Bug 1387483 - remove reverse DNS validation in kobo.hub.decorators.validate_worker()
Summary: remove reverse DNS validation in kobo.hub.decorators.validate_worker()
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: kobo
Version: 26
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: ---
Assignee: Daniel Mach
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2016-10-21 03:14 UTC by Yuxiang Zhu
Modified: 2017-09-30 06:19 UTC (History)
2 users (show)

Fixed In Version: kobo-0.6.0-1.el7 kobo-0.6.0-1.fc26 kobo-0.6.0-1.fc25 kobo-0.6.0-1.el6 kobo-0.6.0-1.fc27
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2017-09-26 20:52:30 UTC


Attachments (Terms of Use)

Description Yuxiang Zhu 2016-10-21 03:14:03 UTC
Description of problem:

Current version of Kobo uses socket.getfqdn() which collects the worker's source IP address and look it up in DNS. If the PTR record of that IP address in DNS doesn't match the username it claims, Hub will fail and complain "Worker's FQDN (...) doesn't match username (...)".

I don't think it is a good idea to validate the reverse DNS (PTR record).
1. Unless you are the NS administrator of that IP address or operate your own local NS servers, it is impossible to control the PTR record of an IP address. It is unreliable to use an external DNS.
2. We are able to have multiple domain names that point to the same IP address, but an IP address can only have a single PTR record. It is common to run several services on a single host but you can't match the PTR record with every domain names.
3. It is also impossible to run a worker behind NAT...
4. I believe it is safe enough to allow a worker ti connect with correct credential. 

Version-Release number of selected component (if applicable):
master branch

Comment 1 Kamil Dudka 2016-10-21 08:40:15 UTC
We used an entry in /etc/hosts to work around this.  Not sure if it covers all the cases though...

Comment 2 Yuxiang Zhu 2016-10-21 14:57:28 UTC
Any consideration to remove the validation? It will be very helpful to run Kobo based application on Docker or other cloud computing platform.

This patch may help.

From aa90390785557684e539ab85c68e8446bca5fdc9 Mon Sep 17 00:00:00 2001
From: Rayson zhu <vfreex+git@gmail.com>
Date: Fri, 21 Oct 2016 22:50:26 +0800
Subject: [PATCH] remove reverse DNS validation for Kobo worker

---
 kobo/hub/decorators.py | 5 -----
 1 file changed, 5 deletions(-)

diff --git a/kobo/hub/decorators.py b/kobo/hub/decorators.py
index 2bc64e5..d54bb11 100644
--- a/kobo/hub/decorators.py
+++ b/kobo/hub/decorators.py
@@ -16,11 +16,6 @@ def validate_worker(func):
         if getattr(request, 'worker', None) is None:
             raise SuspiciousOperation("User doesn't match any worker: %s" % request.user.username)
 
-        fqdn = socket.getfqdn(request.META["REMOTE_ADDR"])
-        prefix, hostname = request.user.username.split("/", 1)
-        if hostname != fqdn:
-            raise SuspiciousOperation("Worker's FQDN (%s) doesn't match username (%s)" % (fqdn, hostname))
-
         return func(request, *args, **kwargs)
 
     _new_func.__name__ = func.__name__
-- 
2.7.4

Comment 3 Daniel Mach 2016-10-27 08:01:21 UTC
Fixed upstream: https://github.com/release-engineering/kobo/commit/6d83e409dcf56806b433c10012717b3551c69a4f

Moving to MODIFIED until I build a new kobo build in koji.

Comment 4 Yuxiang Zhu 2016-10-27 09:01:29 UTC
(In reply to Daniel Mach from comment #3)
> Fixed upstream:
> https://github.com/release-engineering/kobo/commit/
> 6d83e409dcf56806b433c10012717b3551c69a4f
> 
> Moving to MODIFIED until I build a new kobo build in koji.

Thank you. That'll be very helpful!

Comment 5 Fedora End Of Life 2017-02-28 10:29:10 UTC
This bug appears to have been reported against 'rawhide' during the Fedora 26 development cycle.
Changing version to '26'.

Comment 6 Fedora Update System 2017-09-06 03:54:49 UTC
kobo-0.6.0-1.fc27 has been submitted as an update to Fedora 27. https://bodhi.fedoraproject.org/updates/FEDORA-2017-37ed4d4db6

Comment 7 Fedora Update System 2017-09-06 03:55:03 UTC
kobo-0.6.0-1.el7 has been submitted as an update to Fedora EPEL 7. https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2017-0579784f53

Comment 8 Fedora Update System 2017-09-06 03:55:14 UTC
kobo-0.6.0-1.fc26 has been submitted as an update to Fedora 26. https://bodhi.fedoraproject.org/updates/FEDORA-2017-6b7dcfe861

Comment 9 Fedora Update System 2017-09-06 03:55:24 UTC
kobo-0.6.0-1.el6 has been submitted as an update to Fedora EPEL 6. https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2017-57639ea44b

Comment 10 Fedora Update System 2017-09-06 03:55:34 UTC
kobo-0.6.0-1.fc25 has been submitted as an update to Fedora 25. https://bodhi.fedoraproject.org/updates/FEDORA-2017-bc3c16a54f

Comment 11 Fedora Update System 2017-09-06 22:24:03 UTC
kobo-0.6.0-1.fc25 has been pushed to the Fedora 25 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-bc3c16a54f

Comment 12 Fedora Update System 2017-09-06 22:30:08 UTC
kobo-0.6.0-1.fc26 has been pushed to the Fedora 26 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-6b7dcfe861

Comment 13 Fedora Update System 2017-09-06 22:49:06 UTC
kobo-0.6.0-1.el6 has been pushed to the Fedora EPEL 6 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2017-57639ea44b

Comment 14 Fedora Update System 2017-09-07 12:18:26 UTC
kobo-0.6.0-1.el7 has been pushed to the Fedora EPEL 7 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2017-0579784f53

Comment 15 Fedora Update System 2017-09-07 14:32:12 UTC
kobo-0.6.0-1.fc27 has been pushed to the Fedora 27 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-37ed4d4db6

Comment 16 Fedora Update System 2017-09-26 20:52:30 UTC
kobo-0.6.0-1.el7 has been pushed to the Fedora EPEL 7 stable repository. If problems still persist, please make note of it in this bug report.

Comment 17 Fedora Update System 2017-09-26 23:54:04 UTC
kobo-0.6.0-1.fc26 has been pushed to the Fedora 26 stable repository. If problems still persist, please make note of it in this bug report.

Comment 18 Fedora Update System 2017-09-27 05:25:47 UTC
kobo-0.6.0-1.fc25 has been pushed to the Fedora 25 stable repository. If problems still persist, please make note of it in this bug report.

Comment 19 Fedora Update System 2017-09-27 08:18:31 UTC
kobo-0.6.0-1.el6 has been pushed to the Fedora EPEL 6 stable repository. If problems still persist, please make note of it in this bug report.

Comment 20 Fedora Update System 2017-09-30 06:19:01 UTC
kobo-0.6.0-1.fc27 has been pushed to the Fedora 27 stable repository. If problems still persist, please make note of it in this bug report.


Note You need to log in before you can comment on or make changes to this bug.