Merge pull request #85 from olehermanse/acls

olehermanse · web-flow · commit 85f9aec38783 · 2023-11-23T16:40:20.000+01:00
Added allow-all-hosts module
diff --git a/cfbs.json b/cfbs.json
@@ -3,6 +3,11 @@
   "description": "Repository of modules written by the CFEngine team.",
   "type": "modules",
   "provides": {
+    "allow-all-hosts": {
+      "description": "Allows all hosts / IP addresses to connect and fetch policy.",
+      "subdirectory": "management/allow-all-hosts",
+      "steps": ["json def.json def.json"]
+    },
     "autorun": {
       "description": "Enable autorun functionality.",
       "subdirectory": "management/autorun",
diff --git a/management/allow-all-hosts/README.md b/management/allow-all-hosts/README.md
@@ -0,0 +1,33 @@
+By default, CFEngine only accepts incoming connections from IP addresses on the same network (`/16` subnet).
+This module changes the setting to allow all IP addresses.
+
+**Warning:** This module is intended to make testing / demonstrations easier.
+It should **not** be used for production setups.
+
+## Details
+
+Internally, this changes the value of the `default:def.control_server_allowconnects` and `default:def.acl` variables.
+The 2 variables have the same default values, but control slightly different things:
+
+* `default:def.control_server_allowconnects` - Works similar to a firewall. Controls which IP addresses are allowed to connect to the `cf-serverd`.
+* `default:def.acl` - Controls access to files on the server, i.e. which IP addresses are allowed to fetch files, most notably the policy set from `/var/cfengine/masterfiles` on the hub.
+
+Advanced users might want to configure each of these variables individually, or even customize specific access for specific folders.
+
+You can achieve the same by editing `/var/cfengine/masterfiles/def.json`:
+
+```
+{
+  "variables": {
+    "default:def.control_server_allowconnects": ["0.0.0.0/0", "::/0"],
+    "default:def.acl": ["0.0.0.0/0", "::/0"]
+  }
+}
+```
+
+You can also edit these variables using the CMDB feature in Mission Portal.
+
+**Tip:** You can omit the first variable, it defaults to the value of `default:def.acl`, when not specified.
+
+**Note:** The variables and defaults mentioned here are for the default CFEngine policy set (MPF).
+If you are only using the CFEngine binaries, not the default policy, these variables don't do anything special.
diff --git a/management/allow-all-hosts/def.json b/management/allow-all-hosts/def.json
@@ -0,0 +1,6 @@
+{
+  "variables": {
+    "default:def.control_server_allowconnects": ["0.0.0.0/0", "::/0"],
+    "default:def.acl": ["0.0.0.0/0", "::/0"]
+  }
+}
