User story #6363

Updated by Alexis Mousset over 6 years ago

h2. Node policies

h3. CFEngine node policies

|*Rudder version*|*Transport*|*Client Identification*|*Client Authentication*|*Server Authentication*|
|3.1|%{color:orange}CFEngine "classic" protocol, partly encrypted%|node UUID|%{color:red}allowed networks AND (use an IP declared in the inventory OR know the hostname of the node)%|%{color:green}TOFU on server key%|
|4.1, 4.2|%{color:green}TLS 1.0+%, %{color:orange}"classic" protocol available for 3.1 agents with initial policies%|node UUID|%{color:red}allowed networks AND (use an IP declared in the inventory OR know the hostname of the node OR private key matching the public key in the inventory)%|%{color:green}TOFU on server key%|
|4.3|%{color:green}TLS 1.0+%|node UUID|%{color:green}allowed networks AND private key matching the public key in the inventory (which is either verified or TOFU)%|%{color:green}TOFU on server key%|

 Notes: 

 * TODO check how ppkeys/lastseen really works 
 * UUIDs are visible in clear text reports 
 * "rudder agent reset" destroys the link between IPs and known keys (i.e. resets the TOFU at agent level, but not inventory level) 

h3. Remote run

|*Rudder version*|*Transport*|*Client Identification*|*Client Authentication*|*Server Authentication*|
|3.1|%{color:orange}CFEngine "classic" protocol, partly encrypted%|None|%{color:red}allowed networks AND (IP of the declared policy server OR know the hostname of the policy server)%|%{color:green}TOFU on server key%|
|4.1, 4.2|%{color:green}TLS 1.0+%, %{color:orange}"classic" protocol available for 3.1 agents with initial policies%|None|%{color:red}allowed networks AND (IP of the declared policy server OR know the hostname of the policy server)%|%{color:green}TOFU on server key%|
|4.3|%{color:green}TLS 1.0+%|None|%{color:green}allowed networks AND IP of the declared policy server (which provides TOFU on the key)%|%{color:green}TOFU on server key%|

 Notes: 

 * "rudder agent reset" destroys the link between IPs and known keys (i.e. resets the TOFU at agent level, but not inventory level) 
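The client-authentication and TOFU rules summarised in the node-policy and remote-run tables above, modelled as an added example (this is not Rudder or CFEngine code). It shows why the 3.1/4.1 rule is marked red (an attacker inside an allowed network who takes over a declared IP or hostname passes), why the 4.3 key-matching rule is not fooled by that, and what the agent-level "rudder agent reset" note means in practice (a changed server key that was being rejected gets silently pinned on the next contact). All class and function names, the CIDR, the hostnames and the key bytes are constructed for illustration; proof of key possession, which the TLS handshake provides in 4.3, is assumed rather than modelled.

```python
"""Model of the access rules in the policy and remote-run tables above.

Added example, not Rudder or CFEngine code: every name, address and key
below is constructed for illustration. Proof of key possession (done by
the TLS handshake in 4.3) is assumed rather than modelled.
"""
import hashlib
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List


def key_id(public_key: bytes) -> str:
    """Stable fingerprint of a public key (SHA-256, hex)."""
    return hashlib.sha256(public_key).hexdigest()


@dataclass
class TofuStore:
    """Trust-on-first-use store binding a peer IP to the key first seen from it.

    This is the agent-level state the notes refer to: the binding lives on
    the agent, not in the inventory.
    """
    pins: Dict[str, str] = field(default_factory=dict)

    def check(self, ip: str, public_key: bytes) -> bool:
        fingerprint = key_id(public_key)
        pinned = self.pins.get(ip)
        if pinned is None:            # first contact: pin the key and accept
            self.pins[ip] = fingerprint
            return True
        return pinned == fingerprint  # later contacts must present the pinned key

    def reset(self) -> None:
        """What 'rudder agent reset' does to the bindings: forget all of them.

        The next contact from any IP is a first contact again, so a key that
        was being rejected a moment ago is now silently pinned.
        """
        self.pins.clear()


@dataclass
class Node:
    """What the server knows about a node from its inventory."""
    uuid: str
    ip: str
    hostname: str
    public_key: bytes


@dataclass
class ServerAccessPolicy:
    """Server-side checks on an incoming node, keyed by the UUID the node claims."""
    allowed_networks: List[str]   # CIDR strings
    inventory: Dict[str, Node]    # uuid -> Node

    def in_allowed_network(self, ip: str) -> bool:
        addr = ipaddress.ip_address(ip)
        return any(addr in ipaddress.ip_network(net) for net in self.allowed_networks)

    def authorize_classic(self, uuid: str, ip: str, hostname: str) -> bool:
        """3.1 / 4.1 rule: allowed networks AND (declared IP OR known hostname).

        Neither the source IP nor the hostname is bound to the node's key, so a
        host inside the allowed network that takes over the IP or hostname passes.
        """
        node = self.inventory.get(uuid)
        if node is None or not self.in_allowed_network(ip):
            return False
        return ip == node.ip or hostname == node.hostname

    def authorize_keyed(self, uuid: str, ip: str, public_key: bytes) -> bool:
        """4.3 rule: allowed networks AND the key matching the inventory's public key."""
        node = self.inventory.get(uuid)
        if node is None or not self.in_allowed_network(ip):
            return False
        return key_id(public_key) == key_id(node.public_key)


def demo() -> Dict[str, bool]:
    """Run the checks against a constructed inventory and an IP-spoofing attacker."""
    inventory = {"node-1": Node("node-1", "192.0.2.10", "node1.example", b"node-1-public-key")}
    server = ServerAccessPolicy(["192.0.2.0/24"], inventory)
    attacker_key = b"attacker-public-key"
    agent = TofuStore()
    server_key = b"policy-server-public-key"

    results = {
        # attacker inside the allowed network, spoofing the declared IP, wrong key
        "classic_accepts_spoofed_ip": server.authorize_classic("node-1", "192.0.2.10", "other"),
        "keyed_rejects_spoofed_ip": not server.authorize_keyed("node-1", "192.0.2.10", attacker_key),
        "keyed_accepts_real_node": server.authorize_keyed("node-1", "192.0.2.10", b"node-1-public-key"),
        "keyed_rejects_outside_network": not server.authorize_keyed("node-1", "198.51.100.7", b"node-1-public-key"),
        # agent side: the policy server's key is pinned on first contact
        "agent_pins_first_key": agent.check("192.0.2.1", server_key),
        "agent_rejects_changed_key": not agent.check("192.0.2.1", attacker_key),
    }
    agent.reset()
    results["agent_trusts_anything_after_reset"] = agent.check("192.0.2.1", attacker_key)
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

Every entry of `demo()` is expected to be True; the last one is the point of the reset note: a reset does not re-verify anything, it just reopens the TOFU window for whoever answers next at that IP.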

h3. Windows DSC node policies

|*Rudder version*|*Transport*|*Client Identification*|*Client Authentication*|*Server Authentication*|
|4.2, 4.3|%{color:green}TLS 1.0+%|node UUID|%{color:green}allowed networks AND private key matching the public key in the inventory (which is either verified or TOFU)%|%{color:orange}IP only, no key verification%|

h2. Inventories

|*Rudder agent*|*Transport*|*Client Identification*|*Client Authentication*|*Server Authentication*|
|Linux|%{color:green}HTTPS with TLS 1.0+%|node UUID|%{color:green}allowed networks AND signature matching the public key in the first inventory (which is either verified or TOFU)%|%{color:orange}IP only, no key verification%|
|Windows DSC|%{color:green}HTTPS with TLS 1.0+%|node UUID|%{color:red}allowed networks%|%{color:orange}IP only, no key verification%|
|AIX|%{color:red}HTTP%|node UUID|%{color:green}allowed networks AND signature matching the public key in the first inventory (which is either verified or TOFU)%|%{color:orange}IP only, no key verification%|

h2. Reports

|*Transport*|*Client Identification*|*Client Authentication*|*Server Authentication*|
|%{color:red}Clear text TCP/UDP%|node UUID|%{color:red}None%|%{color:orange}IP only, no key verification%|

 h2. Sending a file to another node (shared file) 

 TODO
