Red Hat Bugzilla – Bug 1312443
restrict access to endpoints to localhost only
Last modified: 2017-06-16 16:27:29 EDT
Description of problem: all endpoints are accessible to any host
Version-Release number of selected component (if applicable):
How reproducible: 100%
Steps to Reproduce:
1. request any endpoint from a non-local server
Actual results: HTTP API responds
Expected results: No responses except for /setup/*/ endpoints
This will need a bit more clarification. Even if requests to the installer are narrowed down to only localhost, it means that *any* user on the machine will be able to interact with the installer API.
That would defeat a lot of the purpose of restricting the access to localhost only. It would be similar to allowing ceph-deploy to be used by any user on the system: it can be completely destructive to do so.
If the path to further restrict this translates to requiring a secret/token/pass of any kind for the API to be able to function then we will need to punt this to a later version.
Is this a requirement from product or security? Do we need to consider this?
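The two layers discussed above (loopback-only access, with /setup/*/ exempted, plus a shared secret so that not every local user can drive the installer) as an added illustration; this is example code written for this page, not code from the installer project. The `X-API-Token` header name, the token value and the sample paths are assumptions.

```python
import fnmatch
import hmac
import ipaddress
from typing import Optional, Tuple

# Constructed sample secret; a real deployment would generate one at install time.
API_TOKEN = "constructed-example-token"


def _is_loopback(addr: str) -> bool:
    """True for 127.0.0.0/8 and ::1; an unparsable address is treated as remote."""
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:
        return False


def authorize(remote_addr: str, path: str, token: Optional[str]) -> Tuple[bool, str]:
    """Decide whether a request may reach the installer API.

    /setup/*/ stays reachable from any host (the exception in the report).
    Everything else must come from loopback AND carry the shared token, the
    extra check the comment asks for so that not every local user gets in.
    """
    # fnmatch's "*" also matches "/", so "/setup/a/b/" is a setup path too.
    if fnmatch.fnmatch(path, "/setup/*/"):
        return True, "setup endpoint"
    if not _is_loopback(remote_addr):
        return False, "non-local client"
    # Constant-time comparison so the token check does not leak by timing.
    if token is None or not hmac.compare_digest(token, API_TOKEN):
        return False, "missing or invalid token"
    return True, "local client with valid token"


class LocalOnlyMiddleware:
    """WSGI wrapper that runs authorize() before handing off to the app."""

    def __init__(self, app):
        self.app = app

    def __call__(self, environ, start_response):
        ok, reason = authorize(environ.get("REMOTE_ADDR", ""),
                               environ.get("PATH_INFO", ""),
                               environ.get("HTTP_X_API_TOKEN"))
        if not ok:
            start_response("403 Forbidden", [("Content-Type", "text/plain")])
            return [f"forbidden: {reason}\n".encode()]
        return self.app(environ, start_response)
```

Wrap the installer's WSGI application as `LocalOnlyMiddleware(app)`; only the `/setup/*/` routes answer a non-local client.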
Verified this on build:
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.
For information on the advisory, and where to find the updated files, follow the link below.
If the solution does not work for you, open a new bug report.