Layer7 API Management


CA API Gateway - Allow access to "dynamic" IP Address Range 

Mar 09, 2017 11:56 AM

Hello colleagues,

 

This is for those who would like IP-based access protection in policies (usable, for example, for services which should be accessed from the internal network interface in a gateway cluster), where the solution has to be maintained flexibly through cluster-wide properties (use cases: change of IPs of internal NICs, addition of a new node to the cluster, etc.).

 

REQUIREMENT:

  • "allow" logic
  • easy maintenance
  • portable between environments

 

Things to consider:

  • when the IP comparison fails in the "allow access to IP" assertion, the result is a fail
  • if you have a list of IPs (multivalued variable), the access to IP assertion cannot use the list position format of the variable (aka "${listofIps[0]}")

  • when you run the allow access assertion inside "run assertion for each Item of", if the first IP in the list does not match, the whole assertion fails

Solution:

To compare successfully against several specific IPs, the policy logic needs to be prepared for both fails and successes, with the help of additional variables, comparisons and if/else logic.

For example purposes, a hardcoded variable with multiple IPs is used; it can easily be changed to use a cluster-wide property.

(Note: for comparing IPs, you can use the "compare" assertion or the "allow access" assertion; it would be good to check which one is better for performance.)

 

Below is a picture of an example policy for allowing access to a dynamic list of IPs:

 

 

 

Hope it helps someone :-)
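
The flag-variable logic described in the post, modelled in Python as an added example (it is not the author's policy and not Layer7 policy code). It goes beyond the post by also accepting CIDR entries; the property value `ALLOWED_IPS` and the function names are assumptions made for illustration.

```python
import ipaddress

# Constructed sample value, standing in for a cluster-wide property (assumption).
ALLOWED_IPS = "10.10.1.11, 10.10.1.12, 192.168.50.0/24"


def parse_allow_list(prop_value):
    """Turn a comma-separated property value into a list of networks.

    A bare IP becomes a /32 (or /128). Any malformed entry, including a CIDR
    with host bits set such as 10.10.1.5/24, raises ValueError so that a typo
    in the property cannot silently change the rule set.
    """
    networks = []
    for entry in prop_value.split(","):
        entry = entry.strip()
        if entry:
            networks.append(ipaddress.ip_network(entry))  # strict by default
    return networks


def is_allowed(client_ip, prop_value):
    """Return True only if client_ip matches at least one allow-list entry."""
    try:
        addr = ipaddress.ip_address(client_ip)
        networks = parse_allow_list(prop_value)
    except ValueError:
        return False  # fail closed on a bad client address or a bad list

    allowed = False  # the "additional variable" from the post
    for net in networks:
        # A mismatch on one entry is not a failure; keep checking the rest.
        if addr in net:
            allowed = True
            break
    # The if/else step: deny when no entry matched (also covers an empty list).
    return allowed


if __name__ == "__main__":
    for ip in ("10.10.1.12", "192.168.50.77", "10.10.1.13"):
        print(ip, "->", "allow" if is_allowed(ip, ALLOWED_IPS) else "deny")
```
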

Comments

May 10, 2017 10:11 AM

How do you handle different CIDRs?
