Hey all,
I was testing having a separate DNS for irods in combination with using the host access control list and found something interesting. It means that I can make it work the way it is, but I am wondering if this is correct or not.
Situation:
I have irodsserver zoneA, running on hostname.localdns.com, ip 10.0.0.1, irods 4.3.1
I have a second server running on 10.0.0.2
I made a separate DNS entry, for hostname.publicdns.com that will point to hostname.localdns.com. This loadbalancer does not give the original ip to irods.
In zoneA I have a user Alice.
In the server_config.json I added the following:
"host_access_control": {
    "access_entries": [
        { "user": "irods", "group": "irods", "address": "0.0.0.0", "mask": "255.255.255.255" },
        { "user": "Alice", "group": "none", "address": "10.0.0.2", "mask": "0.0.0.0" }
    ]
},
"host_resolution": {
    "host_entries": [
        {
            "address_type": "local",
            "addresses": [
                "hostname.publicdns.com",
                "hostname.localdns.com",
                "hostname"
            ]
        }
    ]
}
While on server 10.0.0.2 I put in my irods_environment.json:
"irods_host": "hostname.publicdns.com",
I do an iinit, and the connection fails. This is expected, because the route goes via the loadbalancer, irods will see the ip of the loadbalancer instead of 10.0.0.2, so the host access control will prevent Alice from connecting.
I now change my irods_environment.json to:
"irods_host": "hostname.localdns.com",
I again do an iinit, which succeeds, which is also expected, since I allowed Alice to logon from this specific IP.
I follow up with an iput of a small file, which succeeds, and an iput of a large file which succeeds. But, the little detail is in the last action. It looks like the host access control runs on the initial connection, and not on the transfer connection itself, since this is the result of my iput:
Al...@10.0.0.2:~$ iput -fKPV file50M.txt
0/1 - 0.00% of files done 0.000/50.000 MB - 0.00% of file sizes done
Processing file50M.txt - 50.000 MB 2024-06-27.14:58:36
From server: NumThreads=4, addr:hostname.publicdns.com, port:20127, cookie=1889497040
file50M.txt - 37.500/50.000 MB - 75.00% done 2024-06-27.14:58:37
file50M.txt - 50.000/50.000 MB - 100.00% done 2024-06-27.14:58:37
file50M.txt 50.000 MB | 0.737 sec | 4 thr | 67.836 MB/s
As you can see the file transfer itself actually goes over hostname.publicdns.com, which would not be allowed by the host access control. I can see the logic, the host access control probably kicks in in the initial stage, when still connected to hostname.localdns.com, and does not do the check when the file transfer itself actually starts.
For me this actually means there is no problem where I expected one, because it means I can still use the host access control in combination with the loadbalancer, and the loadbalancer handing out a different ip to irods poses no issues.
However, if I implement it like this in production, will that be future proof, or do I need to set things up differently? For further clarification of the use case, I plan to make admin users log on only from within our VPN, while all other users can log on from any place they would like.
regards,
Joris