Check for remote address in allow-list update should ignore underlay #5735
Comments
bnaecker
added
api
- Fixes #5735 - When checking the IP allowlist, we ensure the peer making the request is contained by the list itself. This works in most circumstances, but isn't correct when the request is proxied through `wicketd`, such as in a recovery situation. This special handling when the peer isn't in the allow-list, by checking whether it's instead part of any rack subnet. - Add datastore method specifically for checking if an address is part of a rack subnet. - Add unique index on the rack table for looking up subnets quickly, and a schema migration with that index.
- Fixes #5735 - When checking the IP allowlist, we ensure the peer making the request is contained by the list itself. This works in most circumstances, but isn't correct when the request is proxied through `wicketd`, such as in a recovery situation. This special handling when the peer isn't in the allow-list, by checking whether it's instead part of any rack subnet. - Add datastore method specifically for checking if an address is part of a rack subnet. - Add unique index on the rack table for looking up subnets quickly, and a schema migration with that index.
|
An idle thought - the nexus techport proxy is an entirely separate dropshot server: Lines 179 to 192 in c472464 I wonder if it would be easier to stash something in the respective server contexts to indicate which was which, and this disable the check of the request IP based on which dropshot server is handling the request? |
|
That's an interesting idea, I like it. I'm looking at the server contexts now, and they're all currently shared between the three servers (internal, external, and techport), through an |
- Adds a server kind enum, used to distinguish which API server is running any particular handler. - Wraps the existing `ServerContext` into a higher-level `ApiContext` type, which includes the former in addition to the kind of server handling the request. - Fixes #5735
When attempting to update the allow-list for user-facing services, Nexus ensures that the address of the peer sending the request is contained in the allow-list itself. This is a safety mechanism to prevent locking oneself out. However, there are still ways one can get locked out. As an example, if a user sets the allow-list to enable traffic from some external proxy, but that proxy is issued a new IP address without notice, they won't be able to get back into the rack to change the list.
To address this, we could make use of the Nexus external API proxy offered by
wicketd. This works at the transport layer, and runs over the underlay network. That means it's not subject to the allow-list checks at all, since it's over a completely different interface. However, clients will never be able to actually update the allow-list from the proxy, because the containment mentioned at the beginning will fail! Users don't know (and can't know) the underlay address, so Nexus will always reject the list.We should relax this check in Nexus. The remote address must either be on the allow-list, or on the underlay network. It's not yet clear to me if that means "same rack subnet" or "any rack subnet", or if we want to do an explicit lookup in the database to make sure it's in a known-valid rack.
The text was updated successfully, but these errors were encountered: