User story #6363
Updated by Alexis Mousset about 7 years ago
h2. Node policies

h3. CFEngine node policies

|Rudder version|Transport|Client Identification|Client Authentication|Server Authentication|
|3.1|CFEngine "classic" protocol, partly encrypted|node UUID|allowed networks AND (use an IP declared in the inventory OR know the hostname of the node)|TOFU on server key|
|4.1, 4.2|TLS 1.0+; "classic" protocol still available for 3.1 agents with initial policies|node UUID|allowed networks AND (use an IP declared in the inventory OR know the hostname of the node OR private key matching the public key in the inventory)|TOFU on server key|
|4.3|TLS 1.0+|node UUID|allowed networks AND private key matching the public key in the inventory (which is verified or TOFU)|TOFU on server key|

Notes:

* Node UUIDs are visible in clear-text reports, so they identify a node but are not a secret.
* Remote run (server to node) works the same way, with a check on the server's IP and on both sides' keys. Exception: on Rudder < 4.3, when policy_server.dat contains a hostname, anyone in the allowed networks who knows the policy server's hostname can trigger a remote run.

h3. Windows DSC node policies

|Rudder version|Transport|Client Identification|Client Authentication|Server Authentication|
|4.2, 4.3|TLS 1.0+|node UUID|allowed networks AND private key matching the public key in the inventory (which is verified or TOFU)|None|

h2. Inventories

|Rudder agent|Transport|Client Identification|Client Authentication|Server Authentication|
|Linux|HTTPS with TLS 1.0+|node UUID|allowed networks AND signature matching the public key in the first inventory (which is verified or TOFU)|None|
|Windows DSC|HTTPS with TLS 1.0+|node UUID|allowed networks|None|
|AIX|HTTP|node UUID|allowed networks AND signature matching the public key in the first inventory (which is verified or TOFU)|None|

h2. Reports

|Transport|Client Identification|Client Authentication|Server Authentication|
|Clear text TCP/UDP|node UUID|None|None|

h2. Sending a file to another node (shared file)

TODO
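The client-authentication rule of the Inventories table for Linux and AIX agents, "allowed networks AND signature matching the public key in the first inventory (which is verified or TOFU)", as an added example. This is not Rudder's code: the upload structure, the ed25519 signature scheme, the UUID and the RFC 5737 addresses are stand-ins chosen for the illustration, and only the acceptance rule is modelled. It also exercises the edge case the "verified" path exists for: with pure TOFU, whoever delivers the first inventory for a UUID from an allowed network gets its key pinned.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"net"
)

// Inventory is a constructed stand-in for an inventory upload. Rudder's real
// file format and signature scheme are not modelled, only the acceptance rule.
type Inventory struct {
	NodeUUID  string
	SourceIP  string            // address the server saw the upload come from
	Body      []byte            // inventory content
	Signature []byte            // detached signature over Body
	PublicKey ed25519.PublicKey // key the node presents; trusted on first use only
}

// Server holds the two inputs of "allowed networks AND signature matching the
// public key in the first inventory (which is verified or TOFU)".
type Server struct {
	allowed []*net.IPNet
	pinned  map[string]ed25519.PublicKey // node UUID -> trusted public key
}

var (
	ErrNetwork   = errors.New("source IP is not in an allowed network")
	ErrBadSig    = errors.New("signature does not verify with the presented key")
	ErrKeyChange = errors.New("signature does not match the key pinned for this UUID")
)

func NewServer(cidrs ...string) *Server {
	s := &Server{pinned: map[string]ed25519.PublicKey{}}
	for _, c := range cidrs {
		_, n, err := net.ParseCIDR(c)
		if err != nil {
			panic(err) // the networks are constructed input in this example
		}
		s.allowed = append(s.allowed, n)
	}
	return s
}

// PinVerifiedKey is the "verified" path: an administrator records the node's
// key out of band, so TOFU never applies to this UUID.
func (s *Server) PinVerifiedKey(uuid string, pub ed25519.PublicKey) { s.pinned[uuid] = pub }

// Accept returns nil when both checks pass. With no pinned key for the UUID,
// the presented key is trusted on first use and pinned for later uploads.
func (s *Server) Accept(inv Inventory) error {
	ip, inAllowed := net.ParseIP(inv.SourceIP), false
	for _, n := range s.allowed {
		inAllowed = inAllowed || (ip != nil && n.Contains(ip))
	}
	if !inAllowed {
		return ErrNetwork
	}
	key, known := s.pinned[inv.NodeUUID]
	if !known {
		key = inv.PublicKey
	}
	// ed25519.Verify panics on a malformed key, so check the length first.
	if len(key) != ed25519.PublicKeySize || !ed25519.Verify(key, inv.Body, inv.Signature) {
		if known {
			return ErrKeyChange
		}
		return ErrBadSig
	}
	if !known {
		s.pinned[inv.NodeUUID] = key // TOFU: the first accepted key wins
	}
	return nil
}

// upload builds a signed inventory the way a node holding priv would.
func upload(priv ed25519.PrivateKey, uuid, srcIP, body string) Inventory {
	return Inventory{NodeUUID: uuid, SourceIP: srcIP, Body: []byte(body),
		Signature: ed25519.Sign(priv, []byte(body)), PublicKey: priv.Public().(ed25519.PublicKey)}
}

// Scenario returns the outcome of seven uploads (constructed data): four against
// a fresh server, two showing the TOFU race, one showing a pre-verified key closing it.
func Scenario() []error {
	const uuid = "5f3c9a1e-0000-4000-8000-000000000001" // constructed UUID
	_, legit, _ := ed25519.GenerateKey(rand.Reader)    // the real node's key (crypto/rand does not fail)
	_, impostor, _ := ed25519.GenerateKey(rand.Reader) // another key claiming the same UUID
	srv, racy, safe := NewServer("192.0.2.0/24"), NewServer("192.0.2.0/24"), NewServer("192.0.2.0/24")
	safe.PinVerifiedKey(uuid, legit.Public().(ed25519.PublicKey))
	return []error{
		srv.Accept(upload(legit, uuid, "192.0.2.10", "os=Linux")),    // 1: first upload, TOFU pins legit's key
		srv.Accept(upload(legit, uuid, "192.0.2.10", "os=Linux v2")), // 2: same key, accepted
		srv.Accept(upload(impostor, uuid, "192.0.2.20", "os=Evil")),  // 3: allowed network, other key: ErrKeyChange
		srv.Accept(upload(legit, uuid, "198.51.100.7", "os=Linux")),  // 4: right key, wrong network: ErrNetwork
		racy.Accept(upload(impostor, uuid, "192.0.2.20", "os=Evil")), // 5: impostor first: TOFU pins its key
		racy.Accept(upload(legit, uuid, "192.0.2.10", "os=Linux")),   // 6: the real node now gets ErrKeyChange
		safe.Accept(upload(impostor, uuid, "192.0.2.20", "os=Evil")), // 7: pre-verified key: ErrKeyChange
	}
}
```

Cases 5 and 6 are the reason the table says "verified or TOFU" rather than just TOFU: the allowed-networks check only narrows who can race for the first inventory, it does not decide who wins. Keeping ErrKeyChange distinct from ErrBadSig is deliberate, since a key change on an already pinned UUID is the event worth alerting on.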