Bug 965886
Summary: | Servers can continue to invoke operations for agents that have since been registered to a different server | ||||||
---|---|---|---|---|---|---|---|
Product: | [JBoss] JBoss Operations Network | Reporter: | Larry O'Leary <loleary> | ||||
Component: | Agent, Inventory, Operations | Assignee: | John Mazzitelli <mazz> | ||||
Status: | CLOSED CURRENTRELEASE | QA Contact: | Mike Foley <mfoley> | ||||
Severity: | high | Docs Contact: | |||||
Priority: | urgent | ||||||
Version: | JON 3.1.2 | CC: | ahovsepy, aneelica, asantos, djorm, hrupp, mazz, myarboro, theute | ||||
Target Milestone: | ER04 | ||||||
Target Release: | JON 3.2.0 | ||||||
Hardware: | All | ||||||
OS: | All | ||||||
Whiteboard: | |||||||
Fixed In Version: | Doc Type: | Bug Fix | |||||
Doc Text: | Story Points: | --- | |||||
Clone Of: | Environment: | ||||||
Last Closed: | 2014-01-02 20:34:48 UTC | Type: | Bug | ||||
Regression: | --- | Mount Type: | --- | ||||
Documentation: | --- | CRM: | |||||
Verified Versions: | Category: | --- | |||||
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |||||
Cloudforms Team: | --- | Target Upstream Version: | |||||
Embargoed: | |||||||
Bug Depends On: | |||||||
Bug Blocks: | 1012435 | ||||||
Attachments: |
|
Description
Larry O'Leary
2013-05-21 22:15:23 UTC
You can secure the server-agent communications with SSL/certificates. The agent will reject any server whose certificate is not in the agent's truststore. Thus, if you have multiple JON environments and are afraid that agents will end up getting registered in both (a rare edge-case I would presume) then securing the comm with certificates is the answer. That is how JON can be told to restrict which servers can talk to which agents. Understood, but we need a way to handle this situation to prevent random failures due to the agent not returning expected data/inventory when invoking operations. In the reproducer we can see that the platform utilization data fails to be displayed due to empty responses. What if the response wasn't empty but contained data for a different resource altogether? It still seems that the server should validate the agent's identity prior to executing any commands so that it can respond appropriately. So there are two things the customer can do for such a rare edge case - one to be done proactively and one reactively: 1) As mentioned earlier, if the user wants to proactively prohibit this from happening, they can configure the servers and agents with certificates 2) If the user doesn't do #1, they can reactively (i.e. after the problem happens) uninventory/delete the agent in one of the JON environments where you don't want it. I guess the thing to say is that it simply is not supported that agents are actively registered on two separate JON environments - you are required to uninventory/delete one of them. If you do do this, errors and problems are expected to happen - resource IDs alone will not be correct, as well as the agent tokens, probably more things. > It still seems that the server should validate the agent's identity prior to
> executing any commands so that it can respond appropriately.
As for this specifically, "the server should validate the agent's identity prior to executing any commands" - technically, that's what the SSL certificates do, so it can be said we do support this feature already (albeit optionally).
But I think we are missing the real issues here: * This isn't really so much as an edge case. Although this configuration would never be deliberate, it can actually happen fairly easily. If for example I am testing an agent in dev using the dev server and then move it over to the production server. In that case, the dev server will still know about the agent and there is a chance that its end-point is the same. The user isn't thinking, "Oh, I guess I need to find all the old servers this agent may have, at one time or another, been registered to and remove them from inventory." * The fact that the UI fails to do anything and returns a meaningless "globally uncaught exception" when this situation occurs. This is unacceptable regardless of how the problem occurs. The system should continue to function as normal and one agent configuration issue shouldn't render my JBoss ON system useless. Mazz, can you provide any input on comment 10 ? git commit to master: c160be0 Moving to ON_QA for testing in the next build. Created attachment 817475 [details]
platform_util
verified with jon 3.2 er4 |