Comments (3)
Current Policy gives everyone access everywhere. Afterwards:
- `addresses`, `makers`, `validators`, `observers`, `bootnodes/addresses` should be `read` access for all nodes. `write` access for the owners. `broadcast_role_info` is where quorum writes the node address to Vault
- `keys`, `passwords`, `bootnodes/keys`, `bootnodes/passwords` are private data, only accessible by the owner. Full RWU access for owners, nothing elsewhere
- File which assigns policies: generate-setup-vault, actual line
- Right now we make one IAM role per region that has nodes. That breaks down because nodes are being identified by that IAM Role, and we need diff nodes to have diff identities. Instead create one IAM role for each node -- from AWS's view, they all act the same and should have the same policy, but we need them to be distinguishable from Vault.
- Script calling generate-setup-vault
from terraform-aws-quorum-cluster.
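The access model from the comment above, rendered as one Vault policy per node and checked for cross-node isolation. This is an added example, not part of the original issue or the project's code. It assumes KV version 1 style paths of the form `quorum/<category>/<node_id>` and node ids such as `node-0` (both hypothetical), and maps "RWU" to Vault's `create`, `read` and `update` capabilities.

```python
# Added example. ASSUMPTION: secrets live at quorum/<category>/<node_id>;
# the mount name and the node ids are hypothetical, not taken from the project.

PUBLIC = ["addresses", "makers", "validators", "observers", "bootnodes/addresses"]
PRIVATE = ["keys", "passwords", "bootnodes/keys", "bootnodes/passwords"]
RWU = ["create", "read", "update"]  # "RWU" from the comment, as Vault capabilities


def node_rules(node_id, mount="quorum"):
    """Return {path_pattern: capabilities} for a single node's policy."""
    rules = {}
    for cat in PUBLIC:
        rules[f"{mount}/{cat}/*"] = ["read"]        # every node may read
        rules[f"{mount}/{cat}/{node_id}"] = RWU     # the owner may also write
    for cat in PRIVATE:
        rules[f"{mount}/{cat}/{node_id}"] = RWU     # owner only, no wildcard rule
    return rules


def render_hcl(rules):
    """Render the rules as a Vault policy document (HCL)."""
    blocks = []
    for path, caps in sorted(rules.items()):
        cap_list = ", ".join(f'"{c}"' for c in caps)
        blocks.append(f'path "{path}" {{\n  capabilities = [{cap_list}]\n}}')
    return "\n\n".join(blocks) + "\n"


def allowed(rules, path, capability):
    """Simplified Vault matching: exact path first, then the longest
    trailing-* prefix; anything unmatched is denied by default."""
    if path in rules:
        return capability in rules[path]
    prefixes = [p[:-1] for p in rules
                if p.endswith("*") and path.startswith(p[:-1])]
    if not prefixes:
        return False
    return capability in rules[max(prefixes, key=len) + "*"]


if __name__ == "__main__":
    policy = node_rules("node-0")
    print(render_hcl(policy))
    # Isolation check: node-0's policy must not reach node-1's private data.
    for cat in PRIVATE:
        assert not allowed(policy, f"quorum/{cat}/node-1", "read")
```

Because each policy names a single owner, it only isolates nodes if Vault can tell them apart at login, which is why the comment asks for one IAM role per node rather than one per region.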
This is my second priority after the bootnode replacement issue, but I'll be working on it when things are building over there. Work on this issue will be going on the narrow-vault-policies branch of my fork.
First draft of the fix on this is in!
Related Issues (20)
- Validate Blocks by Region
- Flesh Out Resource Tagging HOT 1
- Reduce Threatstack alerts to manageable levels HOT 1
- How to update consensus mechanisms to use RAFT or ISTANBUL HOT 1
- Enable passwords for constellation keys HOT 3
- Change terraform boolean variables to use "true" & "false"
- Regionalize Backup Procedure HOT 2
- Mechanism to provide more detail when alarms trigger HOT 10
- ftp.gnu.org is broken HOT 1
- Tighten security group parameters on vault
- Integrate FoxPass SSH Key Management
- Fix vim vulnerabilities
- Look into scoping credentials
- Set up emergency access for vault via Okta
- Build out basic alarms HOT 2
- Disable Constellation on Mainnet HOT 1
- Add Elastic IPs to Observers (Optionally) HOT 1
- Mechanism to remove a single node HOT 1
- Investigate instance type mismatch
- Keep EBS volumes during deployment