HopsX509Authenticator should not do a reverse DNS lookup since service discovery

Description

HopsX509Authenticator authenticates incoming RPCs based on their X.509 certificate. X.509 certificates for system superusers have the FQDN of the host in their CN field. When checking whether a superuser can be authenticated, we make a reverse DNS lookup for the IP that initiated the connection, and the result should match the content of the CN (the FQDN).

Since service discovery, this authentication mechanism won't work, as an rDNS lookup can randomly return either the FQDN of the host or the domain name assigned by the service discovery system (Consul). If the latter is returned, the connection will be falsely dropped.
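The failure described above can be reproduced offline with an injected resolver. The following is an added example, not code from Hops: the class and method names, the sample DNS records, and the forward-lookup alternative are all assumptions made for illustration, and the forward lookup is not necessarily the fix the project adopted.

```java
import java.util.List;
import java.util.Map;
import java.util.Random;
import java.util.function.Function;

public class SuperuserCnCheck {
    // Constructed sample records: one IP carries two PTR names, the host FQDN
    // and a name assigned by service discovery.
    static final Map<String, List<String>> PTR = Map.of(
        "10.0.0.5", List.of("nn1.example.internal", "namenode.service.consul"));
    static final Map<String, List<String>> A = Map.of(
        "nn1.example.internal", List.of("10.0.0.5"));

    // Check described in the issue: reverse-resolve the peer IP, compare with the CN.
    static boolean reverseCheck(String peerIp, String cn, Function<String, String> rdns) {
        String name = rdns.apply(peerIp);
        return name != null && name.equalsIgnoreCase(cn);
    }

    // Assumed alternative: forward-resolve the CN, require the peer IP among the results.
    // IPs are compared as text here; real code should compare parsed addresses.
    static boolean forwardCheck(String peerIp, String cn, Function<String, List<String>> dns) {
        List<String> addrs = dns.apply(cn);
        return addrs != null && addrs.contains(peerIp);
    }

    public static void main(String[] args) {
        String cn = "nn1.example.internal";   // CN from the superuser certificate
        String peerIp = "10.0.0.5";           // address that opened the connection
        Random rnd = new Random(7);
        // A reverse lookup API returns one name; which PTR record comes back is not fixed.
        Function<String, String> rdns = ip -> {
            List<String> names = PTR.get(ip);
            return names == null ? null : names.get(rnd.nextInt(names.size()));
        };
        int dropped = 0;
        for (int i = 0; i < 1000; i++) {
            if (!reverseCheck(peerIp, cn, rdns)) dropped++;
        }
        System.out.println("reverse check dropped " + dropped + " of 1000 valid connections");
        System.out.println("forward check, real host:  " + forwardCheck(peerIp, cn, A::get));
        System.out.println("forward check, other host: " + forwardCheck("10.0.0.9", cn, A::get));
    }
}
```

The forward check stays deterministic when an IP has several PTR names, but it still depends on the integrity of the DNS answers it receives.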

Assignee

Antonios Kouzoupis

Reporter

Antonios Kouzoupis

Labels

None

Fix versions

Affects versions

Priority

High