action #176241
open[spike][timeboxed:10h] Only allow unauthorized asset access on OSD based on network interface size:S
Status: Workable
Priority: Low
Assignee: -
Category: Feature requests
Target version:
Start date:
Due date:
% Done: 0%
Estimated time:
Description
Motivation
As discussed in #175902 there are certain use cases where unauthorized, unencrypted asset access is necessary, e.g.
- http://openqa.suse.de/assets/iso/agama-installer.s390x-11.0.0-SLE-Build3.7.iso
- http://openqa.suse.de/assets/repo/SLE-15-SP7-Product-SLES-POOL-x86_64-Build56.1-Media1/
- (http,10.145.10.207)/assets/repo/SLE-15-SP7-Online-ppc64le-Build56.1-Media1/boot/ppc64le/linux
If it turns out we can't or mustn't allow complete unauthenticated access to /iso/ or /repo/, then we could look into the approach of using a dedicated network interface for zone-cc traffic and other traffic, e.g. OSD openQA workers from NUE2. Then we can have separate nginx instances listening on the corresponding server IP addresses of separate interfaces with differing config, i.e. allow unauthenticated traffic within zone-cc but only authenticated traffic from and to other zones.
Acceptance Criteria
- AC1: We know how to configure NGINX to allow/disallow unauthorized asset downloads by network interface.
Suggestions
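One way to meet AC1, as an added example that is not part of the ticket or OSD's configuration: two server blocks bound to different interface addresses, shown in one NGINX instance for brevity where the ticket proposes separate instances. The IP addresses, asset path, backend address and the `/auth-check` endpoint are placeholders, and `auth_request` is an assumed way to enforce authentication.

```nginx
# Added example, not OSD's real configuration.
# All addresses, paths and the auth endpoint below are placeholders.
upstream webui_backend {
    server 127.0.0.1:8080;              # placeholder: application that validates sessions
}

# Address of the interface inside zone-cc (placeholder IP):
# unauthenticated, unencrypted asset downloads are allowed here.
server {
    listen 192.0.2.10:80;               # bind to this address only, not 0.0.0.0

    location /assets/ {
        alias /srv/example/assets/;     # placeholder asset root containing iso/ and repo/
    }
    location / {
        proxy_pass http://webui_backend;
    }
}

# Address of the interface facing other zones (placeholder IP):
# every asset request must pass an authentication subrequest first.
# TLS settings are omitted to keep the example short.
server {
    listen 198.51.100.10:80;

    location /assets/ {
        auth_request /_auth_check;      # requires ngx_http_auth_request_module
        alias /srv/example/assets/;
    }

    # Internal-only subrequest target. The backend endpoint is hypothetical:
    # a 2xx answer allows the download, 401 or 403 denies it.
    location = /_auth_check {
        internal;
        proxy_pass http://webui_backend/auth-check;
        proxy_pass_request_body off;    # the check needs headers only
        proxy_set_header Content-Length "";
        proxy_set_header X-Original-URI $request_uri;
    }
    location / {
        proxy_pass http://webui_backend;
    }
}
```

`listen` matches on the destination address, not the receiving interface, and Linux by default accepts packets for any local address on any interface, so pair this with firewall rules that restrict which interface may reach each address.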
Updated by okurz about 1 month ago
- Copied from action #175902: Enable prevention of unauthorized asset downloads on OSD size:S added
Updated by okurz about 1 month ago
- Related to action #176670: Allow-list for OSD asset download added