[Freeipa-devel] [PATCH] 1106 IPA REST smart proxy

Simo Sorce simo at redhat.com
Mon Feb 17 12:53:18 UTC 2014


On Sun, 2014-02-16 at 21:54 -0500, Dmitri Pal wrote:
> On 02/16/2014 06:49 AM, Simo Sorce wrote:
> > On Fri, 2014-02-14 at 16:52 -0500, Rob Crittenden wrote:
> >> - listens on port 8090, only on localhost
> >> - is unauthenticated
> > Sorry to come late, but I am really at unease with this point.
> >
> > Can we do at least some form of simple authentication ? Even if it is a
> > shared secret in a file accessible by both foreman and smartproxy ?
> >
> > Simo.
> >
> Simo, it is such by design.

The design is that foreman can connect to the local proxy in a simple
way. We can do it w/o exposing completely open interfaces to the local
host.

> The interface is local only and smart proxy explicitly checks that it is 
> called locally by a local process.

If it were using a unix socket that can be protected by permissions I
would have no qualms, but afaik this is listening on a network port on
localhost. It means *any* process can connect, they are all local.

> The daemon by itself will then do a remote authenticate against IPA.
> We trust Foreman machine to make the host changes and allow it to make 
> only these changes using access control rules on the server.
> I do not think we need or can change anything here.
> Any kind of authentication would significantly complicate integration 
> with Foreman and I frankly do not see a value in another level of 
> authentication.
> I.e. how certs or key in the file makes it more secure?

By allowing only the Foreman process to successfully connect.

> I would rather suggest some SELinux policies that would open the REST api port to only 
> specific labels.

Sure SELinux should certainly be used, but not everybody runs SELinux.
A shared file with a secret that only foreman and the proxy can access
is very simple, it can even be generated on the fly at startup, w/o
requiring any special manual setup.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
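The mechanism Simo proposes above, as an added example that is not part of the thread and not the FreeIPA or Foreman code: a listener bound to 127.0.0.1 that any local process can reach, which on startup writes a random shared secret to a file with mode 0600 and rejects every request that does not present it. The file path, the `X-Smartproxy-Secret` header name and the use of an ephemeral port are assumptions for illustration; a real deployment would use a fixed path readable by a group shared between foreman and the proxy.

```python
"""Added example (not FreeIPA/Foreman code): a localhost REST listener that only
accepts requests carrying a shared secret generated at startup.
The secret file path, header name and port are assumptions for illustration."""
import hmac
import http.server
import os
import secrets
import socketserver
import tempfile
import threading
import urllib.error
import urllib.request

SECRET_HEADER = "X-Smartproxy-Secret"   # hypothetical header name


def generate_secret(path):
    """Create the shared secret at startup. 0600 means only the owning
    account (the one foreman and the proxy share) can read it; binding to
    127.0.0.1 alone does nothing to restrict which local process connects."""
    token = secrets.token_hex(32)
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as f:
        f.write(token)
    return token


def token_matches(presented, expected):
    """Constant-time comparison; a missing header is simply rejected."""
    if presented is None:
        return False
    return hmac.compare_digest(presented.encode(), expected.encode())


class ProxyHandler(http.server.BaseHTTPRequestHandler):
    secret = ""  # filled in per server by make_server()

    def do_GET(self):
        if not token_matches(self.headers.get(SECRET_HEADER), self.secret):
            self.send_response(401)
            self.end_headers()
            return
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.end_headers()
        self.wfile.write(b"ok")

    def log_message(self, *args):  # keep the demo quiet
        pass


def make_server(secret):
    """Bind to 127.0.0.1 on an ephemeral port; returns (server, port)."""
    handler = type("Handler", (ProxyHandler,), {"secret": secret})
    srv = socketserver.TCPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, srv.server_address[1]


def call_proxy(port, token=None):
    """Client side (what foreman would do): GET / with or without the secret,
    returning the HTTP status code."""
    req = urllib.request.Request(f"http://127.0.0.1:{port}/")
    if token is not None:
        req.add_header(SECRET_HEADER, token)
    try:
        with urllib.request.urlopen(req) as resp:
            return resp.status
    except urllib.error.HTTPError as e:
        return e.code


def demo():
    """Returns (file mode bits, status with the secret read from the file,
    status with no secret, status with a wrong secret)."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "smartproxy.secret")
        token = generate_secret(path)
        with open(path) as f:
            from_file = f.read()  # the legitimate client reads the same file
        srv, port = make_server(token)
        try:
            mode = os.stat(path).st_mode & 0o777
            return (mode,
                    call_proxy(port, from_file),
                    call_proxy(port),
                    call_proxy(port, "0" * 64))
        finally:
            srv.shutdown()
            srv.server_close()


if __name__ == "__main__":
    print(demo())
```

The two unauthenticated calls in `demo()` stand in for "any process can connect, they are all local": they reach the port fine but get 401, while the caller that can read the 0600 file gets 200. SELinux labelling, as Dmitri suggests, can be layered on top, but this works on a host without it.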
