Bug 1655433

Summary: Need to restrict few services port from outside access to web-admin
Product: [Red Hat Storage] Red Hat Gluster Storage Reporter: gowtham <gshanmug>
Component: web-admin-tendrl-ansibleAssignee: Nishanth Thomas <nthomas>
Status: CLOSED ERRATA QA Contact: Elena Bondarenko <ebondare>
Severity: medium Docs Contact:
Priority: unspecified    
Version: rhgs-3.4CC: ebondare, gshanmug, mbukatov, rhs-bugs, sankarshan
Target Milestone: ---Keywords: ZStream
Target Release: RHGS 3.4.z Batch Update 3   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: tendrl-ansible-1.6.3-11.el7rhgs Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2019-02-04 07:43:46 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1658718    

Description gowtham 2018-12-03 07:24:14 UTC 
Description of problem:
We need to restrict some services or daemons ports form the outside access to tendrl-server. Few services in web-admin-server are internal use only so for some security concern we don't want to open that for outside access.

For example:
   grafana 3000
   graphite-web 10080

Version-Release number of selected component (if applicable):
tendrl-ansible-1.6.3-10.el7rhgs

How reproducible:
After enabling SSL for web-admin also we can access some services using http protocol from outside.

Those services are not necessary to access for outside users, this can be restricted for outside use.

Steps to Reproduce:
1.
2.
3.

Actual results:
After enabling SSL all web-admin related services are accessible with http protocol. 

Expected results:
Few services should not accessible for outside user for some security concern, after enabling SSL all request for the web-admin server should be encrypted. no need to open ports for the services which are only for internal use. 

Additional info:
Comment 2 gowtham 2018-12-05 06:48:13 UTC 
Looks like we already closed port 3000 for outside access, we need to restrict 10080 also
Comment 3 gowtham 2018-12-07 10:29:05 UTC 
PR is under review: https://github.com/Tendrl/tendrl-ansible/pull/136
Comment 4 Martin Bukatovic 2018-12-10 19:19:23 UTC 
Do you mean that this BZ is about not opening port tcp 10080 on WA server no matter if ssl is enabled or not?
Comment 5 gowtham 2018-12-11 11:57:59 UTC 
Yes, that is correct
Comment 6 Martin Bukatovic 2018-12-12 18:20:30 UTC 
Providing QA ack, assuming that the purpose of this BZ is described in comment 4, as validated by comment 5.
Comment 9 Nishanth Thomas 2018-12-18 12:39:10 UTC 
@Martin, We need
Comment 11 Elena Bondarenko 2019-01-22 17:10:10 UTC 
Port 10080 has been closed for outside access.
Comment 13 errata-xmlrpc 2019-02-04 07:43:46 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2019:0265