mirror of
https://github.com/xcat2/confluent.git
synced 2024-11-26 11:30:23 +00:00
Add mechanism to extend authentication to remote networks
This allows user to designate certain networks to be treated as if they were local. This enables the initial token grant to be allowed to a remote network. This still requires that the api be armed (which should generally be a narrow window of opportunity) and that the request be privileged, it just allows remote networks to be elevated to be as trusted as local.
This commit is contained in:
parent
5794cd5d12
commit
4864d6abb0
@ -25,6 +25,10 @@ import hashlib
|
||||
import hmac
|
||||
import os
|
||||
import struct
|
||||
import ctypes
|
||||
import ctypes.util
|
||||
|
||||
libc = ctypes.CDLL(ctypes.util.find_library('c'))
|
||||
|
||||
# cred grant tlvs:
|
||||
# 0, 0 - null
|
||||
@ -36,6 +40,50 @@ import struct
|
||||
# 6, len, hmac - hmac of crypted key using shared secret for long-haul support
|
||||
# 128, len, len, key - sealed key
|
||||
|
||||
_semitrusted = []
|
||||
|
||||
def read_authnets(cfgpath):
|
||||
with open(cfgpath, 'r') as cfgin:
|
||||
_semitrusted = []
|
||||
for line in cfgin.readlines:
|
||||
line = line.split('#', 1)[0].strip()
|
||||
if '/' not in line:
|
||||
continue
|
||||
subnet, prefix = line.split('/')
|
||||
_semitrusted.append((subnet, prefix))
|
||||
|
||||
|
||||
def watch_trusted():
|
||||
while True:
|
||||
watcher = libc.inotify_init1(os.O_NONBLOCK)
|
||||
cfgpath = '/etc/confluent/auth_nets'
|
||||
if not os.path.exists(cfgpath):
|
||||
with open(cfgpath, 'w') as cfgout:
|
||||
cfgout.write(
|
||||
'# This is a list of networks in addition to local\n'
|
||||
'# networks to allow grant of initial deployment token,\n'
|
||||
'# when a node has deployment API armed\n')
|
||||
read_authnets(cfgpath)
|
||||
if libc.inotify_add_watch(watcher, cfgpath, 0xcc2) <= -1:
|
||||
eventlet.sleep(15)
|
||||
continue
|
||||
select.select((watcher,), (), (), 86400)
|
||||
try:
|
||||
os.read(watcher, 1024)
|
||||
except Exception:
|
||||
pass
|
||||
os.close(watcher)
|
||||
|
||||
|
||||
|
||||
def address_is_somewhat_trusted(address):
|
||||
for authnet in _semitrusted:
|
||||
if netutil.ip_on_same_subnet(address, authnet[0], authnet[1]):
|
||||
return True
|
||||
if netutil.address_is_local(address):
|
||||
return True
|
||||
return False
|
||||
|
||||
class CredServer(object):
|
||||
def __init__(self):
|
||||
self.cfm = cfm.ConfigManager(None)
|
||||
@ -60,7 +108,7 @@ class CredServer(object):
|
||||
elif tlv[1]:
|
||||
client.recv(tlv[1])
|
||||
if not hmackey:
|
||||
if not netutil.address_is_local(peer[0]):
|
||||
if not address_is_somewhat_trusted(peer[0]):
|
||||
client.close()
|
||||
return
|
||||
apimats = self.cfm.get_node_attributes(nodename,
|
||||
|
@ -496,6 +496,7 @@ class SockApi(object):
|
||||
self.start_remoteapi()
|
||||
else:
|
||||
eventlet.spawn_n(self.watch_for_cert)
|
||||
eventlet.spawn_n(credserver.watch_trusted)
|
||||
eventlet.spawn_n(self.watch_resolv)
|
||||
self.unixdomainserver = eventlet.spawn(_unixdomainhandler)
|
||||
|
||||
|
Loading…
Reference in New Issue
Block a user