[#3477] First attempt

Author: fxdupont

doc/sphinx/arm/agent.rst

@@ -37,6 +37,12 @@ The CA processes received commands according to the following algorithm:
 -  If the service is not specified or is an empty list, handle the
    command if the CA supports it.
 
+.. note::
+
+   The CA will be deprecated by a future Kea release: its function has
+   been moved to Kea servers since release 2.7.2, see the section about
+   migration from CA (:ref:`ctrl-channel-migration`).
+
 .. _agent-configuration:
 
 Configuration
@@ -131,8 +137,8 @@ configuration above, the CA connects to the DHCPv4 server via
 Obviously, the DHCPv4 server must be configured to listen to connections
 via this same socket. In other words, the command-socket configuration
 for the DHCPv4 server and the CA (for that server) must match. Consult
-:ref:`dhcp4-ctrl-channel`, :ref:`dhcp6-ctrl-channel`, and
-:ref:`d2-ctrl-channel` to learn how the socket configuration is
+:ref:`dhcp4-unix-ctrl-channel`, :ref:`dhcp6-unix-ctrl-channel`, and
+:ref:`d2-unix-ctrl-channel` to learn how the UNIX socket configuration is
 specified for the DHCPv4, DHCPv6, and D2 services.
 
 User contexts can store arbitrary data as long as they are in valid JSON

doc/sphinx/arm/ctrl-channel.rst

@@ -21,7 +21,8 @@ status.
 
 The DHCPv4, DHCPv6, and D2 servers receive commands over the UNIX domain
 sockets. For details on how to configure these sockets, see
-:ref:`dhcp4-ctrl-channel` and :ref:`dhcp6-ctrl-channel`. While
+:ref:`dhcp4-unix-ctrl-channel`, :ref:`dhcp6-unix-ctrl-channel` and
+:ref:`d2-unix-ctrl-channel`. While
 it is possible to control the servers directly using UNIX domain sockets,
 that requires that the controlling client be running on the same machine
 as the server. SSH is usually used to connect remotely to the controlled
@@ -920,3 +921,39 @@ commands are handled by the CA and they relate to the CA process itself:
 -  :isccmd:`status-get`
 
 -  :isccmd:`version-get`
+
+.. _ctrl-channel-migration:
+
+Migration from the Control Agent
+================================
+
+Since Kea version 2.7.2 DHCP servers support HTTP/HTTPS control channels
+so the Control Agent (CA) is no longer needed.
+
+The DHCPv4, DHCPv6, and D2 servers extend the ``control-socket`` entry
+to ``control-sockets`` list. To migrate a CA configuration add an element
+to this list with:
+
+-  ``socket-type`` set to ``http`` or ``https``
+
+-  ``socket-address`` with the content of CA ``http-host``
+
+-  ``socket-port`` with the content of CA ``http-port``
+
+-  ``trust-anchor`` (unchanged)
+
+-  ``cert-file`` (unchanged)
+
+-  ``key-file`` (unchanged)
+
+-  ``cert-required`` (unchanged)
+
+-  ``authentication`` (unchanged)
+
+User context is supported too. Please look at respective HTTP control socket
+sections for defaults and other details (beware that two servers must use
+different address / port pairs): :ref:`dhcp4-http-ctrl-channel`,
+:ref:`dhcp6-http-ctrl-channel` and :ref:`d2-http-ctrl-channel`
+
+For compatibility the JSON result of these HTTP/HTTPS control sockets is
+still encapsulated into a list.

doc/sphinx/arm/ddns.rst

@@ -217,7 +217,7 @@ which is described below:
 -  *Global Server Parameters* - define values which control connectivity and
    global server behavior.
 
--  *Control Socket* - defines the Control Socket type and name.
+-  *Control Sockets* - defines the Control Socket list.
 
 -  *TSIG Key Info* - defines the TSIG keys used for secure traffic with
    DNS servers.
@@ -274,28 +274,44 @@ illustrates how to change D2's global parameters so it will listen at
    If the ``ip-address`` and ``port`` are changed, the corresponding values in
    the DHCP servers' ``dhcp-ddns`` configuration section must be changed.
 
-.. _d2-ctrl-channel:
+.. _d2-ctrl-channels:
 
 Management API for the D2 Server
 --------------------------------
 
 The management API allows the issuing of specific management commands,
 such as configuration retrieval or shutdown. For more details, see
-:ref:`ctrl-channel`. Currently, the only supported communication
-channel type is the UNIX stream socket. By default there are no sockets
+:ref:`ctrl-channel`. By default there are no sockets
 open; to instruct Kea to open a socket, the following entry in the
 configuration file can be used:
 
 ::
 
    "DhcpDdns": {
-       "control-socket": {
-           "socket-type": "unix",
-           "socket-name": "/path/to/the/unix/socket"
-       },
+       "control-sockets": [
+           {
+               "socket-type": "unix",
+               "socket-name": "/path/to/the/unix/socket"
+           }
+       ],
        ...
    }
 
+.. note:
+
+   For backward compatibility the ``control-socket`` keyword is still
+   recognized by Kea version newer than 2.7.2: a ``control-socket`` entry
+   is put into a ``control-sockets`` list by the configuration parser.
+
+.. _d2-unix-ctrl-channel:
+
+UNIX Control Socket
+~~~~~~~~~~~~~~~~~~~
+
+Until Kea server 2.7.2 the only supported communication channel type was
+the UNIX stream socket with ``socket-type`` set to ``unix`` and
+``socket-name`` to the file path of the UNIX/LOCAL socket.
+
 The length of the path specified by the ``socket-name`` parameter is
 restricted by the maximum length for the UNIX socket name on the
 operating system, i.e. the size of the ``sun_path`` field in the
@@ -354,6 +370,89 @@ An example command may look like this:
        }
    }
 
+.. _d2-http-ctrl-channel:
+
+HTTP/HTTPS Control Socket
+~~~~~~~~~~~~~~~~~~~~~~~~~
+
+The ``socket-type`` must be ``http`` or ``https`` (whe the type is ``https``
+TLS is required). The ``socket-address`` (default ``127.0.0.1``) and
+``socket-port`` (default 8000) specify an IP address and port to which
+the HTTP service will be bound.
+
+The ``trust-anchor``, ``cert-file``, ``key-file``, and ``cert-required``
+parameters specify the TLS setup for HTTP, i.e. HTTPS. If these parameters
+are not specified, HTTP is used. The TLS/HTTPS support in Kea is
+described in :ref:`tls`.
+
+Basic HTTP authentication protects
+against unauthorized uses of the control agent by local users. For
+protection against remote attackers, HTTPS and reverse proxy of
+:ref:`agent-secure-connection` provide stronger security.
+
+The authentication is described in the ``authentication`` block
+with the mandatory ``type`` parameter, which selects the authentication.
+Currently only the basic HTTP authentication (type basic) is supported.
+
+The ``realm`` authentication parameter (default ``kea-dhcp-ddns-server``
+is used for error messages when the basic HTTP authentication is required
+but the client is not authorized.
+
+When the ``clients`` authentication list is configured and not empty,
+basic HTTP authentication is required. Each element of the list
+specifies a user ID and a password. The user ID is mandatory, must
+be not empty, and must not contain the colon (:) character. The
+password is optional; when it is not specified an empty password
+is used.
+
+.. note::
+
+   The basic HTTP authentication user ID and password are encoded
+   in UTF-8, but the current Kea JSON syntax only supports the Latin-1
+   (i.e. 0x00..0xff) Unicode subset.
+
+To avoid exposing the user ID and/or the associated
+password, these values can be read from files. The syntax is extended by:
+
+-  The ``directory`` authentication parameter, which handles the common
+   part of file paths. The default value is the empty string.
+
+-  The ``password-file`` client parameter, which, alongside the ``directory``
+   parameter, specifies the path of a file that can contain the password,
+   or when no user ID is given, the whole basic HTTP authentication secret.
+
+-  The ``user-file`` client parameter, which, with the ``directory`` parameter,
+   specifies the path of a file where the user ID can be read.
+
+When files are used, they are read when the configuration is loaded,
+to detect configuration errors as soon as possible.
+
+::
+
+   "DhcpDdns": {
+       "control-sockets": [
+           {
+               "socket-type": "https",
+               "socket-address": "10.20.30.40",
+               "socket-port": 8005,
+               "trust-anchor": "/path/to/the/ca-cert.pem",
+               "cert-file": "/path/to/the/agent-cert.pem",
+               "key-file": "/path/to/the/agent-key.pem",
+               "cert-required": true,
+               "authentication": {
+                   "type": "basic",
+                   "realm": "kea-dhcp-ddns-server",
+                   "clients": [
+                   {
+                       "user": "admin",
+                       "password": "1234"
+                   } ]
+               }
+           }
+       ],
+       ...
+   }
+
 .. _d2-tsig-key-list-config:
 
 TSIG Key List

doc/sphinx/arm/dhcp4-srv.rst

@@ -7555,25 +7555,24 @@ Statistics can be retrieved periodically to gain more insight into Kea operation
 leverages that capability is ISC Stork. See :ref:`stork` for details.
 
 
-.. _dhcp4-ctrl-channel:
+.. _dhcp4-ctrl-channels:
 
 Management API for the DHCPv4 Server
 ====================================
 
 The management API allows the issuing of specific management commands,
 such as statistics retrieval, reconfiguration, or shutdown. For more
-details, see :ref:`ctrl-channel`. Currently, the only supported
-communication channel type is the UNIX stream socket. By default there are
-no sockets open; to instruct Kea to open a socket, the following entry
-in the configuration file can be used:
-
-::
+details, see :ref:`ctrl-channel`. By default there are no sockets
+open; to instruct Kea to open a socket, the following entry in the
+configuration file can be used: ::
 
    "Dhcp4": {
-       "control-socket": {
-           "socket-type": "unix",
-           "socket-name": "/path/to/the/unix/socket"
-       },
+       "control-socket": [
+           {
+               "socket-type": "unix",
+               "socket-name": "/path/to/the/unix/socket"
+           }
+       ],
 
        "subnet4": [
            {
@@ -7584,6 +7583,21 @@ in the configuration file can be used:
        ...
    }
 
+.. note:
+
+   For backward compatibility the ``control-socket`` keyword is still
+   recognized by Kea version newer than 2.7.2: a ``control-socket`` entry
+   is put into a ``control-sockets`` list by the configuration parser.
+
+.. _dhcp4-unix-ctrl-channel:
+
+UNIX Control Socket
+-------------------
+
+Until Kea server 2.7.2 the only supported communication channel type was
+the UNIX stream socket with ``socket-type`` set to ``unix`` and
+``socket-name`` to the file path of the UNIX/LOCAL socket.
+
 The length of the path specified by the ``socket-name`` parameter is
 restricted by the maximum length for the UNIX socket name on the administrator's
 operating system, i.e. the size of the ``sun_path`` field in the
@@ -7630,6 +7644,96 @@ following statistics-related commands:
 
 as described in :ref:`command-stats`.
 
+.. _dhcp4-http-ctrl-channel:
+
+HTTP/HTTPS Control Socket
+-------------------------
+
+The ``socket-type`` must be ``http`` or ``https`` (whe the type is ``https``
+TLS is required). The ``socket-address`` (default ``127.0.0.1``) and
+``socket-port`` (default 8000) specify an IP address and port to which
+the HTTP service will be bound.
+
+The ``trust-anchor``, ``cert-file``, ``key-file``, and ``cert-required``
+parameters specify the TLS setup for HTTP, i.e. HTTPS. If these parameters
+are not specified, HTTP is used. The TLS/HTTPS support in Kea is
+described in :ref:`tls`.
+
+Basic HTTP authentication protects
+against unauthorized uses of the control agent by local users. For
+protection against remote attackers, HTTPS and reverse proxy of
+:ref:`agent-secure-connection` provide stronger security.
+
+The authentication is described in the ``authentication`` block
+with the mandatory ``type`` parameter, which selects the authentication.
+Currently only the basic HTTP authentication (type basic) is supported.
+
+The ``realm`` authentication parameter (default ``kea-dhcpv4-server``
+is used for error messages when the basic HTTP authentication is required
+but the client is not authorized.
+
+When the ``clients`` authentication list is configured and not empty,
+basic HTTP authentication is required. Each element of the list
+specifies a user ID and a password. The user ID is mandatory, must
+be not empty, and must not contain the colon (:) character. The
+password is optional; when it is not specified an empty password
+is used.
+
+.. note::
+
+   The basic HTTP authentication user ID and password are encoded
+   in UTF-8, but the current Kea JSON syntax only supports the Latin-1
+   (i.e. 0x00..0xff) Unicode subset.
+
+To avoid exposing the user ID and/or the associated
+password, these values can be read from files. The syntax is extended by:
+
+-  The ``directory`` authentication parameter, which handles the common
+   part of file paths. The default value is the empty string.
+
+-  The ``password-file`` client parameter, which, alongside the ``directory``
+   parameter, specifies the path of a file that can contain the password,
+   or when no user ID is given, the whole basic HTTP authentication secret.
+
+-  The ``user-file`` client parameter, which, with the ``directory`` parameter,
+   specifies the path of a file where the user ID can be read.
+
+When files are used, they are read when the configuration is loaded,
+to detect configuration errors as soon as possible.
+
+::
+
+   "Dhcp4": {
+       "control-sockets": [
+           {
+               "socket-type": "https",
+               "socket-name": "10.20.30.40",
+               "socket-port": 8004,
+               "trust-anchor": "/path/to/the/ca-cert.pem",
+               "cert-file": "/path/to/the/agent-cert.pem",
+               "key-file": "/path/to/the/agent-key.pem",
+               "cert-required": true,
+               "authentication": {
+                   "type": "basic",
+                   "realm": "kea-dhcpv4-server",
+                   "clients": [
+                   {
+                       "user": "admin",
+                       "password": "1234"
+                   } ]
+               }
+           }
+       ],
+
+       "subnet4": [
+           {
+               ...
+           },
+           ...
+       ],
+       ...
+   }
+
 .. _dhcp4-user-contexts:
 
 User Contexts in IPv4