lsst-uk / somerville-operations

User issue reporting and tracking for the Somerville Cloud

Command line API ports need to be open #121

Closed Zarquan closed 8 months ago

Zarquan commented 1 year ago

Reading the wiki page on command line access, it looks like the intention was to allow command line access for external users without requiring them to use the Edinburgh VPN. In which case, you need to open up some additional network ports for inbound traffic.

Port 9000 is open for external access, but Openstack uses a range of additional ports for the different API services.

The full list of API service endpoints for Somerville are listed here: https://somerville.ed.ac.uk/project/api_access/

Zarquan commented 1 year ago

If you want to test it, our project has a list-all script that tries to list all the resources allocated to a project. https://github.com/wfau/gaia-dmp/blob/master/deployments/openstack/bin/list-all.sh

Which gets the following connection errors when run outside the Edinburgh VPN network.

---- ----
Magnum clusters
Unable to establish connection to https://somerville.ed.ac.uk:9511/v1/clusters: HTTPSConnectionPool(host='somerville.ed.ac.uk', port=9511): Max retries exceeded with url: /v1/clusters (Caused by NewConnectionError('<urllib3.connection.HTTPSConnection object at 0x7f164e774950>: Failed to establish a new connection: [Errno 111] Connection refused'))

---- ----
Nova servers
Failed to contact the endpoint at https://somerville.ed.ac.uk:9292 for discovery. Fallback to using that endpoint as the base url.
Failed to contact the endpoint at https://somerville.ed.ac.uk:9292 for discovery. Fallback to using that endpoint as the base url.
The image service for somerville-jade:RegionOne exists but does not have any supported versions.

---- ----
Cinder volumes
Unable to establish connection to https://somerville.ed.ac.uk:8651/v3/be227fe0300b4ce5b03f44264df615df/volumes/detail: HTTPSConnectionPool(host='somerville.ed.ac.uk', port=8651): Max retries exceeded with url: /v3/be227fe0300b4ce5b03f44264df615df/volumes/detail (Caused by NewConnectionError('<urllib3.connection.HTTPSConnection object at 0x7f77209476d0>: Failed to establish a new connection: [Errno 111] Connection refused'))

---- ----
Manila shares
HTTPSConnectionPool(host='somerville.ed.ac.uk', port=3205): Max retries exceeded with url: /v2/be227fe0300b4ce5b03f44264df615df/shares/detail (Caused by NewConnectionError('<urllib3.connection.HTTPSConnection object at 0x7fadcbb21b10>: Failed to establish a new connection: [Errno 111] Connection refused'))

---- ----
Floating addresses
Unable to establish connection to https://somerville.ed.ac.uk:9696/v2.0/floatingips: HTTPSConnectionPool(host='somerville.ed.ac.uk', port=9696): Max retries exceeded with url: /v2.0/floatingips (Caused by NewConnectionError('<urllib3.connection.HTTPSConnection object at 0x7f8945899090>: Failed to establish a new connection: [Errno 111] Connection refused'))

---- ----
Load balancers
Unable to establish connection to https://somerville.ed.ac.uk:3890/v2.0/lbaas/loadbalancers: HTTPSConnectionPool(host='somerville.ed.ac.uk', port=3890): Max retries exceeded with url: /v2.0/lbaas/loadbalancers (Caused by NewConnectionError('<urllib3.connection.HTTPSConnection object at 0x7f91928e6bd0>: Failed to establish a new connection: [Errno 111] Connection refused'))

---- ----
Routers
Unable to establish connection to https://somerville.ed.ac.uk:9696/v2.0/routers: HTTPSConnectionPool(host='somerville.ed.ac.uk', port=9696): Max retries exceeded with url: /v2.0/routers (Caused by NewConnectionError('<urllib3.connection.HTTPSConnection object at 0x7f475473f890>: Failed to establish a new connection: [Errno 111] Connection refused'))

---- ----
Networks
Unable to establish connection to https://somerville.ed.ac.uk:9696/v2.0/networks: HTTPSConnectionPool(host='somerville.ed.ac.uk', port=9696): Max retries exceeded with url: /v2.0/networks (Caused by NewConnectionError('<urllib3.connection.HTTPSConnection object at 0x7f26c66565d0>: Failed to establish a new connection: [Errno 111] Connection refused'))

---- ----
Subnets
Unable to establish connection to https://somerville.ed.ac.uk:9696/v2.0/subnets: HTTPSConnectionPool(host='somerville.ed.ac.uk', port=9696): Max retries exceeded with url: /v2.0/subnets (Caused by NewConnectionError('<urllib3.connection.HTTPSConnection object at 0x7f955986c6d0>: Failed to establish a new connection: [Errno 111] Connection refused'))

---- ----
Security groups
Unable to establish connection to https://somerville.ed.ac.uk:9696/v2.0/security-groups: HTTPSConnectionPool(host='somerville.ed.ac.uk', port=9696): Max retries exceeded with url: /v2.0/security-groups?fields=id&fields=name&fields=description&fields=project_id&fields=tags (Caused by NewConnectionError('<urllib3.connection.HTTPSConnection object at 0x7f41be1fd510>: Failed to establish a new connection: [Errno 111] Connection refused'))

GregBlow commented 1 year ago

Good afternoon,

As with your other issue, these ports should be accessible, but from a range of addresses on an allowlist, to avoid exposing the API and project instances to the wider internet while allowing remote access. Typically we have added a set of address ranges corresponding to ranges owned by an institution (e.g. VPN).

What are your requirements for access please?

Regards,

Greg

Zarquan commented 1 year ago

What are your requirements for access please?

Public internet access.

Zarquan commented 1 year ago

Allowing the Horizon GUI and only some of the command line API, but not the rest, doesn't make sense. Are different parts of the Openstack API more / less secure than others? They all use the same authentication mechanism.

Zarquan commented 1 year ago

Could you add 90.155.51.57/32 and 81.187.152.17/28 to the white list please.

astrodb commented 1 year ago

@Zarquan Why do you want fully open access to the API endpoints? Do your users need access to your OpenStack project controls?

Limiting to a subset does make sense as it limits total exposure. Sure, they all share the same authentication mechanism, but they don't all share the same capacity for vulnerabilities/abuse.

Adding your subnets can be done.

Zarquan commented 1 year ago

Our users don't need API access, but as a developer I do. Adding my subnet will solve the problem for me, but if Somerville wants to provide general use cloud for IRIS projects, you will need to add special cases for every department.

Zarquan commented 1 year ago

Either way, you should document all the restrictions you impose and the process projects need to jump through to get access. At the moment your documentation just points to the Openstack CLI documentation, without any caveats, which implies your cloud is open and easy to use. Just login and go.

Dealing with undocumented firewall issues is using up my time. Time I should be using on more productive things like our RSAP request.

astrodb commented 1 year ago

Fair point, we will update the documentation accordingly.

Zarquan commented 1 year ago

ping? Any news on adding my addresses to the firewall?

GregBlow commented 1 year ago

Hello.

Sorry, I thought I responded to this yesterday when I also self-assigned and responded to your other ticket (which has the IP address response).

Here are the ports that the somerville API access rule provides:

icmp ssh 3205 3890 6080 6443 8000 8004 8443 8651 8774 8780 9001 9292 9311 9511 9696

Regards,

Greg
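
The connection errors quoted earlier in this thread and the port list in this reply are enough to run a simple check: which of the ports that failed are supposed to be covered by the API access rule (in which case a refused connection points at the client address not being on the allowlist), and which are not covered at all. The script below is an added example, not code from this thread or from the gaia-dmp list-all script. The host cloud.example.org, the "Placement" section on port 8778 and the two CIDR entries are constructed placeholders; the port list is the one quoted in this reply. The CIDR check is there because allowlist entries with host bits set (an address with a /28 that is not on a 16-address boundary) get silently widened by most firewalls to the aligned network, which is usually not what the requester meant.

```python
"""Compare OpenStack CLI connection failures against a firewall allowlist rule.

Added example for the Somerville issue thread; not the project's own tooling.
"""
import ipaddress
import re
from collections import defaultdict

# Constructed sample output in the same shape as the list-all errors quoted in
# the thread (host, project id and object addresses replaced). The Placement
# section is made up to exercise the "port not in rule" branch.
SAMPLE_OUTPUT = """\
---- ----
Magnum clusters
Unable to establish connection to https://cloud.example.org:9511/v1/clusters: HTTPSConnectionPool(host='cloud.example.org', port=9511): Max retries exceeded with url: /v1/clusters (Caused by NewConnectionError('<urllib3.connection.HTTPSConnection object at 0x1>: Failed to establish a new connection: [Errno 111] Connection refused'))
---- ----
Nova servers
Failed to contact the endpoint at https://cloud.example.org:9292 for discovery. Fallback to using that endpoint as the base url.
---- ----
Cinder volumes
Unable to establish connection to https://cloud.example.org:8651/v3/PROJECT/volumes/detail: HTTPSConnectionPool(host='cloud.example.org', port=8651): Max retries exceeded with url: /v3/PROJECT/volumes/detail (Caused by NewConnectionError('<urllib3.connection.HTTPSConnection object at 0x2>: Failed to establish a new connection: [Errno 111] Connection refused'))
---- ----
Networks
Unable to establish connection to https://cloud.example.org:9696/v2.0/networks: HTTPSConnectionPool(host='cloud.example.org', port=9696): Max retries exceeded with url: /v2.0/networks (Caused by NewConnectionError('<urllib3.connection.HTTPSConnection object at 0x3>: Failed to establish a new connection: [Errno 111] Connection refused'))
---- ----
Placement
Unable to establish connection to https://cloud.example.org:8778/: HTTPSConnectionPool(host='cloud.example.org', port=8778): Max retries exceeded with url: / (Caused by NewConnectionError('<urllib3.connection.HTTPSConnection object at 0x4>: Failed to establish a new connection: [Errno 111] Connection refused'))
"""

# The ports the thread says the "somerville API access" rule provides.
ALLOWLIST_RULE = "icmp ssh 3205 3890 6080 6443 8000 8004 8443 8651 8774 8780 9001 9292 9311 9511 9696"

# Matches either the urllib3 "port=NNNN" field or the port in an https URL.
PORT_RE = re.compile(r"port=(\d+)|https://[^/\s:]+:(\d+)")


def parse_failures(text):
    """Return {port: set(service names)} for every failing section.

    Sections are separated by '---- ----' lines; the first non-blank line after
    a separator is the service name, the remaining lines are CLI error output.
    """
    failures = defaultdict(set)
    service = None
    for line in text.splitlines():
        if line.startswith("---- ----"):
            service = None
            continue
        if service is None:
            if line.strip():
                service = line.strip()
            continue
        for m in PORT_RE.finditer(line):
            failures[int(m.group(1) or m.group(2))].add(service)
    return dict(failures)


def rule_ports(rule):
    """Split a rule string into numeric ports and named entries (icmp, ssh)."""
    ports, names = set(), set()
    for tok in rule.split():
        if tok.isdigit():
            ports.add(int(tok))
        else:
            names.add(tok)
    return ports, names


def compare(failures, rule):
    """Ports that failed but are in the rule (client address probably not
    allowlisted) versus ports that failed and the rule does not cover."""
    allowed, _ = rule_ports(rule)
    covered = {p for p in failures if p in allowed}
    uncovered = {p for p in failures if p not in allowed}
    return covered, uncovered


def check_allowlist_entry(entry):
    """Validate a CIDR before it goes into a firewall allowlist.

    strict=True rejects a prefix with host bits set; we report the aligned
    network the firewall would actually use so the requester can confirm it.
    """
    try:
        net = ipaddress.ip_network(entry, strict=True)
        return {"ok": True, "entry": entry, "addresses": net.num_addresses}
    except ValueError:
        pass
    try:
        aligned = ipaddress.ip_network(entry, strict=False)
    except ValueError:
        return {"ok": False, "entry": entry, "reason": "not a valid network"}
    return {"ok": False, "entry": entry,
            "reason": f"host bits set; aligned network is {aligned}"}


if __name__ == "__main__":
    fails = parse_failures(SAMPLE_OUTPUT)
    covered, uncovered = compare(fails, ALLOWLIST_RULE)
    for port in sorted(fails):
        status = ("in rule: client address likely not allowlisted"
                  if port in covered else "NOT in rule")
        print(f"{port:>5}  {', '.join(sorted(fails[port]))}: {status}")
    # Constructed TEST-NET entries; the second has host bits set in a /28.
    for entry in ("198.51.100.57/32", "203.0.113.17/28"):
        print(check_allowlist_entry(entry))
```

Run against the real list-all output, the result for this thread would be that every refused port is already in the rule, which is consistent with the reply above: the rule exists, the client network simply is not on its address allowlist. Any port that turns up as "NOT in rule" is a separate firewall change to request.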

Zarquan commented 1 year ago

Public access or are they restricted to white-listed client addresses?

Zarquan commented 1 year ago

The Horizon web UI and the authentication service on port 5000 are public.

Zarquan commented 1 year ago

What is the process for getting the other services certified as safe enough for public access?

astrodb commented 1 year ago

Ask us here, and I'll look into it.

What ports/services do you want public?

astrodb commented 8 months ago

No longer needed.