[Pulp-list] Help setting permissions on roles

Lutchy Horace (Mailing List) mailinglist.subscriptions at lhprojects.net
Sun May 1 16:46:16 UTC 2016


On Sun, 1 May 2016 09:53:29 -0400
"Lutchy Horace (Mailing List)"
<mailinglist.subscriptions at lhprojects.net> wrote:

> 
> I don't mind registering clients with the admin user. However, I do
> have a concern. Do consumers need the admin password to update from
> repository? Assuming that admin password is nowhere stored on the
> consumer machines? And lastly, assuming the consumer machine has been
> compromised, is the Pulp server at risk from pulp-consumer?

Reviewing
https://pulp.readthedocs.io/en/latest/user-guide/consumer-client/register.html,
it appears that a certificate is stored on the consumer machine:

/Once a consumer is registered, a certificate is written into its PKI: 
`/etc/pki/pulp/consumer/consumer-cert.pem`

This certificate will automatically suffice for authentication against
the server’s API for all future operations until the consumer is
unregistered./

This is a bit troublesome as I am unfamiliar with the security
implications of pulp-consumer. I looked over the 'pulp-consumer' command
options and it appears that there is not much it can do. Although I wonder if
a malicious user on a compromised machine can use the client
certificate to conduct malicious activities via the REST API?

Regards

-- 
Lutchy Horace
Owner/Operator/Administrator [http://www.lhprojects.net]
Owner/Operator/Administrator [http://www.bombshellz.net]
Owner/Operator/Administrator [http://www.animehouse.club]
About Me [http://about.me/lhprojects]
USA



