Add application-level per-realm firewall configuration #644
Conversation
google-cla
bot
added
the
cla: yes
|
/hold I think this is dangerous for api server - that’s intended to be accessed by mobile devices |
sethvargo
force-pushed
the
sethvargo/firewall
branch
from
5341046
to
eb367fd
Compare
|
I wrote the help text to strongly discourage people from enabling the firewall against the apiserver, but I do think there's a legit use case where someone running their own server might want to do so. For example, they might be running a staging server and want to restrict devices on a particular subnet from uploading to it. One could argue they should add that protection at another layer, but I do see the use case. |
|
@sethvargo i believe it had to be on a different layer as well , where logging will be normally available in case the wrong CIDR block is added there will be no way to trace or debug. |
sethvargo
force-pushed
the
sethvargo/firewall
branch
from
eb367fd
to
221584b
Compare
|
@sherifkozman the logs will include a message if a request is blocked due to the IP. It won't tell you which IP, but you can correlate it to timestamps. This can't be higher in the stack because it's a realm-level configuration, and users can be a member of multiple realms. For example, Jacky might be able to access realm1 from anywhere, but can only access realm2 from a corporate IP subnet. |
|
@mikehelmick PTAnotherL |
👁️ looking |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: mikehelmick, sethvargo The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
This adds per-realm firewall settings (by allowed CIDR blocks) for the adminapi, apiserver, and main server.
Release Note
/assign @mikehelmick