2
0
mirror of https://github.com/xcat2/confluent.git synced 2024-11-22 17:43:14 +00:00

Add mechanism to extend authentication to remote networks

This allows user to designate certain networks to be treated as
if they were local.

This enables the initial token grant to be allowed to a remote network.

This still requires that the api be armed (which should generally be a narrow window of
opportunity) and that the
request be privileged, it
just allows remote networks to be
elevated to be as trusted as local.
This commit is contained in:
Jarrod Johnson 2022-10-25 11:26:44 -04:00
parent 5794cd5d12
commit 4864d6abb0
2 changed files with 50 additions and 1 deletions

View File

@ -25,6 +25,10 @@ import hashlib
import hmac
import os
import struct
import ctypes
import ctypes.util
libc = ctypes.CDLL(ctypes.util.find_library('c'))
# cred grant tlvs:
# 0, 0 - null
@ -36,6 +40,50 @@ import struct
# 6, len, hmac - hmac of crypted key using shared secret for long-haul support
# 128, len, len, key - sealed key
_semitrusted = []
def read_authnets(cfgpath):
with open(cfgpath, 'r') as cfgin:
_semitrusted = []
for line in cfgin.readlines:
line = line.split('#', 1)[0].strip()
if '/' not in line:
continue
subnet, prefix = line.split('/')
_semitrusted.append((subnet, prefix))
def watch_trusted():
while True:
watcher = libc.inotify_init1(os.O_NONBLOCK)
cfgpath = '/etc/confluent/auth_nets'
if not os.path.exists(cfgpath):
with open(cfgpath, 'w') as cfgout:
cfgout.write(
'# This is a list of networks in addition to local\n'
'# networks to allow grant of initial deployment token,\n'
'# when a node has deployment API armed\n')
read_authnets(cfgpath)
if libc.inotify_add_watch(watcher, cfgpath, 0xcc2) <= -1:
eventlet.sleep(15)
continue
select.select((watcher,), (), (), 86400)
try:
os.read(watcher, 1024)
except Exception:
pass
os.close(watcher)
def address_is_somewhat_trusted(address):
for authnet in _semitrusted:
if netutil.ip_on_same_subnet(address, authnet[0], authnet[1]):
return True
if netutil.address_is_local(address):
return True
return False
class CredServer(object):
def __init__(self):
self.cfm = cfm.ConfigManager(None)
@ -60,7 +108,7 @@ class CredServer(object):
elif tlv[1]:
client.recv(tlv[1])
if not hmackey:
if not netutil.address_is_local(peer[0]):
if not address_is_somewhat_trusted(peer[0]):
client.close()
return
apimats = self.cfm.get_node_attributes(nodename,

View File

@ -496,6 +496,7 @@ class SockApi(object):
self.start_remoteapi()
else:
eventlet.spawn_n(self.watch_for_cert)
eventlet.spawn_n(credserver.watch_trusted)
eventlet.spawn_n(self.watch_resolv)
self.unixdomainserver = eventlet.spawn(_unixdomainhandler)