Posted to commits@airavata.apache.org by di...@apache.org on 2020/11/20 04:15:07 UTC

[airavata] 01/01: Updating firewall rules to restrict services to subnets

This is an automated email from the ASF dual-hosted git repository.

dimuthuupe pushed a commit to branch firewall-fixes
in repository https://gitbox.apache.org/repos/asf/airavata.git

commit cce58999ba6ecf40c48e1b5ec16a2c9ecad2a16d
Author: Dimuthu Wannipurage <di...@gmail.com>
AuthorDate: Thu Nov 19 23:11:15 2020 -0500

    Updating firewall rules to restrict services to subnets
---
 .../scigap/develop/group_vars/all/vars.yml         | 24 ++++++++++
 dev-tools/ansible/inventories/scigap/develop/hosts |  2 +-
 dev-tools/ansible/roles/api-orch/tasks/main.yml    | 52 ++++++++++++++++++----
 dev-tools/ansible/roles/database/tasks/main.yml    | 13 ++++--
 dev-tools/ansible/roles/env_setup/tasks/main.yml   |  8 ++++
 dev-tools/ansible/roles/kafka/tasks/main.yml       | 21 ++++++---
 dev-tools/ansible/roles/rabbitmq/tasks/main.yml    | 21 +++++++--
 dev-tools/ansible/roles/zookeeper/tasks/main.yml   |  8 +++-
 8 files changed, 125 insertions(+), 24 deletions(-)

diff --git a/dev-tools/ansible/inventories/scigap/develop/group_vars/all/vars.yml b/dev-tools/ansible/inventories/scigap/develop/group_vars/all/vars.yml
index be0741e..aef6f0d 100644
--- a/dev-tools/ansible/inventories/scigap/develop/group_vars/all/vars.yml
+++ b/dev-tools/ansible/inventories/scigap/develop/group_vars/all/vars.yml
@@ -181,3 +181,27 @@ thrift_client_pool_abandoned_removal_enabled: true
 thrift_client_pool_abandoned_removal_logged: true
 
 usage_reporting_key: "{{ vault_usage_reporting_key }}"
+
+# Subnet definitions
+iu_subnets:
+  - "149.163.0.0/16"
+  - "140.182.0.0/16"
+  - "149.165.0.0/16"
+  - "192.68.133.0/24"
+  - "192.12.206.0/24"
+  - "149.159.0.0/16"
+  - "156.56.0.0/16"
+  - "149.161.0.0/16"
+  - "149.160.0.0/16"
+  - "149.166.0.0/16"
+  - "134.68.0.0/16"
+  - "129.79.0.0/16"
+
+zk_subnets: "{{ iu_subnets }}"
+kafka_subnets: "{{ iu_subnets }}"
+sharing_subnets: "{{ iu_subnets }}"
+registry_subnets: "{{ iu_subnets }}"
+credential_store_subnets: "{{ iu_subnets }}"
+rabbitmq_subnets: "{{ iu_subnets }}"
+db_subnets: "{{ iu_subnets }}"
+zabbix_subnets: "{{ iu_subnets }}"
\ No newline at end of file
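Review bot: The new `iu_subnets` block has no comment saying what these ranges are or what they gate, so a maintainer adding a host outside them will not know every internal service port below depends on this list; a short header such as `# Source networks allowed to reach internal Airavata services (IPv4 only: the firewalld rich rules use family=ipv4)` would make that explicit. All eight `*_subnets` variables alias the same list, which is fine today but means the per-service indirection is only useful if someone later narrows one of them, worth stating in that comment. The file also now ends without a trailing newline (`\ No newline at end of file`), which is a style nit worth fixing in the same commit.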
diff --git a/dev-tools/ansible/inventories/scigap/develop/hosts b/dev-tools/ansible/inventories/scigap/develop/hosts
index 9184ea6..6e96fe7 100644
--- a/dev-tools/ansible/inventories/scigap/develop/hosts
+++ b/dev-tools/ansible/inventories/scigap/develop/hosts
@@ -2,7 +2,7 @@
 # inventory file : scigap develop deployment
 
 [zookeeper]
-149.165.156.195
+149.165.157.37
 
 [rabbitmq]
 149.165.156.195
diff --git a/dev-tools/ansible/roles/api-orch/tasks/main.yml b/dev-tools/ansible/roles/api-orch/tasks/main.yml
index a81449d..8692c19 100644
--- a/dev-tools/ansible/roles/api-orch/tasks/main.yml
+++ b/dev-tools/ansible/roles/api-orch/tasks/main.yml
@@ -81,16 +81,50 @@
           owner={{ user }}
           group={{ group }}
 
-- name: Open firwall ports
-  firewalld: port={{ item }} zone=public permanent=true state=enabled immediate=yes
+- name: allow only selected networks to access Airavata Sharing Registry
+  firewalld:
+    zone: public
+    permanent: yes
+    state: enabled
+    rich_rule: rule family=ipv4 source address="{{ item }}" port port="{{ sharing_registry_port }}" protocol=tcp accept
   with_items:
-    - "{{ api_server_port }}/tcp"
-    - "{{ api_server_tls_port }}/tcp"
-    - "{{ orchestrator_port }}/tcp"
-    - "{{ cred_store_port }}/tcp"
-    - "{{ registry_port }}/tcp"
-    - "{{ profile_service_port }}/tcp"
-    - "{{ sharing_registry_port }}/tcp"
+    - "{{ sharing_subnets }}"
+  become_user: root
+
+- name: allow only selected networks to access Airavata Registry
+  firewalld:
+    zone: public
+    permanent: yes
+    state: enabled
+    rich_rule: rule family=ipv4 source address="{{ item }}" port port="{{ registry_port }}" protocol=tcp accept
+  with_items:
+    - "{{ registry_subnets }}"
+  become_user: root
+
+- name: allow only selected networks to access Airavata Credential Store
+  firewalld:
+    zone: public
+    permanent: yes
+    state: enabled
+    rich_rule: rule family=ipv4 source address="{{ item }}" port port="{{ cred_store_port }}" protocol=tcp accept
+  with_items:
+    - "{{ credential_store_subnets }}"
+  become_user: root
+
+- name: allow all networks to access Airavata API Server over TLS
+  firewalld:
+    zone: public
+    permanent: yes
+    state: enabled
+    port: "{{ api_server_tls_port }}/tcp"
+  become_user: root
+
+- name: allow all networks to access Airavata Profile service
+  firewalld:
+    zone: public
+    permanent: yes
+    state: enabled
+    port: "{{ profile_service_port }}/tcp"
   become_user: root
 
 - name: Install api-orch systemd script
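Review bot: The old wide-open `port=` entries for `api_server_port`, `orchestrator_port`, `cred_store_port`, `registry_port` and `sharing_registry_port` are dropped from the playbook but nothing sets them to `state: disabled`, so on any host that was provisioned before this change the permanent firewalld config keeps those ports reachable from everywhere and the new rich rules restrict nothing. The replacement tasks also drop the `immediate=yes` the removed task had, so even on fresh hosts the rich rules are written only to the permanent config and do not take effect until firewalld is reloaded; each new task should carry `immediate: yes`. Note that `api_server_port` and `orchestrator_port` are no longer opened at all; if closing them is intended it deserves a comment, otherwise they need a rich-rule task like the others.

```yaml
- name: remove the previous unrestricted port rules so the rich rules actually restrict access
  firewalld:
    zone: public
    permanent: yes
    immediate: yes
    state: disabled
    port: "{{ item }}/tcp"
  with_items:
    - "{{ api_server_port }}"
    - "{{ orchestrator_port }}"
    - "{{ cred_store_port }}"
    - "{{ registry_port }}"
    - "{{ sharing_registry_port }}"
  become_user: root

# … unchanged: rich-rule tasks for sharing registry, registry and credential store (add immediate: yes to each) …
```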
diff --git a/dev-tools/ansible/roles/database/tasks/main.yml b/dev-tools/ansible/roles/database/tasks/main.yml
index 775d405..a0b5016 100644
--- a/dev-tools/ansible/roles/database/tasks/main.yml
+++ b/dev-tools/ansible/roles/database/tasks/main.yml
@@ -142,7 +142,12 @@
 - include: keycloak.yml
   when: "'keycloak' in groups"
 
-- name: open firewall port {{ db_server_port }}
-  firewalld: port="{{ db_server_port }}/tcp"
-             zone=public permanent=true state=enabled immediate=yes
-  become_user: root
+- name: allow only selected networks to access DB
+    firewalld:
+      zone: public
+      permanent: yes
+      state: enabled
+      rich_rule: rule family=ipv4 source address="{{ item }}" port port="{{ db_server_port }}" protocol=tcp accept
+    with_items:
+      - "{{ db_subnets }}"
+    become_user: root
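Review bot: The new DB task is mis-indented: `firewalld:`, `with_items:` and `become_user:` sit at column 4 under `- name:` whose key is at column 2, so the YAML parser reads them as a continuation of the `name` scalar and the role fails to load rather than applying any rule. Dedent those eight lines by two spaces so they match the sibling tasks in the other roles (`  firewalld:` / `    zone: public` …). As with the other roles, the old `port="{{ db_server_port }}/tcp"` entry is not disabled and `immediate` is no longer set, so existing hosts keep the database port open to all networks until the stale rule is removed and the rich rules are made live.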
diff --git a/dev-tools/ansible/roles/env_setup/tasks/main.yml b/dev-tools/ansible/roles/env_setup/tasks/main.yml
index 38abc04..5123fa8 100644
--- a/dev-tools/ansible/roles/env_setup/tasks/main.yml
+++ b/dev-tools/ansible/roles/env_setup/tasks/main.yml
@@ -70,4 +70,12 @@
   command: firewall-cmd --zone=public --permanent --add-port=22/tcp
   become: yes
   when: ansible_os_family == "Debian"
+
+- name: allow all networks to access zabbix
+  firewalld:
+    zone: public
+    permanent: yes
+    state: enabled
+    port: 10050/tcp
+  become: yes
 ...
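Review bot: The zabbix task opens 10050/tcp to every source even though the same commit defines `zabbix_subnets` in vars.yml and never uses it; the task name says "allow all networks", so this looks deliberate, but a Zabbix agent port exposed world-wide is exactly what the rest of the commit is trying to avoid. Restricting it the same way as the other services is a two-line change: `rich_rule: rule family=ipv4 source address="{{ item }}" port port="10050" protocol=tcp accept` in place of `port: 10050/tcp`, plus `with_items: "{{ zabbix_subnets }}"`. Either way the task should set `immediate: yes` so the rule is live without a reload, and a comment stating that the Zabbix server lives inside those subnets (or why it cannot) would document the decision.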
diff --git a/dev-tools/ansible/roles/kafka/tasks/main.yml b/dev-tools/ansible/roles/kafka/tasks/main.yml
index f758b6f..45f406c 100644
--- a/dev-tools/ansible/roles/kafka/tasks/main.yml
+++ b/dev-tools/ansible/roles/kafka/tasks/main.yml
@@ -69,12 +69,23 @@
   notify: restart kafka-rest-proxy
   become: yes
 
-# Open kafka port to be accessible from outside
-- name: Open firwall ports
-  firewalld: port={{ item }} zone=public permanent=true state=enabled immediate=yes
+- name: open kafka port
+  firewalld:
+    zone: public
+    permanent: yes
+    state: enabled
+    rich_rule: rule family=ipv4 source address="{{ item }}" port port={{ kafka_listener_port }} protocol=tcp accept
   with_items:
-    - "{{ kafka_listener_port }}/tcp"
-    - "{{ kafka_rest_proxy_listener_port }}/tcp"
+    - "{{ kafka_subnets }}"
+  become: yes
+
+- name: open kafka rest proxy port
+  firewalld:
+    zone: public
+    permanent: yes
+    state: enabled
+    port: "{{ kafka_rest_proxy_listener_port }}/tcp"
+    immediate: yes
   become: yes
 
 - name: systemd install kafka service script
diff --git a/dev-tools/ansible/roles/rabbitmq/tasks/main.yml b/dev-tools/ansible/roles/rabbitmq/tasks/main.yml
index d71ffaa..05cbd52 100644
--- a/dev-tools/ansible/roles/rabbitmq/tasks/main.yml
+++ b/dev-tools/ansible/roles/rabbitmq/tasks/main.yml
@@ -29,11 +29,24 @@
   yum: name=https://www.rabbitmq.com/releases/rabbitmq-server/v3.6.3/rabbitmq-server-3.6.3-1.noarch.rpm state=present
   become: yes
 
-- name: open rabbitmq ports
-  firewalld: port={{ item }} zone=public permanent=true state=enabled immediate=yes
+- name: allow only selected networks to access Airavata RabbitMQ
+  firewalld:
+    zone: public
+    permanent: yes
+    state: enabled
+    rich_rule: rule family=ipv4 source address="{{ item }}" port port="{{ rabbitmq_port }}" protocol=tcp accept
   with_items:
-    - "{{ rabbitmq_port }}/tcp"
-    - "{{ management_plugin_port }}/tcp"
+    - "{{ rabbitmq_subnets }}"
+  become: yes
+
+- name: allow only selected networks to access Airavata RabbitMQ Management Console
+  firewalld:
+    zone: public
+    permanent: yes
+    state: enabled
+    rich_rule: rule family=ipv4 source address="{{ item }}" port port="{{ management_plugin_port }}" protocol=tcp accept
+  with_items:
+    - "{{ rabbitmq_subnets }}"
   become: yes
 
 - name: Edit /etc/hosts file
diff --git a/dev-tools/ansible/roles/zookeeper/tasks/main.yml b/dev-tools/ansible/roles/zookeeper/tasks/main.yml
index 2d2c303..728eca1 100644
--- a/dev-tools/ansible/roles/zookeeper/tasks/main.yml
+++ b/dev-tools/ansible/roles/zookeeper/tasks/main.yml
@@ -30,7 +30,13 @@
   become: yes
 
 - name: open zookeeper port
-  firewalld: port=2181/tcp zone=public permanent=true state=enabled immediate=yes
+  firewalld:
+    zone: public
+    permanent: yes
+    state: enabled
+    rich_rule: rule family=ipv4 source address="{{ item }}" port port=2181 protocol=tcp accept
+  with_items:
+    - "{{ zk_subnets }}"
   become: yes
 
 - name: Copy zoo.cfg file
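Review bot: The zookeeper rich rule hard-codes `port port=2181` while every other role reads its port from a variable, and the value is unquoted unlike the other rules' `port port="…"`; using `port port="{{ zookeeper_port | default(2181) }}"` (or whatever variable zoo.cfg is templated from) keeps the firewall and the service configuration from drifting apart. The task no longer sets `immediate: yes`, so the restriction is not live until a reload, and the previous `port=2181/tcp` entry is not disabled, so existing hosts keep ZooKeeper open to all sources. A comment on the task such as `# ZooKeeper has no authentication on the client port; only IU networks may reach it` would record why the subnet restriction matters here.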