On Sun, 2014-02-16 at 21:54 -0500, Dmitri Pal wrote:
> On 02/16/2014 06:49 AM, Simo Sorce wrote:
> > On Fri, 2014-02-14 at 16:52 -0500, Rob Crittenden wrote:
> >> - listens on port 8090, only on localhost
> >> - is unauthenticated
> > Sorry to come late, but I am really at unease with this point.
> > Can we do at least some form of simple authentication? Even if it is a
> > shared secret in a file accessible by both foreman and smartproxy?
> > Simo.
> Simo, it is such by design.
The design is that foreman can connect to the local proxy in a simple
way. We can do it w/o exposing completely open interfaces to the local
> The interface is local only and smart proxy explicitly checks that it is
> called locally by a local process.
If it were using a unix socket that can be protected by permissions I
would have no qualms, but afaik this is listening on a network port on
localhost. It means *any* process can connect, they are all local.
> The daemon by itself will then do a remote authenticate against IPA.
> We trust Foreman machine to make the host changes and allow it to make
> only these changes using access control rules on the server.
> I do not think we need or can change anything here.
> Any kind of authentication would significantly complicate integration
> with Foreman and I frankly do not see a value in another level of
> I.e., how do certs or a key in the file make it more secure?
By allowing only the Foreman process to successfully connect.
> I would rather suggest some SELinux policies that would open the REST api
> port to only specific labels.
Sure, SELinux should certainly be used, but not everybody runs SELinux.
A shared file with a secret that only foreman and the proxy can access
is very simple, it can even be generated on the fly at startup, w/o
requiring any special manual setup.
Simo Sorce * Red Hat, Inc * New York
Freeipa-devel mailing list
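As an added illustration of the shared-secret-file approach proposed in the reply above (this is not code from the thread, FreeIPA, Foreman or the smart proxy; the file path, the `X-Proxy-Secret` header and the function names are assumptions), it shows a token generated at startup into a 0600 file, so that on a localhost TCP port only a process able to read that file passes the check:

```python
import hmac
import os
import secrets
import tempfile
from typing import Optional, Tuple

# Hypothetical names; nothing here is the smart proxy's own API.
SECRET_BYTES = 32
HEADER = "X-Proxy-Secret"  # assumed header name carrying the token


def write_startup_secret(path: str) -> str:
    """Generate a fresh random token at startup and store it in a file
    readable only by its owner (mode 0600).  The proxy and Foreman run as
    accounts that can read the file; any other local process cannot."""
    token = secrets.token_hex(SECRET_BYTES)
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write(token)
    return token


def read_secret(path: str) -> str:
    """What the Foreman side does: read the token from the shared file."""
    with open(path) as fh:
        return fh.read().strip()


def is_authorized(presented: Optional[str], expected: str) -> bool:
    """Constant-time comparison: a caller must not be able to learn the
    token byte by byte from timing differences."""
    if presented is None:
        return False
    return hmac.compare_digest(presented.encode(), expected.encode())


def handle_request(headers: dict, expected: str) -> Tuple[int, str]:
    """Reject (401) any local caller that does not present the token."""
    if not is_authorized(headers.get(HEADER), expected):
        return 401, "missing or invalid shared secret"
    return 200, "ok"


def demo() -> Tuple[int, int, int, int]:
    """One startup cycle in a temp dir: file mode, then three callers."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "proxy.secret")  # constructed path
        expected = write_startup_secret(path)
        mode = os.stat(path).st_mode & 0o777
        ok, _ = handle_request({HEADER: read_secret(path)}, expected)
        none, _ = handle_request({}, expected)
        bad, _ = handle_request({HEADER: "guess"}, expected)
        return mode, ok, none, bad
```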