Details
Type: New Feature
Status: Closed
Priority: Major
Resolution: Fixed
Sprint: MXS-SPRINT-196, MXS-SPRINT-197, MXS-SPRINT-198, MXS-SPRINT-199
Description
Add settings admin_readwrite_hosts and admin_readonly_hosts which limit the hostnames/IPs from which admin (REST-API) clients can log in.
Original description:
For security reasons, we want to restrict the --type=admin users remotely to specific IPs only, and we want to restrict only the admin users, as we don't want to run any admin commands by mistake.
Can you please implement restricting MaxScale users to localhost or a specific host only, like MariaDB? The restriction should work for the GUI too: if we restrict the admin user to localhost then it should not be able to log in through the GUI either.
And also, can we change the parameter to allow multiple comma-separated values?
admin_host = localhost,192.169.101.10, testmax102
EX1: the admin user should have access only from localhost, like MariaDB root@localhost.
EX2: if user test_admin_user has --type=admin then it should be restricted to specific IPs, like test_admin_user@'192.168.101.1', test_admin_user@'192.168.101.2' and test_admin_user@'192.168.101.3'; then the user should only work from these IPs, like in MariaDB, where we restrict to specific server IPs only.
EX3: if user test_read_only has --type=basic, as it's a read-only user, then the user can work from anywhere, like MariaDB test_read_only@'%' access.
NOTE: We don't need to change anything for AD users (PAM users). Please keep it as it is for AD; there won't be any changes required for AD users. Anyhow, we will restrict those using the "admin_pam_readonly_service" option in the maxscale.cnf file, so it will act as read-only for all the PAM users.
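The following is an added illustration of how the two settings from the description divide REST-API logins, written for this page and not taken from MaxScale's source. It parses a constructed maxscale.cnf fragment that encodes the reporter's three examples (read-write admins from localhost plus three fixed IPs, read-only users from anywhere) and decides whether a login from a given client address may proceed. Everything beyond the setting names and their purpose is an assumption made here: that the values are comma-separated host lists in the [maxscale] section, that a MariaDB-style `%` wildcard is honoured, that `localhost` covers the loopback addresses 127.0.0.1 and ::1, and that a missing setting means no restriction. Check the documentation of your MaxScale version for the exact syntax it accepts.

```python
"""Model of host-restricted REST-API logins in the spirit of MaxScale's
admin_readwrite_hosts / admin_readonly_hosts settings.

Added example for this page, NOT MaxScale's own code. Assumed here (not
stated in the issue): comma-separated host lists in [maxscale], a
MariaDB-style '%' wildcard, 'localhost' == loopback, missing setting == '%'.
"""
import configparser
import ipaddress
import re
from typing import List, Optional

# Constructed maxscale.cnf fragment covering the reporter's EX1..EX3:
# read-write (--type=admin) users only from localhost and three fixed IPs,
# read-only (--type=basic) users from anywhere, like MariaDB's user@'%'.
MAXSCALE_CNF = """
[maxscale]
threads=auto
admin_readwrite_hosts=localhost, 192.168.101.1, 192.168.101.2, 192.168.101.3
admin_readonly_hosts=%
"""


def parse_host_list(value: str) -> List[str]:
    """Split a comma-separated host list, dropping blanks and whitespace."""
    return [h.strip() for h in value.split(",") if h.strip()]


def _pattern_to_regex(pattern: str) -> "re.Pattern":
    """Turn a host pattern into an anchored, case-insensitive regex.
    Only '%' (any run of characters) is treated as a wildcard; this is an
    assumption modelled on MariaDB account hosts."""
    parts = [".*" if ch == "%" else re.escape(ch) for ch in pattern]
    return re.compile("^" + "".join(parts) + "$", re.IGNORECASE)


def host_matches(pattern: str, client_ip: str,
                 client_host: Optional[str] = None) -> bool:
    """True if the client's IP, or its already-resolved hostname when the
    caller supplies one, matches a single entry from an admin_*_hosts list."""
    addr = ipaddress.ip_address(client_ip)  # raises ValueError on garbage
    # Assumption: 'localhost' admits any loopback address (127.0.0.1, ::1).
    if pattern.lower() == "localhost" and addr.is_loopback:
        return True
    regex = _pattern_to_regex(pattern)
    candidates = [client_ip] + ([client_host] if client_host else [])
    return any(regex.match(c) for c in candidates)


def login_allowed(cnf_text: str, read_only: bool, client_ip: str,
                  client_host: Optional[str] = None) -> bool:
    """Decide whether a REST-API login from client_ip may proceed.

    read_only=False models a --type=admin user (admin_readwrite_hosts);
    read_only=True models a --type=basic user (admin_readonly_hosts).
    """
    # interpolation=None: a bare '%' value would otherwise be read as a
    # configparser interpolation marker and raise.
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(cnf_text)
    key = "admin_readonly_hosts" if read_only else "admin_readwrite_hosts"
    allowed = parse_host_list(cfg["maxscale"].get(key, "%"))
    return any(host_matches(p, client_ip, client_host) for p in allowed)


if __name__ == "__main__":
    cases = [
        ("admin from 127.0.0.1", False, "127.0.0.1"),
        ("admin from 192.168.101.2", False, "192.168.101.2"),
        ("admin from 10.0.0.5", False, "10.0.0.5"),
        ("basic from 10.0.0.5", True, "10.0.0.5"),
    ]
    for label, ro, ip in cases:
        verdict = "allowed" if login_allowed(MAXSCALE_CNF, ro, ip) else "denied"
        print(f"{label}: {verdict}")
```

Two practical caveats when applying a host list like this: a hostname entry such as testmax102 only helps if the server can resolve the peer address back to that name, which the example leaves to the caller, and if MaxScale sits behind a load balancer or reverse proxy the peer address it sees is the proxy's, so per-client restrictions must then be enforced at the proxy instead.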