{"id":1925,"date":"2011-03-05T23:30:28","date_gmt":"2011-03-05T22:30:28","guid":{"rendered":"http:\/\/www.devco.net\/?p=1925"},"modified":"2011-03-06T00:14:48","modified_gmt":"2011-03-05T23:14:48","slug":"using_mcollective_113_subcollectives_for_security","status":"publish","type":"post","link":"https:\/\/www.devco.net\/archives\/2011\/03\/05\/using_mcollective_113_subcollectives_for_security.php","title":{"rendered":"Using MCollective 1.1.3 Subcollectives for Security"},"content":{"rendered":"<p>We&#8217;ll be releasing The Marionette Collective version 1.1.3 on Monday which will bring with it a major new feature called <a href=\"http:\/\/docs.puppetlabs.com\/mcollective\/reference\/basic\/subcollectives.html\">Subcollectives<\/a>.  This feature lets you partition your collective into multiple isolated broadcast zones much like a VLAN does to a traditional network.  Each node can belong to one or many collectives at the same time.<\/p>\n<p>An interesting side effect of this feature is that you can create subcollectives to improve security of your network.  I&#8217;ll go through a process here for providing untrusted 3rd parties access to just a subset of your servers.<\/p>\n<p><center><img decoding=\"async\" src=\"http:\/\/www.devco.net\/images\/subcollective.png\"><\/center><\/p>\n<p><\/p>\n<p>The image above demonstrates a real world case where a customer wanted to control their machines using the abilities exposed by MCollective on a network hosting servers for many customers.  <\/p>\n<p>The customer has a CMS that creates accounts on his backend systems, sometimes he detects abuse from a certain IP and need to be able to block that IP from all his customer facing systems immediately.  We did not want to give the CMS access to SSH as root to the servers to we provided a MCollective Agent that expose this ability using SimpleRPC.<\/p>\n<p>Rather than deploy a new collective using different daemons we use the new Subcollectives features to let the customer machines belong to a new collective called <em>custcollective<\/em> while still belonging to the existing <em>collective<\/em>.  We then restrict the user at the middleware layer and set his machines up to allow him access to them via the newly created collective.<\/p>\n<p>To properly secure this setup we give the customer their own <a href=\"http:\/\/docs.puppetlabs.com\/mcollective\/reference\/integration\/activemq_security.html\">username on the ActiveMQ server and secure it<\/a> so it can only communicate with his subcollective:<\/p>\n<p><code><\/p>\n<pre lang=\"xml\">\r\n<simpleAuthenticationPlugin>\r\n  <users>\r\n    <authenticationUser username=\"customer\" password=\"secret\" groups=\"customer,everyone\"\/>\r\n  <\/users>\r\n<\/simpleAuthenticationPlugin>\r\n\r\n<authorizationPlugin>\r\n  <map>\r\n    <authorizationMap>\r\n        <authorizationEntries>\r\n          <authorizationEntry topic=\"custcollective.>\" write=\"mcollectiveusers,customer\" read=\"mcollectiveusers,customer\" admin=\"mcollectiveusers,genzee\" \/>\r\n        <\/authorizationEntries>\r\n    <\/authorizationMap>\r\n  <\/map>\r\n<\/authorizationPlugin><\/pre>\n<p><\/code><\/p>\n<p>This sets up the namespace for the <em>custcollective<\/em> and give the user access to it, we only give him access to his collective and no others.<\/p>\n<p>Next we have to configure the customers servers to belong to the new collective in addition to the existing collective using their <em>server.cfg<\/em>:<\/p>\n<p><code><\/p>\n<pre lang=\"ini\">\r\ncollectives = collective,custcollective\r\nmain_collective = collective\r\n<\/pre>\n<p><\/code><\/p>\n<p>And finally we give the customer a <em>client.cfg<\/em> that limits him to this collective:<\/p>\n<p><code><\/p>\n<pre lang=\"ini\">\r\ncollectives = custcollective\r\nmain_collective = custcollective\r\n\r\nplugin.stomp.pool.user1 = customer\r\nplugin.stomp.pool.password1 = secret\r\n<\/pre>\n<p><\/code><\/p>\n<p>Due to the restrictions on the middleware level even if the customer were to specify other collective names in his <em>client.cfg<\/em> he simply would not be able to communicate with those hosts.<\/p>\n<p>We now setup <a href=\"http:\/\/docs.puppetlabs.com\/mcollective\/simplerpc\/authorization.html\">Authorization<\/a> to give the user access to just the agents and actions you authorize him to communicate with.   A sample policy file using the <a href=\"http:\/\/projects.puppetlabs.com\/projects\/mcollective-plugins\/wiki\/AuthorizationActionPolicy\">Action Policy Authorization Plugin<\/a> can be seen below, it lets the user use the <em>iptables<\/em> agent <em>block<\/em> action on just his machines while allowing me to use all actions on all machines:<\/p>\n<p><code><\/p>\n<pre lang=\"ini\">\r\npolicy default deny\r\nallow   cert=rip        *       *               *\r\nallow   cert=customer   block   customer=acme   *\r\n<\/pre>\n<p><\/code><\/p>\n<p>And finally thanks to the <a href=\"http:\/\/docs.puppetlabs.com\/mcollective\/simplerpc\/auditing.html\">Auditing<\/a> built into MCollective the clients actions are fully logged:<\/p>\n<p><code><\/p>\n<pre lang=\"text\">\r\n2011-03-05T21:03:52.598552+0000: reqid=ebf3c01fdaa92ce9f4137ad8ff73336b: \r\nreqtime=1299359032 caller=cert=customer@some.machine agent=iptables \r\naction=block data={:ipaddr=>\"196.xx.xx.146\"}\r\n<\/pre>\n<p><\/code><\/p>\n<p>The customer is happy as he was able to build a real time IDS that reacts to events throughout his network, he can interact with it from CLI, automated IDS and even his web systems.<\/p>\n<p>Using this technique and combining it with the existing AAA in MCollective we as an ISP were able to expose a subset of machines to an untrusted 3rd party in a way that is safe, secure and audited without having to give the 3rd party elevated or even shell access to these machines.  <\/p>\n","protected":false},"excerpt":{"rendered":"<p>We&#8217;ll be releasing The Marionette Collective version 1.1.3 on Monday which will bring with it a major new feature called Subcollectives. This feature lets you partition your collective into multiple isolated broadcast zones much like a VLAN does to a traditional network. Each node can belong to one or many collectives at the same time. [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_et_pb_use_builder":"","_et_pb_old_content":"","footnotes":""},"categories":[1],"tags":[78],"_links":{"self":[{"href":"https:\/\/www.devco.net\/wp-json\/wp\/v2\/posts\/1925"}],"collection":[{"href":"https:\/\/www.devco.net\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.devco.net\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.devco.net\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.devco.net\/wp-json\/wp\/v2\/comments?post=1925"}],"version-history":[{"count":29,"href":"https:\/\/www.devco.net\/wp-json\/wp\/v2\/posts\/1925\/revisions"}],"predecessor-version":[{"id":1954,"href":"https:\/\/www.devco.net\/wp-json\/wp\/v2\/posts\/1925\/revisions\/1954"}],"wp:attachment":[{"href":"https:\/\/www.devco.net\/wp-json\/wp\/v2\/media?parent=1925"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.devco.net\/wp-json\/wp\/v2\/categories?post=1925"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.devco.net\/wp-json\/wp\/v2\/tags?post=1925"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}