On 02/16/2014 06:49 AM, Simo Sorce wrote:
> On Fri, 2014-02-14 at 16:52 -0500, Rob Crittenden wrote:
>> - listens on port 8090, only on localhost
>> - is unauthenticated
> Sorry to come late, but I am really uneasy about this point.
>
> Can we do at least some form of simple authentication? Even if it is a
> shared secret in a file accessible by both foreman and smartproxy?
>
> Simo.

Simo, it is like this by design.
The interface is local only, and smart proxy explicitly checks that it is called locally by a local process.
The daemon itself will then authenticate remotely against IPA.
We trust the Foreman machine to make the host changes and allow it to make only these changes using access control rules on the server.
I do not think we need or can change anything here.
Any kind of authentication would significantly complicate integration with Foreman, and I frankly do not see the value in another level of authentication. I.e., how do certs or a key in a file make it more secure? I would rather suggest some SELinux policies that would open the REST API port only to specific labels.

--
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.


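The two positions in the thread (a localhost-only listener that checks the peer is local, versus a shared secret in a file readable by both services) can be combined in one small request gate. The following is an added example written for this discussion; it is not code from FreeIPA, Foreman or the smart proxy, and every name in it (authorize_request, load_shared_secret, the secret file path and the demo secret value) is a constructed assumption.

```python
import hmac
import ipaddress
import os
import tempfile


def load_shared_secret(path):
    """Read the shared secret from a file that only the two local services can read.

    The file is assumed to be owned by the service accounts involved and mode 0600;
    that file permission, not the secret's contents, is what limits who can present it.
    """
    with open(path, "rb") as fh:
        return fh.read().strip()


def is_loopback_peer(peer_addr):
    """True only when the connecting peer address is loopback (127.0.0.0/8 or ::1).

    A listener bound to localhost still benefits from this check: it documents the
    assumption and turns a misconfigured bind address into a logged denial.
    """
    try:
        return ipaddress.ip_address(peer_addr).is_loopback
    except ValueError:
        return False


def authorize_request(peer_addr, presented_secret, secret_path):
    """Accept a request only if the peer is local AND it presents the shared secret.

    Returns (ok, reason) so the caller can log why a request was refused.
    Hypothetical gate for a local REST API like the one discussed in the thread.
    """
    if not is_loopback_peer(peer_addr):
        return False, "non-local peer"
    if presented_secret is None:
        return False, "missing secret"
    expected = load_shared_secret(secret_path)
    # Constant-time comparison: a plain == would leak how many leading bytes matched.
    if not hmac.compare_digest(expected, presented_secret.encode()):
        return False, "bad secret"
    return True, "ok"


def demo_secret_file():
    """Write a constructed demo secret to a temporary file with mode 0600 and return its path."""
    fd, path = tempfile.mkstemp(prefix="demo-shared-secret-")
    with os.fdopen(fd, "wb") as fh:
        fh.write(b"constructed-demo-secret\n")
    os.chmod(path, 0o600)
    return path


if __name__ == "__main__":
    secret_path = demo_secret_file()
    # Constructed sample requests: (peer address, presented secret)
    samples = [
        ("127.0.0.1", "constructed-demo-secret"),  # local and correct -> allowed
        ("10.0.0.5", "constructed-demo-secret"),   # remote peer -> refused
        ("::1", "wrong-secret"),                   # local but wrong secret -> refused
        ("127.0.0.1", None),                       # local, no secret -> refused
    ]
    for peer, secret in samples:
        print(peer, secret, authorize_request(peer, secret, secret_path))
    os.remove(secret_path)
```

The shared secret adds nothing against a process that can already read the file, which is the point Dmitri makes; what it does add is a second, independent check, so that a wrong bind address or a proxy that forwards remote traffic to the loopback port is no longer enough on its own. An SELinux policy confining which domains may connect to the port, as suggested in the thread, is complementary to this gate rather than a replacement for it.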



_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
