User story #6363
Updated by Alexis Mousset about 6 years ago
h2. Node policies
h3. CFEngine node policies
|*Rudder version*|*Transport*|*Client Identification*|*Client Authentication*|*Server Authentication*|
|4.1|%{color:orange}TLS 1.0+%, %{color:red}"classic" protocol available for 3.1 agents with initial policies%|node UUID|%{color:red}allowed networks AND (use an IP declared in the inventory OR know the hostname of the node OR private key matching the public key in the inventory)%|%{color:green}TOFU on server key%|
|4.3, 5.0|%{color:orange}TLS 1.0+%|node UUID|%{color:green}allowed networks AND private key matching the public key in the inventory (which if verified or TOFU)%|%{color:green}TOFU on server key%|
|5.1|%{color:green}TLS 1.2+%|node UUID|%{color:green}allowed networks AND private key matching the public key in the inventory (which if verified or TOFU)%|%{color:green}TOFU on server key%|
Notes:
* TODO check how ppkeys/lastseen really works
* UUIDs are visible in clear text reports
* "rudder agent reset" destroys the link between IPs and known keys (i.e. resets the TOFU at agent level, but not inventory level)
h3. Remote run
|*Rudder version*|*Transport*|*Client Identification*|*Client Authentication*|*Server Authentication*|
|4.1|%{color:orange}TLS 1.0+%, %{color:red}"classic" protocol available for 3.1 agents with initial policies%|None|%{color:red}allowed networks AND (IP of the declared policy server OR know the hostname of the policy server)%|%{color:green}TOFU on server key%|
|4.3, 5.0|%{color:orange}TLS 1.0+%|None|%{color:green}allowed networks AND IP of the declared policy server (which provides TOFU on the key)%|%{color:green}TOFU on server key%|
|5.1|%{color:green}TLS 1.2+%|None|%{color:green}allowed networks AND IP of the declared policy server (which provides TOFU on the key)%|%{color:green}TOFU on server key%|
Notes:
* "rudder agent reset" destroys the link between IPs and known keys (i.e. resets the TOFU at agent level, but not inventory level)
h3. Windows DSC node policies
|*Rudder version*|*Transport*|*Client Identification*|*Client Authentication*|*Server Authentication*|
|4.3, 5.0|%{color:orange}TLS 1.0+%|node UUID|%{color:green}allowed networks AND private key matching the public key in the inventory (which if verified or TOFU)%|%{color:orange}IP%|
|5.1|%{color:green}TLS 1.2+%|node UUID|%{color:green}allowed networks AND private key matching the public key in the inventory (which if verified or TOFU)%|%{color:orange}IP%|
h2. Inventories
|*Rudder version*|*Rudder agent*|*Transport*|*Client Identification*|*Client Authentication*|*Server Authentication*|
|4.1, 4.3, 5.0|Linux|%{color:orange}HTTPS with TLS 1.0+%|node UUID|%{color:green}allowed networks AND signature matching the public key in the first inventory (which if verified or TOFU)%|%{color:orange}IP%|
|4.1, 4.3, 5.0|Windows DSC|%{color:orange}HTTPS with TLS 1.0+%|node UUID|%{color:red}allowed networks%|%{color:orange}IP%|
|4.1, 4.3, 5.0|AIX|%{color:red}HTTP%|node UUID|%{color:green}allowed networks AND signature matching the public key in the first inventory (which if verified or TOFU)%|%{color:orange}IP%|
|5.1|All|%{color:green}HTTPS with TLS 1.2+%|node UUID|%{color:green}allowed networks AND signature matching the public key in the first inventory (which if verified or TOFU)%|%{color:green}TOFU on server key%|
h2. Reports
|*Rudder version*|*Transport*|*Client Identification*|*Client Authentication*|*Server Authentication*|
|4.1, 4.3, 5.0|%{color:red}Plain text TCP/UDP%|node UUID|%{color:red}None%|%{color:orange}IP%|
|5.1|%{color:green}HTTPS with TLS 1.2+%|node UUID|%{color:green}allowed networks AND signature matching the public key in the first inventory (which if verified or TOFU)%|%{color:green}TOFU on server key%|
h2. Sending a file to another node (shared file)
TODO