Fixed
Details
Assignee: Jacob Cobbett-Smith
Reporter: Jacob Cobbett-Smith
Priority: Major
Compatibility: Minor
Created April 28, 2019 at 8:32 PM
Updated January 8, 2020 at 1:56 PM
Resolved June 14, 2019 at 8:29 AM
Add a whitelist mechanism so that only hosts that connect to Dali with matching roles are allowed to proceed.
When a client is refused, return an error and print it client side.
The whitelist will automatically be populated with the server components with their roles.
Example pseudo whitelist:
{ HostA, ThorMaster }
{ HostB, EclAgent }
{ HostC, Dali }
{ HostD, Roxie1 }
In addition to the automatic population of the whitelist from existing component instances in the environment, a supplementary whitelist definition in the environment will allow additional nodes and roles to be added, e.g. so that a daliadmin from an administrator's node can be added.
This will look like, e.g.:
<Environment>
  ... ..
  <WhiteList>
    <Entry hosts="adminnode1,adminnode2" roles="DaliDiag,DaliAdmin"/>
    <Entry hosts="adminnode3" roles="DaliAdmin"/>
  </WhiteList>
  ... ..
</Environment>
hosts and roles can each be a single value or a comma-separated list of values.
This example specifies that the DaliDiag and DaliAdmin roles are allowed to connect from adminnode1 and adminnode2, and that DaliAdmin is allowed to connect from adminnode3.
Possible role values are:
ThorMaster, EclCCServer, EclCC, EclServer, EclScheduler, EclAgent, AgentExec, DaliServer, SashaServer, DfuServer, EspServer, Config, SchedulerAdmin, RoxieMaster, BackupGen, DaFsControl, SwapNode, DaliAdmin, UpdateEnv, TreeView, DaliDiag, Testing, XRef
The whitelist checks can be disabled completely by adding enabled="false" as an attribute to WhiteList, e.g.:
<WhiteList enabled="false">
The current whitelist state can be retrieved with:
dalidiag <dali-ip> -whitelist
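The WhiteList semantics described above, as an added Python sketch that is not Dali's own code: each Entry expands to every (host, role) pair, and enabled="false" turns the check off. It assumes WhiteList is a direct child of Environment, that hosts are compared as exact strings, and that only the literal "false" disables checks; `load_whitelist`, `is_allowed` and `auto_entries` are hypothetical names.

```python
import xml.etree.ElementTree as ET

# Role names exactly as listed on this page.
KNOWN_ROLES = set(
    "ThorMaster EclCCServer EclCC EclServer EclScheduler EclAgent AgentExec "
    "DaliServer SashaServer DfuServer EspServer Config SchedulerAdmin "
    "RoxieMaster BackupGen DaFsControl SwapNode DaliAdmin UpdateEnv TreeView "
    "DaliDiag Testing XRef".split())

# Constructed sample, modelled on the fragment in the description.
SAMPLE_ENV = """<Environment>
  <WhiteList>
    <Entry hosts="adminnode1,adminnode2" roles="DaliDiag,DaliAdmin"/>
    <Entry hosts="adminnode3" roles="DaliAdmin"/>
  </WhiteList>
</Environment>"""

def _csv(value):
    """Split a single value or comma-separated list, dropping blanks."""
    return [v.strip() for v in (value or "").split(",") if v.strip()]

def load_whitelist(env_xml, auto_entries=()):
    """Return (enabled, {(host, role), ...}) for a trusted environment document.

    auto_entries stands in for the pairs auto-populated from server components.
    """
    root = ET.fromstring(env_xml)
    allowed = set(auto_entries)
    node = root.find("WhiteList")
    if node is None:
        return True, allowed  # assumption: no element means checks stay on
    # Assumption: only the literal "false" disables checks (fail closed).
    enabled = node.get("enabled", "true").strip().lower() != "false"
    for entry in node.findall("Entry"):
        hosts, roles = _csv(entry.get("hosts")), _csv(entry.get("roles"))
        unknown = [r for r in roles if r not in KNOWN_ROLES]
        if unknown:  # a typo in a role name should fail loudly, not silently
            raise ValueError(f"unknown role(s) in WhiteList entry: {unknown}")
        allowed.update((h, r) for h in hosts for r in roles)
    return enabled, allowed

def is_allowed(whitelist, host, role):
    """True if host may connect with role, or if checks are disabled."""
    enabled, allowed = whitelist
    return (not enabled) or (host, role) in allowed
```

Because a role is only granted for the hosts named in the same Entry, adminnode3 gets DaliAdmin but not DaliDiag, which is the property worth checking when reviewing a supplementary whitelist.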