Class: MCollective::Security::Base

This is a base class the other security modules should inherit from it handles statistics and validation of messages that should in most cases apply to all security models.

To create your own security plugin you should provide a plugin that inherits from this and provides the following methods:

decodemsg - Decodes a message that was received from the middleware encodereply - Encodes a reply message to a previous request message encoderequest - Encodes a new request message validrequest? - Validates a request received from the middleware

Optionally if you are identifying users by some other means like certificate name you can provide your own callerid method that can provide the rest of the system with an id, and you would see this id being usable in SimpleRPC authorization methods

The @initiated_by variable will be set to either :client or :node depending on who is using this plugin. This is to help security providers that operate in an asymetric mode like public/private key based systems.

Specifics of each of these are a bit fluid and the interfaces for this is not set in stone yet, specifically the encode methods will be provided with a helper that takes care of encoding the core requirements. The best place to see how security works is by looking at the provided MCollective::Security::PSK plugin.

Methods

callerid create_reply create_request decodemsg encodereply encoderequest inherited new should_process_msg? valid_callerid? validate_filter? validrequest?

Attributes

initiated_by	[RW]
stats	[R]

Public Class methods

inherited(klass)

new()

Initializes configuration and logging as well as prepare a zero‘d hash of stats various security methods and filter validators should increment stats, see MCollective::Security::Psk for a sample

Public Instance methods

callerid()

Returns a unique id for the caller, by default we just use the unix user id, security plugins can provide their own means of doing ids.

create_reply(reqid, agent, body)

create_request(reqid, filter, msg, initiated_by, target_agent, target_collective, ttl=60)

decodemsg(msg)

Security providers should provide this, see MCollective::Security::Psk

encodereply(sender, msg, requestcallerid=nil)

Security providers should provide this, see MCollective::Security::Psk

encoderequest(sender, msg, filter={})

Security providers should provide this, see MCollective::Security::Psk

should_process_msg?(msg, msgid)

Give a MC::Message instance and a message id this will figure out if you the incoming message id matches the one the Message object is expecting and raise if its not

Mostly used by security plugins to figure out if they should do the hard work of decrypting etc messages that would only later on be ignored

valid_callerid?(id)

Validates a callerid. We do not want to allow things like \ and / in callerids since other plugins make assumptions that these are safe strings.

callerids are generally in the form uid=123 or cert=foo etc so we do that here but security plugins could override this for some complex uses

validate_filter?(filter)

Takes a Hash with a filter in it and validates it against host information.

At present this supports filter matches against the following criteria:

puppet_class|cf_class - Presence of a configuration management class in

                        the file configured with classesfile

agent - Presence of a MCollective agent with a supplied name
fact - The value of a fact avout this system
identity - the configured identity of the system

TODO: Support REGEX and/or multiple filter keys to be AND‘d

validrequest?(req)

Security providers should provide this, see MCollective::Security::Psk