From d81d2e7736cde319e5cb9ff8db334df1af264d84 Mon Sep 17 00:00:00 2001 From: Yuriy Zveryanskyy Date: Mon, 22 May 2017 16:14:53 +0300 Subject: [PATCH] Add 'Other considerations' to security doc This adds an 'Other considerations' section to the Security documentation to include things that may not merit their own section. Change-Id: Ic4a854a9fb8e12e0d6cdf969ef804e25f6341a32 Related-bug: #1659455 Related-bug: #1692511 Co-Authored-By: Ruby Loo --- doc/source/admin/security.rst | 64 +++++++++++++++++++++++++++++++++++ 1 file changed, 64 insertions(+) diff --git a/doc/source/admin/security.rst b/doc/source/admin/security.rst index 4a1d131bc4..52f8c1bddf 100644 --- a/doc/source/admin/security.rst +++ b/doc/source/admin/security.rst 
@@ -120,3 +120,67 @@ Additional references: - :ref:`cleaning` - :ref:`trusted-boot` + + +Other considerations +==================== + +Internal networks +----------------- + +Access to networks which the Bare Metal service uses internally should be +prohibited from outside. These networks are the ones used for management (with +the nodes' BMC controllers), provisioning, cleaning (if used) and rescuing +(if used). + +This can be done with physical or logical network isolation, traffic filtering, etc. + +Management interface technologies +--------------------------------- + +Some nodes support more than one management interface technology (vendor and +IPMI for example). If you use only one modern technology for out-of-band node +access, it is recommended that you disable IPMI since the IPMI protocol is not +secure. If IPMI is enabled, in most cases a local OS administrator is able to +work in-band with IPMI settings without specifying any credentials, as this +is a DCMI specification requirement. + +Tenant network isolation +------------------------ + +If you use tenant network isolation, services (TFTP or HTTP) that handle the +nodes' boot files should serve requests only from the internal networks that +are used for the nodes being deployed and cleaned. + +TFTP protocol does not support per-user access control at all. + +For HTTP, there is no generic and safe way to transfer credentials to the +node. + +Also, tenant network isolation is not intended to work with network-booting +a node by default, once the node has been provisioned. + +API endpoints for RAM disk use +------------------------------ + +There are `two (unauthorized) endpoints +`_ in the +Bare Metal API that are intended for use by the ironic-python-agent RAM disk. +They are not intended for public use. + +These endpoints can potentially cause security issues. Access to +these endpoints from external or untrusted networks should be prohibited. 
+An easy way to do this is to: + +* set up two groups of API services: one for external requests, the second for + deploy RAM disks' requests. +* to disable unauthorized access to these endpoints in the (first) API services + group that serves external requests, the following lines should be + added to the `policy.yaml file + `_:: + + # Send heartbeats from IPA ramdisk + "baremetal:node:ipa_heartbeat": "rule:is_admin" + + # Access IPA ramdisk functions + "baremetal:driver:ipa_lookup": "rule:is_admin"
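Review bot: The "API endpoints for RAM disk use" subsection tells the operator to add `"baremetal:node:ipa_heartbeat": "rule:is_admin"` and `"baremetal:driver:ipa_lookup": "rule:is_admin"` to policy.yaml for the API group that serves external requests, but it never states the complementary requirement for the second group: that group must keep the default rules for these two endpoints (the RAM disk presents no token, so `rule:is_admin` would break lookup and heartbeat there) and must itself be reachable only from the provisioning and cleaning networks described under "Internal networks". Without that sentence an operator running both groups from one shared policy file will lock the agent out; suggest adding it right after the second bullet, and also say that the two groups need distinct policy files. Two smaller points in the same region: the list lead-in "An easy way to do this is to:" already carries the "to", so the second bullet should start with "disable unauthorized access..." rather than "to disable unauthorized access ..."; and "These endpoints can potentially cause security issues." is too vague for a security guide, while the earlier sentence "as this is a DCMI specification requirement" (Management interface technologies) makes a normative claim with no citation, so either reference the relevant specification or reword it as an observation about common firmware behaviour.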