As you already know, a service (for example SSH, FTP, web server) is assigned to a destination in Perun by the facility manager. The destination is a target to which the configuration of a service is propagated. There are several types of destination, for example e-mail (the new configuration is sent to the given e-mail address), but in your case we use type HOST (the new configuration is sent directly to the machine). When the destination accepts the configuration, pre-installed scripts are run at the destination to make all necessary changes. For better insight, see figure Propagation workflow.
Perun does not send only the configuration from the facility to the machine; the configuration also contains data about "destination" (hostname of the machine receiving the configuration from Perun) and "facility" (the facility for which the configuration is built). The machine uses these attributes to decide whether to accept the configuration or not.
The facility manager (for example the manager of facility carach.ics.muni.cz serving as cloud frontend) can assign as a destination in Perun the machine's name (for example carach1.ics.muni.cz), its alias (for example cloud-frontend.ics.muni.cz) or its IP address. The last two possibilities (alias, IP) could cause problems because the manager can insert an alias or IP out of the scope of his rights.
For example, the evil facility manager of skirit.ics.muni.cz can assign alias cloud-frontend.ics.muni.cz as a destination for some service, even though he is not the manager of the machine with alias cloud-frontend.ics.muni.cz. The machine is registered in Perun, but its alias is not present.
Because the evil facility manager assigned as the destination an alias which is not in the system, the inner control mechanism cannot avert this attempt at fraudulent behavior. The inner control mechanism is described later in the text.
Since the evil facility manager saved these settings, machine carach.ics.muni.cz with alias cloud-frontend.ics.muni.cz will receive configuration from facility skirit.ics.muni.cz, which is under full control of the evil manager.
Perun has an inner control mechanism that checks whether the facility manager has the right to assign a service to a destination. It covers situations when the assigned value is stored in the Perun database.
The inner control mechanism consists of the following rules: The facility manager can add the name of a new destination (or host) to a service if and only if
There is no host and no destination with the name in the system.
There is a destination or host connected with the facility, where the manager is the facility manager.
...
The inner control mechanism does not cover the situation when the facility manager assigns a destination value outside Perun's coverage (for example a new alias of a destination). To avoid potentially fraudulent behavior, by default the destination accepts configuration where the value of attribute "destination" equals the result of the command `hostname -f`. To change the default settings, the destination (host) manager must fill the variables DNS_ALIAS_WHITELIST or FACILITY_WHITELIST with values (IPs, aliases, destination's name). These values are then compared with the attributes "destination" and "facility" delivered with the new configuration.
These variables are set in: /opt/perun/bin/perun or in /etc/perunv3.conf:
...
DNS_ALIAS_WHITELIST accepts both IP addresses and aliases (only one value is enough for one machine); values are separated by a space. For example: `DNS_ALIAS_WHITELIST=(86.49.81.84 cloud-frontend.ics.muni.cz)`
FACILITY_WHITELIST accepts facility names (as they are named in Perun); values are separated by a space. For example: `FACILITY_WHITELIST=(carach.ics.muni.cz)`
To allow the service propagation, both whitelists are checked, and a match in only one whitelist is enough to accept the configuration.
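The acceptance decision described above (default `hostname -f` comparison, then either whitelist), written out as an added bash sketch; it is not Perun's own code. The function names `in_list` and `accept_config`, the optional third argument that stands in for `hostname -f`, and the sample deliveries are assumptions made for the example.

```bash
#!/usr/bin/env bash
# Added example, not Perun's own code: function names and the optional
# third argument are hypothetical; sample values are constructed.

# Whitelists in the syntax shown on this page.
DNS_ALIAS_WHITELIST=(86.49.81.84 cloud-frontend.ics.muni.cz)
FACILITY_WHITELIST=(carach.ics.muni.cz)

# in_list NEEDLE [ITEM...]: succeeds only on an exact string match.
in_list() {
  local needle=$1 item
  shift
  for item in "$@"; do
    if [ "$item" = "$needle" ]; then return 0; fi
  done
  return 1
}

# accept_config DESTINATION FACILITY [LOCAL_FQDN]
# Returns 0 to accept the delivered configuration, 1 to reject it.
accept_config() {
  local destination=$1 facility=$2
  local fqdn=${3:-$(hostname -f)}
  # Assumption of this example: a delivery missing either attribute is rejected.
  if [ -z "$destination" ] || [ -z "$facility" ]; then return 1; fi
  # Default rule: "destination" equals the machine's own FQDN.
  if [ "$destination" = "$fqdn" ]; then return 0; fi
  # A match in only one whitelist is enough.
  if in_list "$destination" "${DNS_ALIAS_WHITELIST[@]}"; then return 0; fi
  if in_list "$facility" "${FACILITY_WHITELIST[@]}"; then return 0; fi
  return 1
}

# Constructed deliveries, evaluated as if on carach1.ics.muni.cz.
for pair in "carach1.ics.muni.cz carach.ics.muni.cz" \
            "cloud-frontend.ics.muni.cz skirit.ics.muni.cz" \
            "other.example.org skirit.ics.muni.cz"; do
  set -- $pair
  if accept_config "$1" "$2" carach1.ics.muni.cz; then verdict=accept; else verdict=reject; fi
  printf '%-28s %-22s %s\n' "$1" "$2" "$verdict"
done
```

In this sketch the second delivery is accepted because its destination is listed in DNS_ALIAS_WHITELIST, although the sending facility is skirit.ics.muni.cz: under the one-match rule, an alias placed in that list is accepted whatever the value of "facility" is.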
...