Forum: CFEngine Help
Subject: Allowing access to a subdirectory only from similarly named host
Author: sauer
Link to topic: https://cfengine.com/forum/read.php?3,23884,23884#msg-23884

I have a situation where I only want to allow access to, say, /config/test/perserver/servername/ from a server named servername. If server2 tries to pull down servername's config, it should be denied. The config will include things like, say, the pre-encrypted root password, ssh host keys, ssl keys, etc. - stuff that should not be disclosed outside of one system.

However, I'm having difficulty figuring out a good way to basically just use the last component of the directory as the only allowed hostname. I can't realistically pre-define an slist of hosts, as there are several thousand of them, and the list changes daily. I'm considering the option of doing a find command to build the list, but that seems like a kludge.

What I'd ideally do is something along the lines of

    "/config/*/perserver/*" admit => { lastnode("$(this.promiser)") };

Under /config, I basically have something like test/ and production/, for staged deployment (I'd rather not put that in a hard-coded slist, either, for reasons we'll ignore for now).

So I guess I could do a find with a fixed depth, build a list of all the directories, and call that as a module. But I'm not sure how well that'll work with the server process. I'm also not sure how that would be refreshed in either case - if I add a new directory, do I have to restart the server process for it to work?

Anyone got any input on this? :)