Forum: CFEngine Help
Subject: Access to cf-serverd via external files
Author: berntjernberg
Link to topic: https://cfengine.com/forum/read.php?3,23091,23091#msg-23091
Hi all,

I want to hide the access- and trust-keys lists from everybody by reading those lists from the contents of directories on the policy server. I have a directory, /cf/trustkeys, which may contain files named as IP addresses, like this:
# ls -1 /cf/trustkeys
10.10.10.10
10.10.10.11
......
The directory is not shared to clients.

My long term goal is for the client to report back to the policy server that the key exchange is ready and then the policy server will remove the client's "ip-file" from /cf/trustkeys. The reason for the files in /cf/trustkeys is easy configuration by an external script in our deploy routine. The line:

    trustkeysfrom => { @(s.trustkeysfrom_acl) };

will always be there if this idea works.

Part of my cf-serverd.cf looks like this. The syntax works, but I have to restart cf-serverd to change the trustkeys-list with the current code. cf-serverd, on the policy server, is run by the normal user cfengine, thus cf-serverd has its files in /home/cfengine/.cfagent and cf-agent (run as root) in /var/cfengine.
bundle common s
{
  vars:
    policy_host::
      "addresses_to_split" string => execresult("$(g.ls) /cf/trustkeys 2>/dev/null", "useshell");

    acl_exists::
      "trustkeysfrom_acl" slist => splitstring("$(s.addresses_to_split)", "\n", "30");

      "connect_acl" slist => {
        "XX.XXX..*",
        "XX.XXX..*",
        "XX.XXX..*"
      };

  classes:
      "acl_exists" not => regcmp("$(addresses_to_split)", "");
}

body server control
{
  denybadclocks     => "true";
  allowconnects     => { @(s.connect_acl) };
  allowusers        => { "root", "cfengine" };
  maxconnections    => "1000";
  logallconnections => "true";
  bindtointerface   => "$(g.my_ip)";
  trustkeysfrom     => { @(s.trustkeysfrom_acl) };
}

bundle server access_rules()
{
  access:
    policy_host::
      "$(g.dir_repository)"
        handle  => "grant_access_to_repository",
        comment => "Grant access to the repository",
        admit   => { @(s.connect_acl) };
}
Is this a good/bad solution? Any ideas?
_______________________________________________
Help-cfengine mailing list
[email protected]
https://cfengine.org/mailman/listinfo/help-cfengine
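A hardened variant of the bundle in the post, added here as an example and not part of the original message or of CFEngine's own policy library: it keeps the directory-listing mechanism but whitelists the entries with grep() so that only file names shaped like dotted-quad IPv4 addresses can reach trustkeysfrom (a stray editor backup or README in /cf/trustkeys would otherwise become a trust entry), and it adds an agent bundle for the stated long-term goal of removing a client's entry once the client has reported back. /bin/ls (in place of the post's $(g.ls)), the /cf/trustdone report directory, the policy_host class and the tidy body from cfengine_stdlib.cf are assumptions.

```cfengine
body common control
{
  bundlesequence => { "retire_trust" };
  inputs         => { "cfengine_stdlib.cf" };   # assumed: provides the tidy body
}

bundle common s
{
  vars:
    policy_host::
      # Same mechanism as the post: one file per trusted address in /cf/trustkeys.
      # /bin/ls is assumed here in place of the post's $(g.ls).
      "addresses_to_split" string => execresult("/bin/ls -1 /cf/trustkeys 2>/dev/null", "useshell");

    acl_exists::
      "raw_entries" slist => splitstring("$(s.addresses_to_split)", "\n", "1000");

      # Whitelist filter: grep() anchors the regex to the whole list item, so only
      # entries that look like dotted-quad IPv4 addresses survive. Anything else
      # in the directory is ignored instead of widening trustkeysfrom.
      "trustkeysfrom_acl" slist => grep("[0-9]{1,3}(\.[0-9]{1,3}){3}", "raw_entries");

  classes:
      # Defined only when the listing was non-empty; strcmp() reads more plainly
      # than the regcmp() form in the post and has the same effect.
      "acl_exists" not => strcmp("$(addresses_to_split)", "");
}

bundle agent retire_trust
{
  vars:
    policy_host::
      # Assumed convention (not from the post): a client that has finished its key
      # exchange causes a file named after its IP address to appear in /cf/trustdone.
      "done_raw"  string => execresult("/bin/ls -1 /cf/trustdone 2>/dev/null", "useshell");
      "done_all"  slist  => splitstring("$(done_raw)", "\n", "1000");
      # Same whitelist as above, so a malformed report file cannot select
      # an arbitrary path under /cf/trustkeys for deletion.
      "done_list" slist  => grep("[0-9]{1,3}(\.[0-9]{1,3}){3}", "done_all");

  files:
    policy_host::
      # Close the trust window: once a client is done, its entry leaves
      # /cf/trustkeys, so the server no longer accepts an unknown key from
      # that address on the next evaluation of the list.
      "/cf/trustkeys/$(done_list)"
        delete => tidy;
}
```

The body server control and the access bundle from the post are unchanged and still consume @(s.trustkeysfrom_acl) and @(s.connect_acl); the only difference a client sees is that a non-address file name in /cf/trustkeys never turns into a trust entry, and that an entry disappears as soon as its /cf/trustdone counterpart exists.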