Commit 9a4eb5dc authored by Mike Hibler's avatar Mike Hibler

Implement slightly different policy for root keypair distribution.

If the site default is "distribute both keys to all nodes" (1), but the user
specifies at least one explicit key distribution in an experiment, then
default all the unspecified distributions for that experiment to "do not
distribute." This avoids unexpected trust relationships with the unspecified
nodes.
parent 2196e433
......@@ -6719,13 +6719,46 @@ sub GetPrivkey($)
# per-experiment root private/public keys based on what the user wants
# and modified by Emulab policy (as encoded in Node::InitKeyDist).
#
# Here we enforce one bit of experiment-specific policy:
#
# If the user has set *any* key distribution manually within an experiment,
# we default all other unspecified nodes/keys to 0. The assumption here is
# that if the user specifies anything at all, they probably have a specific
# setup in mind and we don't want the resulting behavior to be different
# depending on the system default.
#
sub InitKeyDist($)
{
my ($self) = @_;
my $idx = $self->idx();
#
# Determine a default for all unspecified node key distributions:
# - if the system default is "disabled", no key distribution is done
# - if the user has specified any explicit values, the default is off
# - otherwise use the on/off system default.
#
my $sysdef = -1;
if (TBGetSiteVar("general/root_keypair", \$sysdef) && $sysdef != -1) {
my $result =
DBQueryWarn("select v.rootkey_private,v.rootkey_public ".
" from virt_nodes as v, reserved as r ".
" where v.exptidx=r.exptidx and v.vname=r.vname ".
" and v.exptidx=$idx");
if ($result && $result->numrows > 0) {
while (my ($priv,$pub) = $result->fetchrow_array()) {
if ($priv != -1 || $pub != -1) {
$sysdef = 0;
last;
}
}
}
}
my @nodelist = $self->NodeList(0, 1);
foreach my $node (@nodelist) {
$node->InitKeyDist($self);
$node->InitKeyDist($self, $sysdef);
}
return 0;
......
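Review bot: A failed `DBQueryWarn` in Experiment::InitKeyDist leaves `$sysdef` at the site value, because `if ($result && $result->numrows > 0)` treats a query error the same as "no explicit settings found". With the sitevar at 1, a database error therefore falls back to distributing both keys to all nodes, which is the outcome this policy is meant to rule out once a user has set anything explicitly. The failure case should fail closed, for example `$sysdef = 0 if (!$result);` ahead of the row loop, or `return -1 if (!$result);` if callers act on the return value. The end of the sub lies outside the hunk.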
......@@ -1352,21 +1352,23 @@ sub OnSharedNode($) {
# the result into the reserved table. The Get/Set accessor functions below
# use the values from reserved.
#
# If the user-provided value is -1, then we use the system default value
# from the sitevar general/root_keypair (0 == don't distribute either key
# to any nodes, 1 == distribute both keys to all nodes). If the sitevar
# is set to -1 then the mechanism is disabled and we do not distribute
# any keys to anyone.
#
# The current restrictions are that we do *not* distribute a root pubkey
# to tainted nodes (as it opens a path to root on a node where no one should
# be root) or any keys to firewall nodes, virtnode hosts, delay nodes,
# If the user-provided value is -1 for any nodes/keys, then we use the given
# default value if provided or sitevar general/root_keypair (0 == don't
# distribute either key to any nodes, 1 == distribute both keys to all nodes)
# otherwise. However, if the default value is -1 then the mechanism is
# disabled entirely and we do not distribute any keys to anyone regardless
# of what the user says.
#
# The current "policy" restrictions are that we do *not* distribute a root
# pubkey to tainted nodes (as it opens a path to root on a node where no one
# should be root) or any keys to firewall nodes, virtnode hosts, delay nodes,
# subbosses, storagehosts, etc. which are not really part of the user
# topology.
# topology. We also do not distribute to non "PC" nodes as they might not
# support ssh anyway.
#
sub InitKeyDist($;$)
sub InitKeyDist($;$$)
{
my ($self,$experiment) = @_;
my ($self,$experiment,$def) = @_;
my ($priv,$pub);
return -1
......@@ -1378,9 +1380,15 @@ sub InitKeyDist($;$)
if (!$experiment);
}
# If no default is specified, use the system default
if (!defined($def)) {
if (!TBGetSiteVar("general/root_keypair", \$def)) {
$def = -1;
}
}
# If the system default is "disabled", no key distribution
my $sysdef;
if (!TBGetSiteVar("general/root_keypair", \$sysdef) || $sysdef == -1) {
if ($def == -1) {
$priv = $pub = 0;
goto done;
}
......@@ -1405,8 +1413,8 @@ sub InitKeyDist($;$)
my $fwnode;
# start with default if user didn't specify
$priv = $sysdef if ($priv == -1);
$pub = $sysdef if ($pub == -1);
$priv = $def if ($priv == -1);
$pub = $def if ($pub == -1);
# tainted node: no pub key
if ($self->IsTainted()) {
......
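Review bot: The disable check in the second hunk now tests only `$def`, so the site-wide off switch (sitevar `general/root_keypair` at -1) is consulted only when the caller passes no default. Any caller that supplies 0 or 1 skips the sitevar read entirely. The Experiment-level caller in this commit does pass -1 through in that case, but the guarantee then rests on every caller doing the same. Reading the sitevar unconditionally and letting `$def` replace only the on/off default keeps the switch authoritative. The same spot is the natural place to normalize `$def`, since the third hunk copies it into `$priv`/`$pub` unvalidated. The sketch below treats a caller-supplied -1 as "use the site default", which should be confirmed against other callers; the sub starts in the first hunk and continues past the last one.

```perl
    # The sitevar stays authoritative for "disabled", whatever the caller passed
    my $sysdef;
    if (!TBGetSiteVar("general/root_keypair", \$sysdef) || $sysdef == -1) {
	$priv = $pub = 0;
	goto done;
    }
    # A caller-supplied default only replaces the on/off value
    $def = $sysdef if (!defined($def) || $def == -1);
    $def = ($def ? 1 : 0);
    # … unchanged: per-node lookup of the user-specified $priv/$pub …
```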