YDA-5713: restrict access to iRODS anon. account

Add parameter for specifying which remote network addresses can log
in on the iRODS anonymous account. By default, only local access
is allowed.

docker/images/yoda_irods_icat/rules_uu.cfg

@@ -81,6 +81,8 @@ arb_exempt_resources            = ''
 arb_min_gb_free                 = '0'
 arb_min_percent_free            = '0'
 
+remote_anonymous_access         = ''
+
 text_file_extensions            = 'bash csv c cpp csharp css diff fortran gams gauss go graphql ini irpf90 java js json julia julia-repl kotlin less lua makefile markdown md mathematica matlab maxima mizar objectivec openscad perl php php-template plaintext txt python py python-repl r ruby rust sas scilab scss shell sh sql stan stata swift typescript ts vbnet wasm xml yaml html'
 vault_copy_numthreads           = '0'
 

docs/administration/configuring-yoda.md

@@ -197,6 +197,7 @@ irods_rum_job_minute                 | Time to run RUM job - minute (default: 0)
 irods_enable_gocommands              | Whether to install the GoCommands CLI (disabled by default)
 irods_gocommands_version             | GoCommands version
 irods_gocommands_archive_checksum    | MD5 checksum of the GoCommands archive for the version to be installed
+irods_anonymous_account_permit_addresses  | List of network addresses that can log in on the anonymous account using the iRODS protocol. Localhost (127.0.0.1) is always allowed.
 
 ### S3 configuration - for iRODS S3 resource plugin and s3cmd utilities
 

environments/development/full/group_vars/full.yml

@@ -90,6 +90,7 @@ irods_database_fqdn: database.yoda.test    # iRODS database fully qualified doma
 irods_resource_fqdn: resource.yoda.test    # iRODS resource fully qualified domain name (FQDN)
 irods_ssl_verify_server: none              # Verify TLS certificate, use 'cert' for acceptance and production
 irods_enable_gocommands: false
+irods_anonymous_account_permit_addresses: ['192.168.56.10']
 irods_resources:
   - name: dev001_1
     host: "{{ irods_icat_fqdn }}"

environments/development/surf/group_vars/surf.yml

@@ -90,6 +90,7 @@ irods_database_fqdn: portal.surfyoda.test    # iRODS database fully qualified do
 # irods_resource_fqdn: resource.surfyoda.test # iRODS resource fully qualified domain name (FQDN)
 irods_ssl_verify_server: none                # Verify TLS certificate, use 'cert' for acceptance and production
 irods_enable_gocommands: false
+irods_anonymous_account_permit_addresses: ['192.168.56.21']
 irods_resources:
   - name: dev001_1
     host: "{{ yoda_davrods_fqdn }}"

roles/yoda_rulesets/defaults/main.yml

@@ -222,6 +222,8 @@ irods_arb_exempt_resources: ""
 irods_arb_min_gb_free: 0
 irods_arb_min_percent_free: 5
 
+irods_anonymous_account_permit_addresses: []
+
 # Text file extensions configuration
 text_file_extensions: ['bash', 'csv', 'c', 'cpp', 'csharp', 'css', 'diff', 'fortran', 'gams', 'gauss', 'go', 'graphql', 'ini', 'irpf90', 'java', 'js', 'json', 'julia', 'julia-repl', 'kotlin', 'less', 'lua', 'makefile', 'markdown', 'md', 'mathematica', 'matlab', 'maxima', 'mizar', 'objectivec', 'openscad', 'perl', 'php', 'php-template', 'plaintext', 'txt', 'python', 'py', 'python-repl', 'r', 'ruby', 'rust', 'sas', 'scilab', 'scss', 'shell', 'sh', 'sql', 'stan', 'stata', 'swift', 'typescript', 'ts', 'vbnet', 'wasm', 'xml', 'yaml', 'html']
 

roles/yoda_rulesets/templates/rules_uu.cfg.j2

@@ -108,5 +108,7 @@ arb_exempt_resources           = '{{ irods_arb_exempt_resources }}'
 arb_min_gb_free                = '{{ irods_arb_min_gb_free }}'
 arb_min_percent_free           = '{{ irods_arb_min_percent_free }}'
 
+remote_anonymous_access        = '{{ irods_anonymous_account_permit_addresses | join (" ") }}'
+
 text_file_extensions           = '{{ text_file_extensions | join (" ") }}'
 vault_copy_multithread_enabled = '{{ ["false", "true"][yoda_rulesets_vault_copy_multithread_enabled|int] }}'