  1. HPCC
  2. HPCC-22030

Add whitelist mechanism and block dali connections that aren't present or have a mismatched role

    Details

      Description

      Add a whitelist mechanism so that only hosts that connect to Dali with matching roles are allowed to proceed.
      When a client is refused, return an error and print it client side.

      The whitelist will automatically be populated with the server components with their roles.

      Example pseudo whitelist:

      { HostA, ThorMaster } { HostB, EclAgent } { HostC, Dali } { HostD, Roxie1 }

      In addition to the automatic population of the whitelist from existing component instances in the environment, a supplementary whitelist definition in the environment will allow additional nodes and roles to be added, e.g. so that a daliadmin from an administrator's node can be added.

      This will look like, e.g.:

      <Environment>
      ...
      ..
       <WhiteList>
        <Entry hosts="adminnode1,adminnode2" roles="DaliDiag,DaliAdmin"/>
        <Entry hosts="adminnode3" roles="DaliAdmin"/>
       </WhiteList>
      ...
      ..
      </Environment>
      

      hosts and roles can each be a single value or a comma-separated list of values.
      This example specifies that the DaliDiag and DaliAdmin roles are allowed to connect from adminnode1 and adminnode2, and that DaliAdmin is allowed to connect from adminnode3.

      Possible role values are:

      ThorMaster
      EclCCServer
      EclCC 
      EclServer
      EclScheduler
      EclAgent
      AgentExec
      DaliServer
      SashaServer
      DfuServer
      EspServer
      Config
      SchedulerAdmin
      RoxieMaster
      BackupGen
      DaFsControl
      SwapNode
      DaliAdmin
      UpdateEnv
      TreeView
      DaliDiag
      Testing
      XRef
      

      The whitelist checks can be disabled completely by adding enabled="false" as an attribute to WhiteList, e.g.:

       <WhiteList enabled="false">
      

      The current whitelist state can be retrieved with:

      dalidiag <dali-ip> -whitelist
      

              People

              • Assignee:
                jakesmith Jake Smith
                Reporter:
                jakesmith Jake Smith