[Freeipa-devel] [PATCH] 1106 IPA REST smart proxy

Dmitri Pal dpal at redhat.com
Mon Feb 17 02:54:21 UTC 2014


On 02/16/2014 06:49 AM, Simo Sorce wrote:
> On Fri, 2014-02-14 at 16:52 -0500, Rob Crittenden wrote:
>> - listens on port 8090, only on localhost
>> - is unauthenticated
> Sorry to come late, but I am really at unease with this point.
>
> Can we do at least some form of simple authentication ? Even if it is a
> shared secret in a file accessible by both foreman and smartproxy ?
>
> Simo.
>
Simo, it is such by design.
The interface is local only and smart proxy explicitly checks that it is 
called locally by a local process.
The daemon by itself will then authenticate remotely against IPA.
We trust Foreman machine to make the host changes and allow it to make 
only these changes using access control rules on the server.
I do not think we need or can change anything here.
Any kind of authentication would significantly complicate integration 
with Foreman and I frankly do not see a value in another level of 
authentication.
I.e. how do certs or a key in the file make it more secure? I would rather 
suggest some SELinux policies that would open the REST API port only to 
specific labels.

-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.
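The check described above (a loopback-only listener that verifies the caller is a local process) is worth seeing concretely, because "listens only on 127.0.0.1" by itself admits every local user. The following is an added illustration written for this page, not the smart proxy's or FreeIPA's own code. It assumes a TCP listener on the port named in the thread (8090), and it identifies the connecting local process by its owning UID through Linux's /proc/net/tcp; the listener port, the allowed UID, and the /proc/net/tcp sample are constructed for the example.

```python
"""Added example: verify that a request to a loopback-only REST listener
comes from a local peer, then find which local UID owns the client socket.

Linux-specific: it reads the /proc/net/tcp table.  The sample table below is
constructed for the example; UID 996 stands in for a hypothetical service user.
"""
import ipaddress
import socket

LISTEN_PORT = 8090  # port named in the thread; assumed for the example

# Constructed /proc/net/tcp excerpt.  Addresses/ports are little-endian hex:
# 0100007F = 127.0.0.1, 1F9A = 8090, AFC8 = 45000.  Column 8 is the owning UID.
# Row 0: our listener (state 0A = LISTEN).  Row 1: client side of a connection
# from port 45000 to 8090, owned by UID 996.  Row 2: server side of the same.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:1F9A 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 0000000000000000 100 0 0 10 0
   1: 0100007F:AFC8 0100007F:1F9A 01 00000000:00000000 00:00000000 00000000   996        0 12346 1 0000000000000000 20 4 30 10 -1
   2: 0100007F:1F9A 0100007F:AFC8 01 00000000:00000000 00:00000000 00000000     0        0 12347 1 0000000000000000 20 4 30 10 -1
"""


def is_loopback_peer(peer_host):
    """True only if the peer address is loopback (127.0.0.0/8 or ::1)."""
    try:
        return ipaddress.ip_address(peer_host).is_loopback
    except ValueError:
        return False


def _hex_endpoint(hex_endpoint):
    """Decode an IPv4 '<addr>:<port>' field of /proc/net/tcp, e.g.
    '0100007F:1F9A' -> ('127.0.0.1', 8090)."""
    addr_hex, port_hex = hex_endpoint.split(":")
    packed = bytes.fromhex(addr_hex)[::-1]  # kernel stores the address little-endian
    return socket.inet_ntoa(packed), int(port_hex, 16)


def peer_uid_from_proc_net_tcp(proc_net_tcp_text, peer_port, local_port=LISTEN_PORT):
    """Return the UID owning the client socket of an ESTABLISHED loopback
    connection from peer_port to local_port, or None if no such socket exists."""
    for line in proc_net_tcp_text.splitlines()[1:]:  # skip the header row
        fields = line.split()
        if len(fields) < 8:
            continue
        local_ip, lport = _hex_endpoint(fields[1])
        remote_ip, rport = _hex_endpoint(fields[2])
        if fields[3] != "01":  # 01 = TCP_ESTABLISHED
            continue
        if lport != peer_port or rport != local_port:
            continue
        if not (ipaddress.ip_address(local_ip).is_loopback
                and ipaddress.ip_address(remote_ip).is_loopback):
            continue
        return int(fields[7])
    return None


def authorize_local_peer(peer_host, peer_port, allowed_uids, proc_net_tcp_text):
    """Decide whether a connection from (peer_host, peer_port) may use the API.
    Returns (allowed, reason).  Loopback alone is not enough: the owning UID of
    the client socket must be in allowed_uids."""
    if not is_loopback_peer(peer_host):
        return False, "peer %s is not a loopback address" % peer_host
    uid = peer_uid_from_proc_net_tcp(proc_net_tcp_text, peer_port)
    if uid is None:
        return False, "no established loopback socket found for peer port %d" % peer_port
    if uid not in allowed_uids:
        return False, "peer uid %d not in allowed set" % uid
    return True, "peer uid %d allowed" % uid


if __name__ == "__main__":
    # Run against the constructed table; with a real server you would pass
    # open("/proc/net/tcp").read() and the peer address from accept().
    print(authorize_local_peer("127.0.0.1", 45000, {996}, SAMPLE_PROC_NET_TCP))
    print(authorize_local_peer("127.0.0.1", 50000, {996}, SAMPLE_PROC_NET_TCP))
    print(authorize_local_peer("10.0.0.5", 45000, {996}, SAMPLE_PROC_NET_TCP))
```

The /proc/net/tcp lookup is a best-effort identification: it is racy (the client can close between accept() and the lookup) and only covers IPv4 here (IPv6 lives in /proc/net/tcp6 with a different address encoding). A Unix-domain socket with SO_PEERCRED, or an SELinux policy that restricts who may connect to the port as suggested in the message above, gives the kernel-enforced answer that this table scan only approximates.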

