Add `cluster.addresses` and require membership before accepting cluster authentication tokens
Summary:
Ref T2783. Ref T6706.
- Add `cluster.addresses`. This is a whitelist of CIDR blocks which define cluster hosts.
- When we recieve a request that has a cluster-based authentication token, require the cluster to be configured and require the remote address to be a cluster member before we accept it.
- This provides a general layer of security for these mechanisms.
- In particular, it means they do not work by default on unconfigured hosts.
- When cluster addresses are configured, and we receive a request //to// an address not on the list, reject it.
- This provides a general layer of security for getting the Ops side of cluster configuration correct.
- If cluster nodes have public IPs and are listening on them, we'll reject requests.
- Basically, this means that any requests which bypass the LB get rejected.
Test Plan:
- With addresses not configured, tried to make requests; rejected for using a cluster auth mechanism.
- With addresses configred wrong, tried to make requests; rejected for sending from (or to) an address outside of the cluster.
- With addresses configured correctly, made valid requests.
Reviewers: btrahan
Reviewed By: btrahan
Subscribers: epriestley
Maniphest Tasks: T6706, T2783
Differential Revision: https://secure.phabricator.com/D11159
2015-01-03 00:13:41 +01:00
|
|
|
<?php
|
|
|
|
|
|
|
|
final class PhabricatorClusterConfigOptions
|
|
|
|
extends PhabricatorApplicationConfigOptions {
|
|
|
|
|
|
|
|
public function getName() {
|
|
|
|
return pht('Cluster Setup');
|
|
|
|
}
|
|
|
|
|
|
|
|
public function getDescription() {
|
|
|
|
return pht('Configure Phabricator to run on a cluster of hosts.');
|
|
|
|
}
|
|
|
|
|
2016-01-28 17:40:22 +01:00
|
|
|
public function getIcon() {
|
2015-02-02 19:17:25 +01:00
|
|
|
return 'fa-sitemap';
|
|
|
|
}
|
|
|
|
|
2015-02-09 22:10:56 +01:00
|
|
|
public function getGroup() {
|
|
|
|
return 'core';
|
|
|
|
}
|
|
|
|
|
Add `cluster.addresses` and require membership before accepting cluster authentication tokens
Summary:
Ref T2783. Ref T6706.
- Add `cluster.addresses`. This is a whitelist of CIDR blocks which define cluster hosts.
- When we recieve a request that has a cluster-based authentication token, require the cluster to be configured and require the remote address to be a cluster member before we accept it.
- This provides a general layer of security for these mechanisms.
- In particular, it means they do not work by default on unconfigured hosts.
- When cluster addresses are configured, and we receive a request //to// an address not on the list, reject it.
- This provides a general layer of security for getting the Ops side of cluster configuration correct.
- If cluster nodes have public IPs and are listening on them, we'll reject requests.
- Basically, this means that any requests which bypass the LB get rejected.
Test Plan:
- With addresses not configured, tried to make requests; rejected for using a cluster auth mechanism.
- With addresses configred wrong, tried to make requests; rejected for sending from (or to) an address outside of the cluster.
- With addresses configured correctly, made valid requests.
Reviewers: btrahan
Reviewed By: btrahan
Subscribers: epriestley
Maniphest Tasks: T6706, T2783
Differential Revision: https://secure.phabricator.com/D11159
2015-01-03 00:13:41 +01:00
|
|
|
public function getOptions() {
|
|
|
|
return array(
|
|
|
|
$this->newOption('cluster.addresses', 'list<string>', array())
|
|
|
|
->setLocked(true)
|
|
|
|
->setSummary(pht('Address ranges of cluster hosts.'))
|
|
|
|
->setDescription(
|
|
|
|
pht(
|
|
|
|
'To allow Phabricator nodes to communicate with other nodes '.
|
|
|
|
'in the cluster, provide an address whitelist of hosts that '.
|
|
|
|
'are part of the cluster.'.
|
|
|
|
"\n\n".
|
|
|
|
'Hosts on this whitelist are permitted to use special cluster '.
|
|
|
|
'mechanisms to authenticate requests. By default, these '.
|
|
|
|
'mechanisms are disabled.'.
|
|
|
|
"\n\n".
|
|
|
|
'Define a list of CIDR blocks which whitelist all hosts in the '.
|
|
|
|
'cluster. See the examples below for details.',
|
|
|
|
"\n\n".
|
|
|
|
'When cluster addresses are defined, Phabricator hosts will also '.
|
|
|
|
'reject requests to interfaces which are not whitelisted.'))
|
|
|
|
->addExample(
|
|
|
|
array(
|
|
|
|
'23.24.25.80/32',
|
|
|
|
'23.24.25.81/32',
|
|
|
|
),
|
|
|
|
pht('Whitelist Specific Addresses'))
|
|
|
|
->addExample(
|
|
|
|
array(
|
|
|
|
'1.2.3.0/24',
|
|
|
|
),
|
|
|
|
pht('Whitelist 1.2.3.*'))
|
|
|
|
->addExample(
|
|
|
|
array(
|
|
|
|
'1.2.0.0/16',
|
|
|
|
),
|
|
|
|
pht('Whitelist 1.2.*.*'))
|
|
|
|
->addExample(
|
|
|
|
array(
|
|
|
|
'0.0.0.0/0',
|
|
|
|
),
|
|
|
|
pht('Allow Any Host (Insecure!)')),
|
2015-01-27 23:51:48 +01:00
|
|
|
$this->newOption('cluster.instance', 'string', null)
|
|
|
|
->setLocked(true)
|
|
|
|
->setSummary(pht('Instance identifier for multi-tenant clusters.'))
|
|
|
|
->setDescription(
|
|
|
|
pht(
|
|
|
|
'WARNING: This is a very advanced option, and only useful for '.
|
|
|
|
'hosting providers running multi-tenant clusters.'.
|
|
|
|
"\n\n".
|
|
|
|
'If you provide an instance identifier here (normally by '.
|
2015-05-22 09:27:56 +02:00
|
|
|
'injecting it with a `%s`), Phabricator will pass it to '.
|
|
|
|
'subprocesses and commit hooks in the `%s` environmental variable.',
|
|
|
|
'PhabricatorConfigSiteSource',
|
|
|
|
'PHABRICATOR_INSTANCE')),
|
Add `cluster.addresses` and require membership before accepting cluster authentication tokens
Summary:
Ref T2783. Ref T6706.
- Add `cluster.addresses`. This is a whitelist of CIDR blocks which define cluster hosts.
- When we recieve a request that has a cluster-based authentication token, require the cluster to be configured and require the remote address to be a cluster member before we accept it.
- This provides a general layer of security for these mechanisms.
- In particular, it means they do not work by default on unconfigured hosts.
- When cluster addresses are configured, and we receive a request //to// an address not on the list, reject it.
- This provides a general layer of security for getting the Ops side of cluster configuration correct.
- If cluster nodes have public IPs and are listening on them, we'll reject requests.
- Basically, this means that any requests which bypass the LB get rejected.
Test Plan:
- With addresses not configured, tried to make requests; rejected for using a cluster auth mechanism.
- With addresses configred wrong, tried to make requests; rejected for sending from (or to) an address outside of the cluster.
- With addresses configured correctly, made valid requests.
Reviewers: btrahan
Reviewed By: btrahan
Subscribers: epriestley
Maniphest Tasks: T6706, T2783
Differential Revision: https://secure.phabricator.com/D11159
2015-01-03 00:13:41 +01:00
|
|
|
);
|
|
|
|
}
|
|
|
|
|
|
|
|
}
|