TritonDataCenter/waferlock

In-zone firewall control agent for Triton and Manta postgres service instances

waferlock

This repository is part of the Triton Data Center and Manta projects. For contribution guidelines, issues, and general documentation, visit the main Triton and Manta project pages.

Waferlock is a node.js process that runs inside a Triton or Manta manatee zone ("manatee" service instances in Triton, "postgres" and "buckets-postgres" service instances in Manta) and restricts access to the postgres instance running there to the IPs that have been explicitly allowed.

The access-control mechanism is PostgreSQL's pg_hba.conf file (HBA stands for host-based authentication). Waferlock rewrites "/manatee/pg/data/pg_hba.conf" with the current set of allowed IPs and sends postgres a HUP (SIGHUP, which makes it reload the file) whenever that set changes. The set of IPs to allow is monitored, by polling, from two sources:

  1. Waferlock polls SAPI for current instances of configured service names (sapi_services config var in the config template).
  2. Waferlock polls ZK for domain nodes of configured domain names (domains config var in the config template).

The written config file is a base config file plus waferlock-added sections of the form:

# <tags>
host all all <ip> trust
host replication all <ip> trust

where <tags> records which SAPI and/or ZK entries the IP came from and <ip> is an IPv4 address in CIDR form (a single host is written as /32, per the PostgreSQL docs). Both lines use the "trust" authentication method, so any client connecting from an allowed address is accepted without a password, for every database and user and for streaming replication; the correctness of the SAPI/ZK-derived allowlist is therefore the whole access boundary. Note also that pg_hba.conf gates authentication at the postgres listener rather than filtering packets: a host that is not listed can still reach the port, but its connection is rejected at authentication time. Because pg_hba.conf is evaluated first-match, the base config must not contain an earlier, broader rule that would shadow these appended entries. For example:

# sapi:manta:buckets-postgres:eacbcaba-8b5b-4250-967a-8d2cbb7eccba, zk:/us/joyent/nightly/buckets-mdapi/2/eacbcaba-8b5b-4250-967a-8d2cbb7eccba
host  all  all  172.27.2.24/32  trust
host  replication  all  172.27.2.24/32  trust
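The following is an added example, not waferlock's own code, showing how the sections described above can be rendered from a base config plus a list of allowed-IP records, how records from SAPI and ZK that resolve to the same address collapse into one tagged section, and how the agent can decide whether a rewrite-and-HUP is needed at all. The `{tag, ip}` record shape and the sample records are assumptions made for illustration; the real agent builds its tags from SAPI instance and ZK domain-node lookups.

```javascript
// Added example (not waferlock's own code): render waferlock-style pg_hba.conf
// sections from a base config plus allowed-IP records, and decide whether
// postgres needs a HUP. The {tag, ip} record shape is an assumption.
'use strict';

const IPV4_RE = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/;

// Validate a dotted-quad IPv4 address and return it in /32 CIDR form, which
// is what the pg_hba.conf ADDRESS field expects for a single host. Anything
// else throws, so a malformed record cannot become an over-broad or
// unparseable entry (a bad line makes postgres reject the whole file).
function toCidr32(ip) {
  const m = IPV4_RE.exec(ip);
  if (!m) throw new Error('not an IPv4 address: ' + ip);
  for (let i = 1; i <= 4; i++) {
    if (Number(m[i]) > 255) throw new Error('octet out of range: ' + ip);
  }
  return ip + '/32';
}

// Group records by address so an IP seen in both SAPI and ZK gets a single
// pair of "host" lines with a combined tag comment, as in the README example.
function groupByIp(records) {
  const byIp = new Map();
  for (const r of records) {
    const cidr = toCidr32(r.ip);
    if (!byIp.has(cidr)) byIp.set(cidr, []);
    byIp.get(cidr).push(r.tag);
  }
  return byIp;
}

// Base config followed by one waferlock section per allowed IP. Both the
// ordinary and the replication connection types use "trust", i.e. clients
// from these addresses are accepted without a password.
function renderHba(baseConfig, records) {
  const lines = [baseConfig.trimEnd(), ''];
  const byIp = groupByIp(records);
  const ips = Array.from(byIp.keys()).sort();
  for (const cidr of ips) {
    const tags = byIp.get(cidr).slice().sort();
    lines.push('# ' + tags.join(', '));
    lines.push('host  all  all  ' + cidr + '  trust');
    lines.push('host  replication  all  ' + cidr + '  trust');
    lines.push('');
  }
  return lines.join('\n');
}

// Only rewrite the file and signal postgres when the rendered content differs
// from what is already on disk; polling alone must not cause reloads.
function needsReload(previousContent, baseConfig, records) {
  const next = renderHba(baseConfig, records);
  return { changed: next !== previousContent, content: next };
}

// Constructed sample input (not real Triton/Manta records). The first two
// tags are the ones shown in the README; the third is a made-up placeholder.
const BASE = [
  '# TYPE  DATABASE  USER  ADDRESS  METHOD',
  'local   all       all            trust',
].join('\n');

const SAMPLE_RECORDS = [
  { tag: 'sapi:manta:buckets-postgres:eacbcaba-8b5b-4250-967a-8d2cbb7eccba', ip: '172.27.2.24' },
  { tag: 'zk:/us/joyent/nightly/buckets-mdapi/2/eacbcaba-8b5b-4250-967a-8d2cbb7eccba', ip: '172.27.2.24' },
  { tag: 'sapi:manta:postgres:00000000-0000-0000-0000-000000000002', ip: '172.27.2.30' },
];

// Demo: first run against an empty file always needs a reload; a second run
// with unchanged records does not.
const first = needsReload('', BASE, SAMPLE_RECORDS);
console.log(first.content);
console.log('reload needed:', first.changed);
console.log('reload needed again:', needsReload(first.content, BASE, SAMPLE_RECORDS).changed);
```

The rendered text is compared byte-for-byte with the previous contents before anything is written, so a poll that returns the same instances is a no-op; when an instance disappears from SAPI or ZK the address drops out of the rendered file, the comparison flags a change, and the HUP is what actually revokes access.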
