
User story #7376

closed

Authorize both path relative to technique and to config-repos in technique metadata.xml descriptor

Added by Nicolas CHARLES over 5 years ago. Updated over 5 years ago.

Status: Released
Priority: 1
Category: Web - Config management
Target version:
Suggestion strength:
User visibility:
Effort required:

Description

In the Technique descriptor (metadata.xml), allow both relative and full paths for the templates used (TML attribute), to allow better isolation of promises in ncf.


Subtasks 1 (0 open, 1 closed)

Bug #7466: Templates and Files "by path" don't trigger technique library reload (Released, Vincent MEMBRÉ, 2015-11-24)

Related issues

Related to Rudder - User story #7402: Add a <FILE> tag in metadata.xml to allow simple file copy into techniques (Released, Nicolas CHARLES, 2015-11-22)
#1

Updated by Nicolas CHARLES over 5 years ago

Oh, and also authorize pure .cf file

#2

Updated by Nicolas CHARLES over 5 years ago

  • Related to User story #7377: Adapt rudderify script to use <FILE> in the generated metadata.xml added
#3

Updated by François ARMAND over 5 years ago

  • Status changed from New to In progress
#4

Updated by Vincent MEMBRÉ over 5 years ago

  • Related to deleted (User story #7377: Adapt rudderify script to use <FILE> in the generated metadata.xml)
#5

Updated by François ARMAND over 5 years ago

After some more thought, I'm pretty sure that we don't want to authorize any absolute path for templates.

For one, I'm almost sure it's a security hole waiting to be found. Letting the possibility for one to use any file on the FS, especially one with unprivileged rights, as a template for root-level management of nodes seems to be a bad idea.

But even without considering the extension of the attack surface, allowing the use of templates anywhere on the FS completely breaks the boundaries of our system, and it becomes impossible to even try to version (or take care of versions of) Technique templates, because we can no longer tell when some technique comes into Rudder. Today, we CAN, even if we are not doing it completely: the Technique template is versioned in our Git. And we do use it, because it's what allows triggering a promise generation if a Technique changed and the library was reloaded (or more exactly, it allows tracing which Techniques changed, and so what promises must be updated).

So, the problem may be stated like that: we don't want to authorize templates outside of our Git.

Notice that all of that MAY be irrelevant for the <FILE> tag (see #7402), because we can have as policy that <FILES> are outside of the Rudder system, and that it's a feature to not track them - but that's not clear, see details on the ticket.

So, I propose to add that prerequisite: the absolute path given must be a subdirectory of the Git defined in the Rudder configuration file for property "rudder.dir.gitRoot" (by default, /var/rudder/configuration-repository).
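
The containment prerequisite proposed in the comment above, as an added example that is not Rudder's own code (Rudder is written in Scala; this is a stand-alone Python illustration of the check). It accepts a TML path either relative to the technique directory or as an absolute path, normalizes it, and accepts it only if the result is strictly inside rudder.dir.gitRoot. Function names, the technique directory and the sample TML values are constructed for the illustration; only the default gitRoot value comes from the ticket.

```python
"""Containment check for template paths declared in a technique's metadata.xml.

Added example (not Rudder's own code). It implements the prerequisite from the
ticket: a TML path may be relative to the technique directory or absolute, but
in both cases the resolved file must live under rudder.dir.gitRoot. Function
and variable names are assumptions made for this illustration.
"""
import posixpath
from typing import List, Tuple

# Default value of rudder.dir.gitRoot as quoted in the ticket.
DEFAULT_GIT_ROOT = "/var/rudder/configuration-repository"


class TemplatePathError(ValueError):
    """Raised when a TML path resolves outside the configuration repository."""


def resolve_template_path(tml_path: str, technique_dir: str,
                          git_root: str = DEFAULT_GIT_ROOT) -> str:
    """Return the normalized absolute path of a template, or raise.

    - A relative tml_path is joined to technique_dir (the directory holding
      metadata.xml): "path relative to technique".
    - An absolute tml_path is taken as given: "path relative to config-repos"
      written out in full.
    Both are normalized ("." and ".." collapsed) and then required to be
    strictly inside git_root.
    """
    root = posixpath.normpath(git_root)
    if not posixpath.isabs(root) or not posixpath.isabs(technique_dir):
        raise TemplatePathError("git_root and technique_dir must be absolute")

    if posixpath.isabs(tml_path):
        candidate = posixpath.normpath(tml_path)
    else:
        candidate = posixpath.normpath(posixpath.join(technique_dir, tml_path))

    # commonpath, not startswith: a plain string-prefix test would accept
    # "/var/rudder/configuration-repository-other/x.st" as being inside root.
    if candidate == root or posixpath.commonpath([root, candidate]) != root:
        raise TemplatePathError(
            f"template {tml_path!r} resolves to {candidate}, outside {root}")
    return candidate


def is_inside_git_root(tml_path: str, technique_dir: str,
                       git_root: str = DEFAULT_GIT_ROOT) -> bool:
    """Boolean form of the check, convenient when filtering a descriptor."""
    try:
        resolve_template_path(tml_path, technique_dir, git_root)
    except TemplatePathError:
        return False
    return True


def partition_templates(tml_paths: List[str], technique_dir: str,
                        git_root: str = DEFAULT_GIT_ROOT) -> Tuple[List[str], List[str]]:
    """Split the TML paths of one descriptor into (accepted, rejected)."""
    accepted: List[str] = []
    rejected: List[str] = []
    for p in tml_paths:
        (accepted if is_inside_git_root(p, technique_dir, git_root) else rejected).append(p)
    return accepted, rejected


if __name__ == "__main__":
    # Constructed sample: a technique directory under the default gitRoot and
    # a mix of legitimate and escaping TML attributes.
    technique = "/var/rudder/configuration-repository/techniques/example/1.0"
    sample = [
        "example.st",                                             # relative, inside
        "/var/rudder/configuration-repository/shared/common.st",  # absolute, inside
        "../../../../etc/shadow",                                 # traversal, escapes root
        "/etc/passwd",                                            # absolute, outside
        "/var/rudder/configuration-repository-other/x.st",        # prefix look-alike
    ]
    ok, bad = partition_templates(sample, technique)
    for p in ok:
        print("accept", resolve_template_path(p, technique))
    for p in bad:
        print("reject", p)
```

The check is purely lexical (posixpath.normpath never touches the filesystem), which is what makes it safe to run at descriptor-parsing time; in a deployment the file should also be resolved with os.path.realpath before the comparison, so that a symlink committed inside the repository cannot point the template outside it. Keeping every accepted path under gitRoot is also what preserves the change-tracking argument made in the comment: everything the policy generator reads stays inside the versioned tree.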

#6

Updated by François ARMAND over 5 years ago

  • Subject changed from Authorize both relative and full path for templates in technique descriptor to Authorize both path relative to technique and to config-repos in technique metadata.xml descriptor

See #7402 for an explanation of the "why".

#7

Updated by François ARMAND over 5 years ago

  • Status changed from In progress to Pending technical review
  • Assignee changed from François ARMAND to Nicolas CHARLES
  • Pull Request set to https://github.com/Normation/rudder/pull/966
#8

Updated by François ARMAND over 5 years ago

  • Related to User story #7402: Add a <FILE> tag in metadata.xml to allow simple file copy into techniques added
#9

Updated by François ARMAND over 5 years ago

  • Status changed from Pending technical review to Pending release
  • % Done changed from 0 to 100
#11

Updated by Vincent MEMBRÉ over 5 years ago

  • Status changed from Pending release to Released

This bug has been fixed in Rudder 3.2.0~beta1 which was released today.
