Forum: CFEngine Help
Subject: Limit cf-serverd access to certain IPs
Author: toddnni
Link to topic: https://cfengine.com/forum/read.php?3,23620,23620#msg-23620
Hi all,
I am trying to limit access to files according to IP addresses. Currently I use
a complicated structure like this:
bundle common network
{
  vars:
    any::
      # Map each IP to a host id, and each host id to that host's fields.
      # NB: as written, the six "host[000]" promises share one key, and a
      # CFEngine variable holds only one value, so each field needs its own
      # distinct index.
      "hostid[192.168.2.10]" string => "000";
      "host[000]" string => "192.168.2.10";
      "host[000]" string => "example1";
      "host[000]" string => "local.net";
      "host[000]" slist  => { "cf_null" };
      "host[000]" string => "location1";
      "host[000]" string => "location1 location2";

      "hostid[192.168.2.11]" string => "001";
      "host[001]" string => "192.168.2.11";
      "host[001]" string => "example2";
      "host[001]" string => "local.net";
      "host[001]" slist  => { "kerberos", "kerberos.local.net" };
      "host[001]" string => "location2";
      "host[001]" string => "location2";

      "hostips"
        comment => "The list of known IPs.",
        slist   => getindices("network.hostid");

      "hostids"
        comment => "Used to iterate over the host array.",
        slist   => getindices("network.host");
}

bundle server access_rules
{
  vars:
    any::
      # Local copy of the id list so that $(hostids) iterates inside this bundle.
      "hostids" slist => { "@(network.hostids)" };

  access:
    any::
      "$(cf.masterfiles)"
        comment     => "Allow only known IP-addresses to download policies.",
        admit       => { "@(network.hostips)" },
        ifencrypted => "true";

      # One promise per host id: each key file is admitted to that host only.
      "/var/secretfiles/ssh.$(network.host[$(hostids)]).$(network.host[$(hostids)]).dsa"
        comment     => "Only the host itself can download its private SSH keys.",
        admit       => { "$(network.host[$(hostids)])" },
        ifencrypted => "true";
}
The structure may seem overly complicated to you, but every field in the host
array is currently needed. One reason for this structure is that the same list
can be used to create hosts files or a DNS database.
My configuration works, but I'm worried about performance when the number of
hosts grows:
+ performance of cf-agent because of the large array and
+ performance of cf-serverd because of complicated access rules.
This kind of structure might also be painful to maintain.
What do you think?
1. Should I worry about performance at all?
2. Do you know a better way to handle an IP address list (maybe a hosts file
and parsestringarray())?
3. How do you limit access to policy files?
Thanks for your time.
_______________________________________________
Help-cfengine mailing list
help-cfengine@cfengine.org
https://cfengine.org/mailman/listinfo/help-cfengine
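The table-driven alternative the post asks about in question 2, as an added example that is not part of the original post and not CFEngine's own policy: one host per line in a tab-separated file read with readstringarray(), and the access rules derived from it. The file path /var/cfengine/masterfiles/hosts.tsv, its column layout, the sample rows, and the variable cf.masterfiles (carried over from the post) are assumptions.

```cfengine3
# Added example, not from the original post. Host inventory kept in one
# tab-separated table instead of hand-written arrays.
#
# Assumed file /var/cfengine/masterfiles/hosts.tsv (constructed sample;
# columns: ip, short name, domain, location):
#   192.168.2.10	example1	local.net	location1
#   192.168.2.11	example2	local.net	location2

bundle common network
{
  vars:
    any::
      # readstringarray keys the array on the first column, so
      # hosts[<ip>][0] is the IP, [1] the short name, [2] the domain,
      # [3] the location. "dim" receives the number of rows read.
      "dim" int => readstringarray("hosts",
                                   "/var/cfengine/masterfiles/hosts.tsv",
                                   "#[^\n]*",   # lines to skip (comments)
                                   "\t",        # column separator
                                   "1000",      # max rows
                                   "100000");   # max bytes

      # The list of known IPs is simply the set of keys.
      "hostips" slist => getindices("network.hosts");
}

bundle server access_rules
{
  vars:
    any::
      # Local copy so that $(ips) iterates within this bundle.
      "ips" slist => { "@(network.hostips)" };

  access:
    any::
      "$(cf.masterfiles)"
        comment     => "Only inventoried hosts may download policy.",
        admit       => { "@(network.hostips)" },
        ifencrypted => "true";

      # Expanded once per IP: the key file named after a host's short name
      # and domain is admitted to that host's IP and nothing else.
      "/var/secretfiles/ssh.$(network.hosts[$(ips)][1]).$(network.hosts[$(ips)][2]).dsa"
        comment     => "Only the host itself can fetch its own private SSH key.",
        admit       => { "$(ips)" },
        ifencrypted => "true";
}
```

The same hosts.tsv can feed the hosts-file or DNS generation the post mentions, so the inventory is edited in one place. Two caveats a practitioner would add: admit matches the connecting source address, so it is a network-layer filter and is only as strong as the network's protection against spoofing; the cryptographic identity check is the client key cf-serverd already holds, so keep trustkeysfrom as narrow as the admit list rather than open.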