On 02/16/2014 06:49 AM, Simo Sorce wrote:
> On Fri, 2014-02-14 at 16:52 -0500, Rob Crittenden wrote:
>> - listens on port 8090, only on localhost
>> - is unauthenticated
>
> Sorry to come late, but I am really at unease with this point.
>
> Can we do at least some form of simple authentication? Even if it is a
> shared secret in a file accessible by both foreman and smartproxy?

Simo, it is such by design.
The interface is local only, and the smart proxy explicitly checks that it is called locally by a local process.
The daemon by itself will then do a remote authentication against IPA.
We trust the Foreman machine to make the host changes and allow it to make only these changes using access control rules on the server.
I do not think we need or can change anything here.
Any kind of authentication would significantly complicate integration with Foreman, and I frankly do not see a value in another level of authentication. I.e. how do certs or a key in a file make it more secure? I would rather suggest some SELinux policies that would open the REST API port to only specific labels.

Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.
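An added illustration of the shared-secret option raised in the thread (this is example code, not code from the smart proxy plugin, Foreman or FreeIPA): a loopback-only listener on 8090 that checks the peer is local and compares a secret read from a file using a constant-time comparison. The secret file path and the header name are assumptions.

```python
# Added example, not the smart-proxy plugin's own code. Demonstrates a
# localhost-only REST listener that also requires a file-based shared secret.
import hmac
import os
from http.server import BaseHTTPRequestHandler, HTTPServer

SECRET_FILE = "/etc/foreman-proxy/ipa-secret"  # assumed path, not from the page
SECRET_HEADER = "X-Proxy-Secret"                # assumed header name


def load_secret(path=SECRET_FILE):
    """Read the shared secret; refuse a file that other users could read."""
    if os.stat(path).st_mode & 0o077:
        raise PermissionError(f"{path} must not be group- or world-readable")
    with open(path, "rb") as fh:
        return fh.read().strip()


def secret_matches(presented, expected):
    """Compare in constant time so response timing does not leak the secret."""
    if presented is None or not expected:
        return False
    return hmac.compare_digest(presented.encode(), expected)


def make_handler(expected):
    class Handler(BaseHTTPRequestHandler):
        def do_POST(self):
            # The server binds to 127.0.0.1 below; the peer check is defence
            # in depth against a later change to the bind address.
            if self.client_address[0] != "127.0.0.1":
                self.send_error(403)
                return
            if not secret_matches(self.headers.get(SECRET_HEADER), expected):
                self.send_error(401)
                return
            self.send_response(200)
            self.end_headers()
            self.wfile.write(b"ok\n")
    return Handler


if __name__ == "__main__":
    HTTPServer(("127.0.0.1", 8090), make_handler(load_secret())).serve_forever()
```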

Freeipa-devel mailing list