Faking mcollective's caller id on client side

asked 2014-06-05 03:59:18 -0500

netkgk

Quote from the official MCollective security overview: "The client embeds a caller structure in each request, if RSA decryption pass the rest of the MCollective agents, auditing etc can securely know who initiated a request. This caller is used later during Authorization and Auditing." But the callerid could easily be faked by a client just by modifying the security plug-in. And because of that it cannot be used for authorization purposes. Is it possible to define the callerid only on the server side by mapping the client's certificate to a login name?

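The server-side mapping the question asks about, as an added sketch that is not part of the original post and not MCollective's own code: the server ignores the caller field in the request and takes the identity from whichever registered public key verifies the signature. The wire format, the `TRUSTED_CLIENTS` table, the helper names and the `cert=` label format are assumptions made for illustration.

```ruby
require 'openssl'
require 'json'

# Constructed sample data: two client key pairs generated on the fly.
ALICE_KEY = OpenSSL::PKey::RSA.new(2048)
BOB_KEY   = OpenSSL::PKey::RSA.new(2048)

# Hypothetical server-side registry: login name => client public key.
# Only the server controls this table; clients cannot add to it.
TRUSTED_CLIENTS = {
  'alice' => ALICE_KEY.public_key,
  'bob'   => BOB_KEY.public_key
}.freeze

# Client side (assumed wire format): the body carries a self-declared
# callerid, which is exactly the field a modified client can set freely.
def build_request(private_key, claimed_callerid, action)
  body = JSON.generate('callerid' => claimed_callerid, 'action' => action)
  { body: body, sig: private_key.sign(OpenSSL::Digest.new('SHA256'), body) }
end

# True only if this public key produced the signature over the body.
def signed_by?(pubkey, request)
  pubkey.verify(OpenSSL::Digest.new('SHA256'), request[:sig], request[:body])
rescue OpenSSL::PKey::PKeyError
  false
end

# Server side: the authenticated identity is the registry entry whose key
# verifies the signature. The client-supplied callerid is kept only so a
# mismatch can be flagged for auditing; it never decides authorization.
def authenticate(request)
  login, = TRUSTED_CLIENTS.find { |_name, pub| signed_by?(pub, request) }
  return nil unless login # signed by a key the server does not know

  derived = "cert=#{login}"
  claimed = JSON.parse(request[:body])['callerid']
  { callerid: derived, claimed: claimed, spoofed: claimed != derived }
end

# bob's client claims to be alice; the server still attributes it to bob.
forged = authenticate(build_request(BOB_KEY, 'cert=alice', 'restart'))
puts forged.inspect
```

Authorization and audit code would read only `:callerid` from the result; a `:spoofed` value of true is a signal worth logging.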