openziti / ziti

The parent project for OpenZiti. Here you will find the executables for a fully zero trust, application embedded, programmable network @OpenZiti
https://openziti.io
Apache License 2.0

Update policy advisor to look for cases where tunneler identity has access to a service but service doesn't have access to router #1366

Open plorenz opened 1 year ago

plorenz commented 1 year ago

You could have a case where a service could have access to an edge router, and the tunneler edge router identity has access to the same edge router, but it won't be able to host because the service doesn't have access to it. The policy advisor won't find this though, because they have access to a common edge router.

Alternately, we could ignore identities of type router in edge router policies except for the system-generated policy.

Should potentially take this into account when creating an edge session as well.

qrkourier commented 1 month ago

I also encountered this issue with a tunneler edge router identity (ER/T) acting as a dialing client. The client identity got "failed to dial fabric" because it must use its attached parent router, ignoring the ERP with #all identities.

ERP: #all/#all
SERP: #all/#public

The attached, parent router did not match the SERP (lacking #public), so its child client tunneler could not dial the service.
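To make the gap both comments describe concrete, here is a small added model of the advisor check (example code written for this discussion, not OpenZiti's own policy advisor). It assumes simplified roles where `#all` is the only special role, and models an ER/T identity as one whose usable router set is exactly its attached parent router (the access granted by the system-generated policy), which is what the issue says the advisor currently ignores. The router, policy and identity names are constructed for the qrkourier scenario: ERP `#all/#all`, SERP `#all/#public`, parent router lacking `#public`.

```python
"""Toy model of the policy-advisor gap: any-common-router check vs. parent-router-aware check.

Constructed example, not OpenZiti code. Roles are plain strings such as "#public";
"#all" matches every entity. An identity with parent_router set is an ER/T identity.
"""
from dataclasses import dataclass, field
from typing import Optional, Set, List


@dataclass
class Router:
    name: str
    attrs: Set[str] = field(default_factory=set)


@dataclass
class Identity:
    name: str
    attrs: Set[str] = field(default_factory=set)
    # Set only for tunneler edge router (ER/T) identities: the router they must dial/host through.
    parent_router: Optional[str] = None


@dataclass
class Service:
    name: str
    attrs: Set[str] = field(default_factory=set)


@dataclass
class Policy:
    """An edge router policy (subject = identity) or service edge router policy (subject = service)."""
    subject_roles: Set[str]
    router_roles: Set[str]


def matches(roles: Set[str], attrs: Set[str]) -> bool:
    """A role set matches an entity if it is #all or shares a role with the entity's attributes."""
    return "#all" in roles or bool(roles & attrs)


def routers_for(subject_attrs: Set[str], policies: List[Policy], routers: List[Router]) -> Set[str]:
    """Routers a subject (identity or service) is granted under the given policies."""
    granted = set()
    for pol in policies:
        if matches(pol.subject_roles, subject_attrs):
            granted |= {r.name for r in routers if matches(pol.router_roles, r.attrs)}
    return granted


def naive_advice(identity: Identity, service: Service, erps, serps, routers) -> bool:
    """The check as described in the issue: pass if identity and service share any router."""
    common = routers_for(identity.attrs, erps, routers) & routers_for(service.attrs, serps, routers)
    return bool(common)


def parent_aware_advice(identity: Identity, service: Service, erps, serps, routers) -> bool:
    """Proposed check: an ER/T identity can only use its parent router (granted by the
    system-generated policy), so that specific router must also be in the service's set."""
    if identity.parent_router is not None:
        ident_routers = {identity.parent_router}
    else:
        ident_routers = routers_for(identity.attrs, erps, routers)
    common = ident_routers & routers_for(service.attrs, serps, routers)
    return bool(common)


# Constructed scenario matching the comment above: parent router has no #public attribute.
ROUTERS = [Router("router-public", {"#public"}), Router("router-parent", set())]
ERPS = [Policy({"#all"}, {"#all"})]        # ERP: #all/#all
SERPS = [Policy({"#all"}, {"#public"})]    # SERP: #all/#public
ERT_IDENTITY = Identity("ert-client", parent_router="router-parent")
SERVICE = Service("example-service")


if __name__ == "__main__":
    print("naive advisor says OK:        ", naive_advice(ERT_IDENTITY, SERVICE, ERPS, SERPS, ROUTERS))
    print("parent-aware advisor says OK: ", parent_aware_advice(ERT_IDENTITY, SERVICE, ERPS, SERPS, ROUTERS))
```

Running the script shows the naive check passing (the identity and service share `router-public`) while the parent-aware check fails, which is the "failed to dial fabric" situation: the only router the ER/T identity can actually use is its parent, and the SERP does not grant that router to the service. A regular identity without a parent router yields the same answer from both checks.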