password')
+ auth_type = self.auth.get(client,
+ self.core.setup['authentication'])
elif user == 'root':
id_method = 'address'
try:
@@ -1215,12 +1215,8 @@ class Metadata(Bcfg2.Server.Plugin.Metadata,
self.debug_log("Authenticating client %s" % client)
# next we validate the address
- if id_method == 'uuid':
- addr_is_valid = True
- else:
- addr_is_valid = self.validate_client_address(client, address)
-
- if not addr_is_valid:
+ if (id_method != 'uuid' and
+ not self.validate_client_address(client, address)):
return False
if id_method == 'cert' and auth_type != 'cert+password':
@@ -1230,23 +1226,19 @@ class Metadata(Bcfg2.Server.Plugin.Metadata,
# we are done if cert+password not required
return True
- if client not in self.passwords:
- if client in self.secure:
- self.logger.error("Client %s in secure mode but has no "
- "password" % address[0])
- return False
- if password != self.password:
- self.logger.error("Client %s used incorrect global password" %
- address[0])
- return False
+ if client not in self.passwords and client in self.secure:
+ self.logger.error("Client %s in secure mode but has no password" %
+ address[0])
+ return False
+
if client not in self.secure:
if client in self.passwords:
plist = [self.password, self.passwords[client]]
else:
plist = [self.password]
if password not in plist:
- self.logger.error("Client %s failed to use either allowed "
- "password" % address[0])
+ self.logger.error("Client %s failed to use an allowed password"
+ % address[0])
return False
else:
# client in secure mode and has a client password