Whirr
  1. Whirr
  2. WHIRR-71

Only allow access to clusters from defined networks

    Details

    • Type: Bug Bug
    • Status: Resolved
    • Priority: Critical Critical
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: 0.1.0
    • Component/s: None
    • Labels:
      None

      Description

      By default a cluster should only be accessible from the machine that launched it, unless the client CIDR is specified to describe the machines that may access it.

      1. WHIRR-71.patch
        21 kB
        Tom White
      2. WHIRR-71.patch
        19 kB
        Tom White

        Activity

        Hide
        Tom White added a comment -

        Here's a patch which restricts access to the originating IP. The integration tests pass for all services.

        Show
        Tom White added a comment - Here's a patch which restricts access to the originating IP. The integration tests pass for all services.
        Hide
        Tom White added a comment -

        This applies properly. Run the following command first, however.

        svn mv core/src/main/java/org/apache/whirr/service/ComputeServiceBuilder.java core/src/main/java/org/apache/whirr/service/ComputeServiceContextBuilder.java

        Show
        Tom White added a comment - This applies properly. Run the following command first, however. svn mv core/src/main/java/org/apache/whirr/service/ComputeServiceBuilder.java core/src/main/java/org/apache/whirr/service/ComputeServiceContextBuilder.java
        Hide
        Adrian Cole added a comment -

        The firewall rules related to a service may need to be bumped up the stack a bit. It just so happens that EC2 enforces rules, but this is actually a service attribute that could be implemented many ways. I suggest coupling the rules with the cluster, service or spec object.

        Then, in provisioning/config, one could apply them where it is needed (ex whitelist environments like ec2) or where they are desired (ex. the user wants a whitelist style env, but it isn't naturally supported, and therefore needs to be configured as software like iptables).

        Patch is a good wip. Please submit an issue to jclouds for adding a cidr based rule to the ec2 template. There's still time to make this in beta-7

        Show
        Adrian Cole added a comment - The firewall rules related to a service may need to be bumped up the stack a bit. It just so happens that EC2 enforces rules, but this is actually a service attribute that could be implemented many ways. I suggest coupling the rules with the cluster, service or spec object. Then, in provisioning/config, one could apply them where it is needed (ex whitelist environments like ec2) or where they are desired (ex. the user wants a whitelist style env, but it isn't naturally supported, and therefore needs to be configured as software like iptables). Patch is a good wip. Please submit an issue to jclouds for adding a cidr based rule to the ec2 template. There's still time to make this in beta-7
        Hide
        Tom White added a comment -

        +1 to supporting this in jclouds. I've created http://code.google.com/p/jclouds/issues/detail?id=336 for this.

        I'll commit this with a comment saying that the firewall code is a temporary workaround.

        Show
        Tom White added a comment - +1 to supporting this in jclouds. I've created http://code.google.com/p/jclouds/issues/detail?id=336 for this. I'll commit this with a comment saying that the firewall code is a temporary workaround.
        Hide
        Tom White added a comment -

        I've just committed this.

        Show
        Tom White added a comment - I've just committed this.

          People

          • Assignee:
            Tom White
            Reporter:
            Tom White
          • Votes:
            0 Vote for this issue
            Watchers:
            0 Start watching this issue

            Dates

            • Created:
              Updated:
              Resolved:

              Development