Limit system user login

[WalBeh]

Summary of changes

Limit system user login to 10.0.0.0/8.

I assumed that the configuration snippet from below limits the system to login from 10.0.0.0/8 only. But it seems like the 99.method=password spoils my plan!

 82     - -Cauth.host_based.enabled=true
 83     - -Cauth.host_based.config.0.user=crate
 84     - -Cauth.host_based.config.0.address=_local_
 85     - -Cauth.host_based.config.0.method=trust
 86     - -Cauth.host_based.config.1.user=system
 87     - -Cauth.host_based.config.1.address=10.0.0.0/8
 88     - -Cauth.host_based.config.1.method=password
 89     - -Cauth.host_based.config.99.method=password

In can see the real IP of the connection (=external IP) system can still login, due to the setting in line 89 where password login from everywhere is allowed.

Checklist

• Relevant changes are reflected in CHANGES.rst
• Added or changed code is covered by tests
• Documentation has been updated if necessary
• Changed code does not contain any breaking changes (or this is a major version change)

[SStorm]

We should probably make this configurable, since no guarantee that all k8s is using class A subnets? Also people might want to restrict it further, if they use a different subnet mask in their k8s.

[WalBeh]

We should probably make this configurable, since no guarantee that all k8s is using class A subnets? Also people might want to restrict it further, if they use a different subnet mask in their k8s.

configurable as in CRD?

spec.cluster.allowedSystemUserCIDR?

[SStorm]

You don't need this, if the setting is coming from the environment (config.ALLOWED_SYSTEM_USER_CIDR) - we don't need to be able to override it for individual CrateDBs?