Project

General

Profile

User story #6363

Updated by Alexis Mousset about 6 years ago

h2. Node policies 

 h3. CFEngine node policies 

 |*Rudder version*|*Transport*|*Client Identification*|*Client Authentication*|*Server Authentication*| 
 |4.1|%{color:orange}TLS 1.0+%, %{color:red}"classic" %{color:orange}"classic" protocol available for 3.1 agents with initial policies%|node UUID|%{color:red}allowed networks AND (use an IP declared in the inventory OR know the hostname of the node OR private key matching the public key in the inventory)%|%{color:green}TOFU on server key%| 
 |4.3, 5.0|%{color:orange}TLS 1.0+%|node UUID|%{color:green}allowed networks AND private key matching the public key in the inventory (which if verified or TOFU)%|%{color:green}TOFU on server key%| 
 |5.1|%{color:green}TLS 1.2+%|node UUID|%{color:green}allowed networks AND private key matching the public key in the inventory (which if verified or TOFU)%|%{color:green}TOFU on server key%| 


 Notes: 

 * TODO check how ppkeys/lastseen really works 
 * UUIDs are visible in clear text reports 
 * "rudder agent reset" destroys the link between IPs and known keys (i.e. resets the TOFU at agent level, but not inventory level) 

 h3. Remote run 

 |*Rudder version*|*Transport*|*Client Identification*|*Client Authentication*|*Server Authentication*| 
 |4.1|%{color:orange}TLS 1.0+%, %{color:red}"classic" %{color:orange}"classic" protocol available for 3.1 agents with initial policies%|None|%{color:red}allowed networks AND (IP of the declared policy server OR know the hostname of the policy server)%|%{color:green}TOFU on server key%| 
 |4.3, 5.0|%{color:orange}TLS 1.0+%|None|%{color:green}allowed networks AND IP of the declared policy server (which provides TOFU on the key)%|%{color:green}TOFU on server key%| 

 Notes: 

 * "rudder agent reset" destroys the link between IPs and known keys (i.e. resets the TOFU at agent level, but not inventory level) 

 h3. Windows DSC node policies 

 |*Rudder version*|*Transport*|*Client Identification*|*Client Authentication*|*Server Authentication*| 
 |4.3, 5.0|%{color:orange}TLS 1.0+%|node UUID|%{color:green}allowed networks AND private key matching the public key in the inventory (which if verified or TOFU)%|%{color:orange}IP%| 
 |5.1|%{color:green}TLS 1.2+%|node UUID|%{color:green}allowed networks AND private key matching the public key in the inventory (which if verified or TOFU)%|%{color:orange}IP%| 

 h2. Inventories 

 |*Rudder agent*|*Transport*|*Client Identification*|*Client Authentication*|*Server Authentication*| 
 |Linux|%{color:orange}HTTPS with TLS 1.0+%|node UUID|%{color:green}allowed networks AND signature matching the public key in the first inventory (which if verified or TOFU)%|%{color:orange}IP%| 
 |Windows DSC|%{color:orange}HTTPS with TLS 1.0+%|node UUID|%{color:red}allowed networks%|%{color:orange}IP%| 
 |AIX|%{color:red}HTTP%|node UUID|%{color:green}allowed networks AND signature matching the public key in the first inventory (which if verified or TOFU)%|%{color:orange}IP%| 

 h2. Reports 

 |Rudder version||*Transport*|*Client Identification*|*Client Authentication*|*Server Authentication*| 
 |4.1, 4.3, 5.0|%{color:red}Plain text TCP/UDP%|node UUID|%{color:red}None%|%{color:orange}IP%| 

 h2. Sending a file to another node (shared file) 

 TODO

Back