Posted to commits@airavata.apache.org by di...@apache.org on 2020/11/20 04:15:07 UTC
[airavata] 01/01: Updating firewall rules to restrict services to
subnets
This is an automated email from the ASF dual-hosted git repository.
dimuthuupe pushed a commit to branch firewall-fixes
in repository https://gitbox.apache.org/repos/asf/airavata.git
commit cce58999ba6ecf40c48e1b5ec16a2c9ecad2a16d
Author: Dimuthu Wannipurage <di...@gmail.com>
AuthorDate: Thu Nov 19 23:11:15 2020 -0500
Updating firewall rules to restrict services to subnets
---
.../scigap/develop/group_vars/all/vars.yml | 24 ++++++++++
dev-tools/ansible/inventories/scigap/develop/hosts | 2 +-
dev-tools/ansible/roles/api-orch/tasks/main.yml | 52 ++++++++++++++++++----
dev-tools/ansible/roles/database/tasks/main.yml | 13 ++++--
dev-tools/ansible/roles/env_setup/tasks/main.yml | 8 ++++
dev-tools/ansible/roles/kafka/tasks/main.yml | 21 ++++++---
dev-tools/ansible/roles/rabbitmq/tasks/main.yml | 21 +++++++--
dev-tools/ansible/roles/zookeeper/tasks/main.yml | 8 +++-
8 files changed, 125 insertions(+), 24 deletions(-)
diff --git a/dev-tools/ansible/inventories/scigap/develop/group_vars/all/vars.yml b/dev-tools/ansible/inventories/scigap/develop/group_vars/all/vars.yml
index be0741e..aef6f0d 100644
--- a/dev-tools/ansible/inventories/scigap/develop/group_vars/all/vars.yml
+++ b/dev-tools/ansible/inventories/scigap/develop/group_vars/all/vars.yml
@@ -181,3 +181,27 @@ thrift_client_pool_abandoned_removal_enabled: true
thrift_client_pool_abandoned_removal_logged: true
usage_reporting_key: "{{ vault_usage_reporting_key }}"
+
+# Subnet definitions
+iu_subnets:
+ - "149.163.0.0/16"
+ - "140.182.0.0/16"
+ - "149.165.0.0/16"
+ - "192.68.133.0/24"
+ - "192.12.206.0/24"
+ - "149.159.0.0/16"
+ - "156.56.0.0/16"
+ - "149.161.0.0/16"
+ - "149.160.0.0/16"
+ - "149.166.0.0/16"
+ - "134.68.0.0/16"
+ - "129.79.0.0/16"
+
+zk_subnets: "{{ iu_subnets }}"
+kafka_subnets: "{{ iu_subnets }}"
+sharing_subnets: "{{ iu_subnets }}"
+registry_subnets: "{{ iu_subnets }}"
+credential_store_subnets: "{{ iu_subnets }}"
+rabbitmq_subnets: "{{ iu_subnets }}"
+db_subnets: "{{ iu_subnets }}"
+zabbix_subnets: "{{ iu_subnets }}"
\ No newline at end of file
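Review bot: `zabbix_subnets` is defined here but nothing in the commit consumes it; the zabbix task added to env_setup opens 10050/tcp to all networks with a plain `port:` entry, so the variable gives a misleading impression that zabbix is subnet-restricted. Either use it in a `rich_rule` like the other services or drop it. The list is IPv4-only and every new rich rule is `family=ipv4`, which is consistent, but worth a comment such as `# IPv4 only; rich rules below use family=ipv4` so a later IPv6 host is not assumed covered. The file also ends without a trailing newline (see the `\ No newline at end of file` marker).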
diff --git a/dev-tools/ansible/inventories/scigap/develop/hosts b/dev-tools/ansible/inventories/scigap/develop/hosts
index 9184ea6..6e96fe7 100644
--- a/dev-tools/ansible/inventories/scigap/develop/hosts
+++ b/dev-tools/ansible/inventories/scigap/develop/hosts
@@ -2,7 +2,7 @@
# inventory file : scigap develop deployment
[zookeeper]
-149.165.156.195
+149.165.157.37
[rabbitmq]
149.165.156.195
diff --git a/dev-tools/ansible/roles/api-orch/tasks/main.yml b/dev-tools/ansible/roles/api-orch/tasks/main.yml
index a81449d..8692c19 100644
--- a/dev-tools/ansible/roles/api-orch/tasks/main.yml
+++ b/dev-tools/ansible/roles/api-orch/tasks/main.yml
@@ -81,16 +81,50 @@
owner={{ user }}
group={{ group }}
-- name: Open firwall ports
- firewalld: port={{ item }} zone=public permanent=true state=enabled immediate=yes
+- name: allow only selected networks to access Airavata Sharing Registry
+ firewalld:
+ zone: public
+ permanent: yes
+ state: enabled
+ rich_rule: rule family=ipv4 source address="{{ item }}" port port="{{ sharing_registry_port }}" protocol=tcp accept
with_items:
- - "{{ api_server_port }}/tcp"
- - "{{ api_server_tls_port }}/tcp"
- - "{{ orchestrator_port }}/tcp"
- - "{{ cred_store_port }}/tcp"
- - "{{ registry_port }}/tcp"
- - "{{ profile_service_port }}/tcp"
- - "{{ sharing_registry_port }}/tcp"
+ - "{{ sharing_subnets }}"
+ become_user: root
+
+- name: allow only selected networks to access Airavata Registry
+ firewalld:
+ zone: public
+ permanent: yes
+ state: enabled
+ rich_rule: rule family=ipv4 source address="{{ item }}" port port="{{ registry_port }}" protocol=tcp accept
+ with_items:
+ - "{{ registry_subnets }}"
+ become_user: root
+
+- name: allow only selected networks to access Airavata Credential Store
+ firewalld:
+ zone: public
+ permanent: yes
+ state: enabled
+ rich_rule: rule family=ipv4 source address="{{ item }}" port port="{{ cred_store_port }}" protocol=tcp accept
+ with_items:
+ - "{{ credential_store_subnets }}"
+ become_user: root
+
+- name: allow all networks to access Airavata API Server over TLS
+ firewalld:
+ zone: public
+ permanent: yes
+ state: enabled
+ port: "{{ api_server_tls_port }}/tcp"
+ become_user: root
+
+- name: allow all networks to access Airavata Profile service
+ firewalld:
+ zone: public
+ permanent: yes
+ state: enabled
+ port: "{{ profile_service_port }}/tcp"
become_user: root
- name: Install api-orch systemd script
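Review bot: Every new firewalld task sets `permanent: yes` but drops the `immediate=yes` the removed task carried, so the rich rules are written only to the permanent configuration and the running firewall is unchanged until firewalld is reloaded; add `immediate: yes` under each `firewalld:` block here and in the database, env_setup, kafka broker, rabbitmq and zookeeper tasks (the kafka rest-proxy task already has it). Separately, the commit adds source-restricted rules but never removes the broad `port=…/tcp` entries the old tasks created, so on hosts already provisioned the permanent open ports presumably remain and the restriction has no effect until a matching `state: disabled` task (or a manual `firewall-cmd --remove-port`) clears them. `api_server_port` and `orchestrator_port` are no longer opened at all; if that is intentional, a comment saying so would save the next reader from treating it as an omission. The `permanent: yes` values are YAML 1.1 truthy spellings; `true` is the portable form.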
diff --git a/dev-tools/ansible/roles/database/tasks/main.yml b/dev-tools/ansible/roles/database/tasks/main.yml
index 775d405..a0b5016 100644
--- a/dev-tools/ansible/roles/database/tasks/main.yml
+++ b/dev-tools/ansible/roles/database/tasks/main.yml
@@ -142,7 +142,12 @@
- include: keycloak.yml
when: "'keycloak' in groups"
-- name: open firewall port {{ db_server_port }}
- firewalld: port="{{ db_server_port }}/tcp"
- zone=public permanent=true state=enabled immediate=yes
- become_user: root
+- name: allow only selected networks to access DB
+ firewalld:
+ zone: public
+ permanent: yes
+ state: enabled
+ rich_rule: rule family=ipv4 source address="{{ item }}" port port="{{ db_server_port }}" protocol=tcp accept
+ with_items:
+ - "{{ db_subnets }}"
+ become_user: root
diff --git a/dev-tools/ansible/roles/env_setup/tasks/main.yml b/dev-tools/ansible/roles/env_setup/tasks/main.yml
index 38abc04..5123fa8 100644
--- a/dev-tools/ansible/roles/env_setup/tasks/main.yml
+++ b/dev-tools/ansible/roles/env_setup/tasks/main.yml
@@ -70,4 +70,12 @@
command: firewall-cmd --zone=public --permanent --add-port=22/tcp
become: yes
when: ansible_os_family == "Debian"
+
+- name: allow all networks to access zabbix
+ firewalld:
+ zone: public
+ permanent: yes
+ state: enabled
+ port: 10050/tcp
+ become: yes
...
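Review bot: The new zabbix task opens 10050/tcp to all networks with `port:` while the inventory in this same commit defines `zabbix_subnets`; if the agent port is meant to be reachable only from the monitoring hosts, use a `rich_rule` over `zabbix_subnets` as the other roles do, otherwise drop the unused variable. The preceding task in this file drives `firewall-cmd` via `command:` guarded by `when: ansible_os_family == "Debian"`, which suggests the `firewalld` module was avoided on Debian hosts; the new task runs unconditionally, so confirm it works there or add the same guard. Like the other new tasks it lacks `immediate: yes`, so the rule only takes effect after a firewalld reload.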
diff --git a/dev-tools/ansible/roles/kafka/tasks/main.yml b/dev-tools/ansible/roles/kafka/tasks/main.yml
index f758b6f..45f406c 100644
--- a/dev-tools/ansible/roles/kafka/tasks/main.yml
+++ b/dev-tools/ansible/roles/kafka/tasks/main.yml
@@ -69,12 +69,23 @@
notify: restart kafka-rest-proxy
become: yes
-# Open kafka port to be accessible from outside
-- name: Open firwall ports
- firewalld: port={{ item }} zone=public permanent=true state=enabled immediate=yes
+- name: open kafka port
+ firewalld:
+ zone: public
+ permanent: yes
+ state: enabled
+ rich_rule: rule family=ipv4 source address="{{ item }}" port port={{ kafka_listener_port }} protocol=tcp accept
with_items:
- - "{{ kafka_listener_port }}/tcp"
- - "{{ kafka_rest_proxy_listener_port }}/tcp"
+ - "{{ kafka_subnets }}"
+ become: yes
+
+- name: open kafka rest proxy port
+ firewalld:
+ zone: public
+ permanent: yes
+ state: enabled
+ port: "{{ kafka_rest_proxy_listener_port }}/tcp"
+ immediate: yes
become: yes
- name: systemd install kafka service script
diff --git a/dev-tools/ansible/roles/rabbitmq/tasks/main.yml b/dev-tools/ansible/roles/rabbitmq/tasks/main.yml
index d71ffaa..05cbd52 100644
--- a/dev-tools/ansible/roles/rabbitmq/tasks/main.yml
+++ b/dev-tools/ansible/roles/rabbitmq/tasks/main.yml
@@ -29,11 +29,24 @@
yum: name=https://www.rabbitmq.com/releases/rabbitmq-server/v3.6.3/rabbitmq-server-3.6.3-1.noarch.rpm state=present
become: yes
-- name: open rabbitmq ports
- firewalld: port={{ item }} zone=public permanent=true state=enabled immediate=yes
+- name: allow only selected networks to access Airavata RabbitMQ
+ firewalld:
+ zone: public
+ permanent: yes
+ state: enabled
+ rich_rule: rule family=ipv4 source address="{{ item }}" port port="{{ rabbitmq_port }}" protocol=tcp accept
with_items:
- - "{{ rabbitmq_port }}/tcp"
- - "{{ management_plugin_port }}/tcp"
+ - "{{ rabbitmq_subnets }}"
+ become: yes
+
+- name: allow only selected networks to access Airavata RabbitMQ Management Console
+ firewalld:
+ zone: public
+ permanent: yes
+ state: enabled
+ rich_rule: rule family=ipv4 source address="{{ item }}" port port="{{ management_plugin_port }}" protocol=tcp accept
+ with_items:
+ - "{{ rabbitmq_subnets }}"
become: yes
- name: Edit /etc/hosts file
diff --git a/dev-tools/ansible/roles/zookeeper/tasks/main.yml b/dev-tools/ansible/roles/zookeeper/tasks/main.yml
index 2d2c303..728eca1 100644
--- a/dev-tools/ansible/roles/zookeeper/tasks/main.yml
+++ b/dev-tools/ansible/roles/zookeeper/tasks/main.yml
@@ -30,7 +30,13 @@
become: yes
- name: open zookeeper port
- firewalld: port=2181/tcp zone=public permanent=true state=enabled immediate=yes
+ firewalld:
+ zone: public
+ permanent: yes
+ state: enabled
+ rich_rule: rule family=ipv4 source address="{{ item }}" port port=2181 protocol=tcp accept
+ with_items:
+ - "{{ zk_subnets }}"
become: yes
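Review bot: The zookeeper port is hard-coded as `port port=2181` inside the rich rule while the other roles in this commit take their ports from variables; moving 2181 into a role variable would keep the firewall rule and any client configuration from drifting apart. As with the other rich-rule tasks, `immediate: yes` is missing, so the restriction is written to the permanent configuration only. The task's enclosing play continues outside the hunk.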
- name: Copy zoo.cfg file