This repository has been archived by the owner on Nov 14, 2022. It is now read-only.

NFS VolumeMountACL filter #29

Open
gberche-orange opened this issue Jan 26, 2017 · 0 comments
gberche-orange commented Jan 26, 2017

As a CF operator, in order to control which NFS servers can be mounted by service brokers on diego cells, I need to be able to reject some service broker bind responses that match a black list. Note that the CF operator will control which mount options are accepted through cloudfoundry/nfsv3driver#2.

Given the following white list config:

BROKER_FILTER_TRUSTED_VOLUME_MOUNT_SOURCE_REGEXP="nfs://1\.2\.3\.4:25840/my/share/.*"

When the filtered broker binding response is:

{
  "credentials": {
    "data_set_version": "2017.01.20.17.11",
    "data_tags": "images,pets,nature"
  },
  "volume_mounts": [
    {
      "driver": "nfsv3driver",
      "container_dir": "/data/images",
      "mode": "rw",
      "device_type": "shared",
      "device": {
        "volume_id": "bc2c1eab-05b9-482d-b0cf-750ee07de311",
        "mount_config": {
          "source": "nfs://1.2.3.4:25840/my/share/to/mount?uid=1004&gid=1004&auto_cache&multithread&default_permissions",
          "attr_timeout": "0",
          "negative_timeout": "2"
        }
      }
    }
  ]
}

Then the same binding response is returned to the cloudcontroller

When the filtered broker binding response is:

{
  "credentials": {
    "data_set_version": "2017.01.20.17.11",
    "data_tags": "images,pets,nature"
  },
  "volume_mounts": [
    {
      "driver": "nfsv3driver",
      "container_dir": "/data/images",
      "mode": "rw",
      "device_type": "shared",
      "device": {
        "volume_id": "bc2c1eab-05b9-482d-b0cf-750ee07de311",
        "mount_config": {
          "source": "nfs://1.2.3.4:25840/my/share/to/mount?uid=1004&gid=1004&auto_cache&multithread&default_permissions",
          "attr_timeout": "0",
          "negative_timeout": "2"
        }
      }
    }
  ]
}

Then a response with a 403 HTTP status code is returned with the following compliant response body:

{
  "description": "The broker provider volume group was rejected by the security group filter. Please ask the Cf operator to check sec-group-filter log for detailed regexp non match."
}

Note that uid/gid options outside of the mount url would be disabled through the use of nfsv3driver.allowed-in-mount, which would not include nfs_uid,nfs_gid:
https://github.com/cloudfoundry-incubator/nfs-volume-release/blob/5628a0241d937a796807f6a5c76031640ff6d0ed/jobs/nfsv3driver/spec#L39-L42

/CC @smaillan @nabbar @f-guichard @allamand @s-bortolussi
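As an added example (not code from this issue or from the CF projects it references), a Go implementation of the proposed check, written under the assumption that the filter sits between the broker and the Cloud Controller and sees the bind response JSON; the `bindResponse` type, `FilterBindResponse` function and log-line format are hypothetical. It anchors the configured regexp (`^...$`) so that a trusted prefix embedded in an untrusted URL is not accepted by a substring match.

```go
package main

import (
	"encoding/json"
	"fmt"
	"regexp"
)

// bindResponse: minimal view of a bind response; only volume_mounts[].device.mount_config.source is inspected.
type bindResponse struct {
	VolumeMounts []struct {
		Device struct {
			MountConfig struct {
				Source string `json:"source"`
			} `json:"mount_config"`
		} `json:"device"`
	} `json:"volume_mounts"`
}

// RejectionBody is the 403 body proposed in the issue.
const RejectionBody = `{"description": "The broker provider volume group was rejected by the security group filter. Please ask the Cf operator to check sec-group-filter log for detailed regexp non match."}`

// FilterBindResponse applies the trusted-source regexp (the value of
// BROKER_FILTER_TRUSTED_VOLUME_MOUNT_SOURCE_REGEXP) to every mount source.
// It returns 200 and the unchanged body when all sources match, or 403 and
// RejectionBody when one does not. The regexp is anchored (^...$) on purpose.
func FilterBindResponse(trustedSourceRegexp string, body []byte) (int, []byte, error) {
	re, err := regexp.Compile("^(?:" + trustedSourceRegexp + ")$")
	if err != nil {
		return 0, nil, err
	}
	var resp bindResponse
	if err := json.Unmarshal(body, &resp); err != nil {
		return 0, nil, err
	}
	for _, vm := range resp.VolumeMounts {
		if src := vm.Device.MountConfig.Source; !re.MatchString(src) {
			// Operator-facing log line (constructed format) so the non match can be diagnosed.
			fmt.Printf("sec-group-filter: rejected mount source %q (regexp %q)\n", src, trustedSourceRegexp)
			return 403, []byte(RejectionBody), nil
		}
	}
	return 200, body, nil
}

// bindBody builds a constructed minimal bind response carrying one mount source.
func bindBody(src string) []byte {
	return []byte(`{"volume_mounts":[{"driver":"nfsv3driver","device":{"mount_config":{"source":"` + src + `"}}}]}`)
}
```

A response with no volume_mounts passes through untouched, and a malformed regexp is reported as an error rather than silently allowing everything.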
