From 6e3d93ca09048bbda6f2dd0119aaa576ed3bb743 Mon Sep 17 00:00:00 2001 From: "Chris St. Pierre" Date: Mon, 19 Aug 2013 09:37:59 -0400 Subject: Core: Added default ACLs Since we're exposing more stuff via XML-RPC, this adds a default, fairly restrictive ACL plugin if no other ClientACLs plugin is loaded. This makes us secure by default. --- doc/server/acl.txt | 41 +++++++++++++++++++++++++++++++++++++++++ doc/server/plugins/misc/acl.txt | 33 +++++++++++++++++++++++++++++++++ 2 files changed, 74 insertions(+) create mode 100644 doc/server/acl.txt (limited to 'doc') diff --git a/doc/server/acl.txt b/doc/server/acl.txt new file mode 100644 index 000000000..6ea276a53 --- /dev/null +++ b/doc/server/acl.txt 
@@ -0,0 +1,41 @@ +.. -*- mode: rst -*- + +.. _server-access-control: + +================ + Access Control +================ + +.. versionadded:: 1.4.0 + +Bcfg2 exposes various functions via XML-RPC calls. Some of these are +relatively benign (e.g., the calls necessary to generate a client +configuration) while others can be used to inspect potentially private +data on the server or very easily mount a denial of service attack. +As a result, access control lists to limit exposure of these calls is +built in. There are two possible ACL methods: built-in, and the +:ref:`server-plugins-misc-acls` plugin. + +The built-in approach simply applies a restrictive default ACL that +lets ``localhost`` perform all XML-RPC calls, and restricts all other +machines to only the calls necessary to run the Bcfg2 client. +Specifically: + +* If the remote client is ``127.0.0.1``, the call is allowed. Note + that, depending on where your Bcfg2 server listens and how it + communicates with itself, it likely will not identify to itself as + ``localhost``. +* If the remote client is not ``127.0.0.1`` and the call is any of the + ``set_debug`` or ``toggle_debug`` methods (including + ``[toggle|set]_core_debug``), it is rejected. +* If the remote client is not ``127.0.0.1`` and the call is + ``get_statistics`` (used by ``bcfg2-admin perf``), it is rejected. +* If the remote client is not ``127.0.0.1`` and the call includes a + ``.`` -- i.e., it is dispatched to any plugin, such as + ``Packages.Refresh`` -- then it is rejected. +* Otherwise, the call is allowed. + +The built-in ACL is *only* intended to ensure that Bcfg2 is secure by +default; it will not be sufficient in many (or even most) cases. In +these cases, it's recommended that you use the +:ref:`server-plugins-misc-acls` plugin. diff --git a/doc/server/plugins/misc/acl.txt b/doc/server/plugins/misc/acl.txt index 45780bef8..226b56a44 100644 --- a/doc/server/plugins/misc/acl.txt +++ b/doc/server/plugins/misc/acl.txt 
@@ -200,3 +200,36 @@ could also do something like ``*.toggle_debug`` to allow a host to enable or disable debugging for all plugins. No other bash globbing is supported. + +Examples +======== + +The :ref:`default ACL list ` can be described +in ``ip.xml`` fairly simply: + +.. code-block:: xml + + + + + + + + + + +A basic configuration that is still very secure but perhaps more +functional could be given in ``metadata.xml``: + +.. code-block:: xml + + + + + + + + + + + -- cgit v1.2.3-1-g7c22
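Review bot: in doc/server/acl.txt the bullet list describes a deny-list (``set_debug``/``toggle_debug``, ``get_statistics`` and any dotted plugin call are rejected, and "Otherwise, the call is allowed"), which does not match the sentence just above it claiming non-local machines are restricted "to only the calls necessary to run the Bcfg2 client"; any new undotted core method added later would be reachable from every client by default. Either describe the built-in ACL as the blacklist it is, or enumerate the client-required methods it is meant to permit so readers can judge what remains exposed. Two smaller points in the same hunk: the first bullet keys on the literal address ``127.0.0.1``, so the text should say that a server reached over another loopback address (for example IPv6 ``::1``) is treated as remote, and "access control lists to limit exposure of these calls is built in" should read "are built in".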
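Review bot: in doc/server/plugins/misc/acl.txt the two new examples are shown without saying what each rule permits; add a sentence after the ``ip.xml`` block stating which addresses and methods it matches, and after the ``metadata.xml`` block say concretely which groups or hosts gain which calls, since "still very secure but perhaps more functional" gives the reader no way to tell what the second policy opens up relative to the built-in default described in doc/server/acl.txt.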