salt-api: limit access by IP


Craig Sebenik

Jul 19, 2013, 12:28:49 AM
to salt-...@googlegroups.com
Hey!

I am pretty new to the salt-api. I have it running, but we have a request from our security group to limit certain types of requests by client IP.

I'd like to restrict modules by the IP of the sender. (I realize that one can still spoof it… one problem at a time. :> )

I am kind of fumbling around and I am sure I can "get it to work". But, I was hoping someone could point me to an optimal solution rather than "just any" solution.


Not sure what else one would need to know. Just ask away!


TIA!!
Craig

Seth House

Jul 19, 2013, 1:55:10 AM
to salt-...@googlegroups.com
You can limit access to modules via the user account used to
authenticate with salt-api and you can limit access to the API itself
by IP via firewall rules, but there is not currently a way to limit
access to certain modules by IP.

Jakub Mikusek

Jul 19, 2013, 4:10:03 AM
to salt-...@googlegroups.com
Hi Craig,


On 19 July 2013 05:28, Craig Sebenik <cseb...@linkedin.com> wrote:
> Hey!
>
> I am pretty new to the salt-api. I have it running, but we have a request from our security group to limit certain types of requests by client IP.

Depending on how you deployed salt-api I guess, but assuming you're using
apache then http://httpd.apache.org/docs/current/howto/access.html and
http://httpd.apache.org/docs/current/mod/mod_authz_core.html

I wouldn't expect saltapi to have such functionality - no point doubling that.

Hope that helped!

Regards,
Jakub


--
"Imagination is more important than knowledge" -> Albert Einstein
tel: +353 83 44 50 623
jabber: ja...@mikusek.org
gg: 3386899 skype: mmmick3y

Craig Sebenik

Jul 19, 2013, 3:40:10 PM
to salt-...@googlegroups.com
Thanks guys.

I left out some details:

We are running with user auth. But, only user auth is not sufficient. We need to have IP restrictions as well.

Doing that with a firewall (e.g. iptables) means working with another group. While *technically* feasible, it presents a number of non-technical hurdles I'd rather avoid. (The pain of working in a large company.)

I am running cherrypy "directly" (i.e., not using Apache). I guess I could move it over to using Apache. But, that's another thing that needs to be maintained. I like Apache... I just want to minimize the number of moving parts.

We are moving from using the peer publishing system to the netapi. The peer publishing has a config that limits which clients can do what. The "external_auth" config limits which minions the jobs published can act on. (Yes, I understand that the netapi and peer publishing systems are totally different.) So, while it seems odd for salt to manage what hosts have access, in our case, it makes sense because we are migrating from the peer publishing system.

So, I should have asked: how do you limit by IP in cherrypy, not salt itself.

Thanks!
Craig


Corey Quinn

Jul 19, 2013, 3:50:57 PM
to salt-...@googlegroups.com, salt-...@googlegroups.com
For what it's worth, I have an open issue somewhere on adding IP-based restrictions. I think this should probably be added to salt at least; not sure how this impacts salt-API.

--Corey

Seth House

Jul 19, 2013, 5:59:26 PM
to salt-...@googlegroups.com
On Fri, Jul 19, 2013 at 1:40 PM, Craig Sebenik <cseb...@linkedin.com> wrote:
> So, while it seems odd for salt to manage what hosts have access, in our case, it makes sense because we are migrating from the peer publishing system.

An overlooked aspect of the external_auth config is that you can put
host-specific authorization there, represented as an additional level,
similar to the peer system config. E.g.:

external_auth:
  pam:
    someuser:
      - somehostname:
          - test.*

As opposed to the more commonly seen config that authorizes all hosts:

external_auth:
  pam:
    someuser:
      - test.*

Would it be possible to create a user that only has access to the
hosts you want to access?

Shifting gears, out of curiosity why are you migrating off the Peer system?

> So, I should have asked; how do you limit by IP in cherrypy, not salt itself.

If the above doesn't suffice, it would be straightforward to add a
CherryPy tool to the rest_cherrypy app to do IP-based authorization
but it is something that would need to be written. In other words,
it's not an existing plugin or flag on the CherryPy server that could
be toggled. Something similar to the existing salt_auth_tool(). If
someone is interested in writing it, I could help with advice or
fielding questions.

Craig Sebenik

Jul 20, 2013, 1:43:41 AM
to <salt-users@googlegroups.com>
Thanks for the response!

> external_auth:
>   pam:
>     someuser:
>       - somehostname:
>           - test.*

My understanding is that the host given above would be where you can *run* the commands, not what hosts can talk to the rest endpoint.

Did I read it wrong?

> Would it be possible to create a user that only has access to the
> hosts you want to access?


Not really. It is technically possible, but that wasn't what our security group asked for. Having 1 specific user only on a subset of hosts doesn't really scale well, IMO.


> Shifting gears, out of curiosity why are you migrating off the Peer system?


Another group in the company is developing a deployment system based on salt. However, they have to run the system as a non-root user. (Long story.) We tried changing the perms, but sometime in 0.14.x, salt "self healed" and altered permissions that looked wrong. This was going to be an ongoing problem. Moving to the netapi means they can run their code as any user and we can run all of the "salt stuff" as root.


> If the above doesn't suffice, it would be straightforward to add a
> CherryPy tool to the rest_cherrypy app to do IP-based authorization
> but it is something that would need to be written. In other words,
> it's not an existing plugin or flag on the CherryPy server that could
> be toggled. Something similar to the existing salt_auth_tool(). If
> someone is interested in writing it, I could help with advice or
> fielding questions.

I am more than willing. My familiarity with cherrypy is, well, 0. But, my background is pretty strong. I am totally open to some pointers.


Thanks again. There are definitely a bunch of options. But, I am handcuffed a little by some internal "politics" and some of the realities of working in a large company.


Craig

Seth House

Jul 22, 2013, 5:31:42 PM
to salt-...@googlegroups.com
On Fri, Jul 19, 2013 at 11:43 PM, Craig Sebenik <cseb...@linkedin.com> wrote:
> Having 1 specific user only on a subset of hosts doesn't really scale well, IMO.

You're right about that. I was hoping it might be a quicker workaround
is all. :)

> I am handcuffed a little by some internal "politics" and some of the realities of working in a large company.

I understand this all too well. Thanks for the run-down of how you're
using salt-api, btw. That was interesting to read.

> I am more than willing. My familiarity with cherrypy is, well, 0.

Cool. Briefly:

1. Add a new "tool" (a function that gets run sometime during the
request/response cycle). Look at the ``salt_auth_tool()`` [1] as an
example.

2. Register it in the "toolbox" (just an arbitrary namespace) [2] as
"before_handler".

3. Activate the tool in the class that processes the REST
request/responses [3].

A few more pointers:

* You will be able to grab the IP from ``cherrypy.request.remote.ip`` [4].

* You can grab the command(s) to be run from ``cherrypy.request.lowstate``.

* The Salt master config is available in that tool as ``__opts__``.
(This may be a good place to store what IPs can run what functions --
you can add arbitrary stuff to the Salt config.)

* You can raise auth exceptions or do whatever else you need in that tool.

* If you don't want to modify the existing netapi module, you can copy
that directory to another name and activate that in your master config
instead. (E.g., rest_mymodule).

[1] https://github.com/saltstack/salt-api/blob/4793578/saltapi/netapi/rest_cherrypy/app.py#L192

[2] https://github.com/saltstack/salt-api/blob/4793578/saltapi/netapi/rest_cherrypy/app.py#L1012

[3] https://github.com/saltstack/salt-api/blob/4793578/saltapi/netapi/rest_cherrypy/app.py#L388

[4] http://docs.cherrypy.org/stable/refman/_cprequest.html

Let me know if you have any more questions. Or grab me on IRC
(whiteinge) if you'd prefer.
- Seth
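A sketch of the tool described in the steps above, added here as an example and not code from the thread or from salt-api. It assumes a hypothetical master config key ``ip_auth`` (CIDR network -> list of function globs) read from a module-level ``OPTS`` dict standing in for ``__opts__``, that ``cherrypy.request.lowstate`` is the list of chunks each carrying a ``fun`` key, and that ``cherrypy.request.remote.ip`` is the real client address (true when CherryPy is serving directly, as in this thread; behind a proxy it would be the proxy's address). The policy check is pure Python so it runs without CherryPy installed.

```python
import fnmatch
import ipaddress

try:
    import cherrypy  # only needed when the tool is registered in a running app
except ImportError:  # the policy check below still works without it
    cherrypy = None

# Constructed sample of the hypothetical ``ip_auth`` master config key
# (stands in for __opts__; the key name is an assumption, not a salt-api option).
OPTS = {
    "ip_auth": {
        "10.1.0.0/16": ["test.*", "grains.items"],  # read-only style functions
        "192.168.5.7/32": ["state.*"],              # one deploy host may run states
    }
}


def ip_allowed(opts, client_ip, lowstate):
    """Fail closed: True only if every ``fun`` in lowstate is permitted for client_ip."""
    if not lowstate:
        return False
    try:
        addr = ipaddress.ip_address(client_ip)
    except ValueError:  # unparsable peer address: deny
        return False
    allowed = []
    for net, funs in opts.get("ip_auth", {}).items():
        if addr in ipaddress.ip_network(net, strict=False):
            allowed.extend(funs)
    if not allowed:
        return False
    for chunk in lowstate:
        fun = chunk.get("fun", "")
        if not fun or not any(fnmatch.fnmatch(fun, pat) for pat in allowed):
            return False
    return True


def ip_auth_tool():
    """CherryPy ``before_handler`` tool: reject the request unless the peer IP is authorized."""
    lowstate = getattr(cherrypy.request, "lowstate", None) or []
    if not ip_allowed(OPTS, cherrypy.request.remote.ip, lowstate):
        raise cherrypy.HTTPError(403, "Client IP not authorized for requested function")


if cherrypy is not None:
    # Step 2: register in the toolbox; step 3 is ``_cp_config = {'tools.ip_auth.on': True}``
    # on the handler class (or ``tools.ip_auth.on`` in the server config).
    cherrypy.tools.ip_auth = cherrypy.Tool("before_handler", ip_auth_tool)
```

Because the check runs ``before_handler``, it sits ahead of the handler that publishes the job, so a denied request never reaches the Salt master.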