1387483 – remove reverse DNS validation in kobo.hub.decorators.validate_worker()

Note: This is a public test instance of Red Hat Bugzilla. The data contained within is a snapshot of the live data so any changes you make will not be reflected in the production Bugzilla. Email is disabled so feel free to test any aspect of the site that you want. File any problems you find or give feedback at bugzilla.redhat.com.

Bug 1387483 - remove reverse DNS validation in kobo.hub.decorators.validate_worker()

Summary: remove reverse DNS validation in kobo.hub.decorators.validate_worker()

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Fedora
Classification:	Fedora
Component:	kobo
Sub Component:
Version:	26
Hardware:	Unspecified
OS:	Unspecified
Priority:	unspecified
Severity:	unspecified
Target Milestone:	---
Assignee:	Daniel Mach
QA Contact:	Fedora Extras Quality Assurance
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2016-10-21 03:14 UTC by Yuxiang Zhu
Modified:	2017-09-30 06:19 UTC (History)
CC List:	2 users (show)
Fixed In Version:	kobo-0.6.0-1.el7 kobo-0.6.0-1.fc26 kobo-0.6.0-1.fc25 kobo-0.6.0-1.el6 kobo-0.6.0-1.fc27
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:	2017-09-26 20:52:30 UTC
Type:	Bug
Embargoed:
Dependent Products:

Attachments	(Terms of Use)

Description Yuxiang Zhu 2016-10-21 03:14:03 UTC

Description of problem:

Current version of Kobo uses socket.getfqdn() which collects the worker's source IP address and look it up in DNS. If the PTR record of that IP address in DNS doesn't match the username it claims, Hub will fail and complain "Worker's FQDN (...) doesn't match username (...)".

I don't think it is a good idea to validate the reverse DNS (PTR record).
1. Unless you are the NS administrator of that IP address or operate your own local NS servers, it is impossible to control the PTR record of an IP address. It is unreliable to use an external DNS.
2. We are able to have multiple domain names that point to the same IP address, but an IP address can only have a single PTR record. It is common to run several services on a single host but you can't match the PTR record with every domain names.
3. It is also impossible to run a worker behind NAT...
4. I believe it is safe enough to allow a worker ti connect with correct credential. 

Version-Release number of selected component (if applicable):
master branch

Comment 1 Kamil Dudka 2016-10-21 08:40:15 UTC

We used an entry in /etc/hosts to work around this.  Not sure if it covers all the cases though...

Comment 2 Yuxiang Zhu 2016-10-21 14:57:28 UTC

Any consideration to remove the validation? It will be very helpful to run Kobo based application on Docker or other cloud computing platform.

This patch may help.

From aa90390785557684e539ab85c68e8446bca5fdc9 Mon Sep 17 00:00:00 2001
From: Rayson zhu <vfreex+git>
Date: Fri, 21 Oct 2016 22:50:26 +0800
Subject: [PATCH] remove reverse DNS validation for Kobo worker

---
 kobo/hub/decorators.py | 5 -----
 1 file changed, 5 deletions(-)

diff --git a/kobo/hub/decorators.py b/kobo/hub/decorators.py
index 2bc64e5..d54bb11 100644
--- a/kobo/hub/decorators.py
+++ b/kobo/hub/decorators.py
@@ -16,11 +16,6 @@ def validate_worker(func):
         if getattr(request, 'worker', None) is None:
             raise SuspiciousOperation("User doesn't match any worker: %s" % request.user.username)
 
-        fqdn = socket.getfqdn(request.META["REMOTE_ADDR"])
-        prefix, hostname = request.user.username.split("/", 1)
-        if hostname != fqdn:
-            raise SuspiciousOperation("Worker's FQDN (%s) doesn't match username (%s)" % (fqdn, hostname))
-
         return func(request, *args, **kwargs)
 
     _new_func.__name__ = func.__name__
-- 
2.7.4

Comment 3 Daniel Mach 2016-10-27 08:01:21 UTC

Fixed upstream: https://github.com/release-engineering/kobo/commit/6d83e409dcf56806b433c10012717b3551c69a4f

Moving to MODIFIED until I build a new kobo build in koji.

Comment 4 Yuxiang Zhu 2016-10-27 09:01:29 UTC

(In reply to Daniel Mach from comment #3)
> Fixed upstream:
> https://github.com/release-engineering/kobo/commit/
> 6d83e409dcf56806b433c10012717b3551c69a4f
> 
> Moving to MODIFIED until I build a new kobo build in koji.

Thank you. That'll be very helpful!

Comment 5 Fedora End Of Life 2017-02-28 10:29:10 UTC

This bug appears to have been reported against 'rawhide' during the Fedora 26 development cycle.
Changing version to '26'.

Comment 6 Fedora Update System 2017-09-06 03:54:49 UTC

kobo-0.6.0-1.fc27 has been submitted as an update to Fedora 27. https://bodhi.fedoraproject.org/updates/FEDORA-2017-37ed4d4db6

Comment 7 Fedora Update System 2017-09-06 03:55:03 UTC

kobo-0.6.0-1.el7 has been submitted as an update to Fedora EPEL 7. https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2017-0579784f53

Comment 8 Fedora Update System 2017-09-06 03:55:14 UTC

kobo-0.6.0-1.fc26 has been submitted as an update to Fedora 26. https://bodhi.fedoraproject.org/updates/FEDORA-2017-6b7dcfe861

Comment 9 Fedora Update System 2017-09-06 03:55:24 UTC

kobo-0.6.0-1.el6 has been submitted as an update to Fedora EPEL 6. https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2017-57639ea44b

Comment 10 Fedora Update System 2017-09-06 03:55:34 UTC

kobo-0.6.0-1.fc25 has been submitted as an update to Fedora 25. https://bodhi.fedoraproject.org/updates/FEDORA-2017-bc3c16a54f

Comment 11 Fedora Update System 2017-09-06 22:24:03 UTC

kobo-0.6.0-1.fc25 has been pushed to the Fedora 25 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-bc3c16a54f

Comment 12 Fedora Update System 2017-09-06 22:30:08 UTC

kobo-0.6.0-1.fc26 has been pushed to the Fedora 26 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-6b7dcfe861

Comment 13 Fedora Update System 2017-09-06 22:49:06 UTC

kobo-0.6.0-1.el6 has been pushed to the Fedora EPEL 6 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2017-57639ea44b

Comment 14 Fedora Update System 2017-09-07 12:18:26 UTC

kobo-0.6.0-1.el7 has been pushed to the Fedora EPEL 7 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2017-0579784f53

Comment 15 Fedora Update System 2017-09-07 14:32:12 UTC

kobo-0.6.0-1.fc27 has been pushed to the Fedora 27 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-37ed4d4db6

Comment 16 Fedora Update System 2017-09-26 20:52:30 UTC

kobo-0.6.0-1.el7 has been pushed to the Fedora EPEL 7 stable repository. If problems still persist, please make note of it in this bug report.

Comment 17 Fedora Update System 2017-09-26 23:54:04 UTC

kobo-0.6.0-1.fc26 has been pushed to the Fedora 26 stable repository. If problems still persist, please make note of it in this bug report.

Comment 18 Fedora Update System 2017-09-27 05:25:47 UTC

kobo-0.6.0-1.fc25 has been pushed to the Fedora 25 stable repository. If problems still persist, please make note of it in this bug report.

Comment 19 Fedora Update System 2017-09-27 08:18:31 UTC

kobo-0.6.0-1.el6 has been pushed to the Fedora EPEL 6 stable repository. If problems still persist, please make note of it in this bug report.

Comment 20 Fedora Update System 2017-09-30 06:19:01 UTC

kobo-0.6.0-1.fc27 has been pushed to the Fedora 27 stable repository. If problems still persist, please make note of it in this bug report.

Note You need to log in before you can comment on or make changes to this bug.