mirror of
https://we.phorge.it/source/phorge.git
synced 2024-11-14 10:52:41 +01:00
fa7bb8ff7a
Summary: Ref T2783. Ref T6706. - Add `cluster.addresses`. This is a whitelist of CIDR blocks which define cluster hosts. - When we recieve a request that has a cluster-based authentication token, require the cluster to be configured and require the remote address to be a cluster member before we accept it. - This provides a general layer of security for these mechanisms. - In particular, it means they do not work by default on unconfigured hosts. - When cluster addresses are configured, and we receive a request //to// an address not on the list, reject it. - This provides a general layer of security for getting the Ops side of cluster configuration correct. - If cluster nodes have public IPs and are listening on them, we'll reject requests. - Basically, this means that any requests which bypass the LB get rejected. Test Plan: - With addresses not configured, tried to make requests; rejected for using a cluster auth mechanism. - With addresses configred wrong, tried to make requests; rejected for sending from (or to) an address outside of the cluster. - With addresses configured correctly, made valid requests. Reviewers: btrahan Reviewed By: btrahan Subscribers: epriestley Maniphest Tasks: T6706, T2783 Differential Revision: https://secure.phabricator.com/D11159 |
||
---|---|---|
.. | ||
application | ||
capability | ||
conduit | ||
config | ||
controller | ||
customfield | ||
editor | ||
event | ||
garbagecollector | ||
lipsum | ||
markup | ||
phid | ||
query | ||
search | ||
storage | ||
typeahead | ||
view |