Intercept destinations vs policies attributes

Thank you all for your replies. To recap our architecture, I had started a thread on the subject: Help with designing/configuring desired overlay.

After upgrading to version 1.6.13, I spent a lot of time last week trying to understand the difficulties we're facing and how to resolve them. As a reminder, the main goal is to create groups. Within each group, multiple clients can access multiple servers. Each group must be isolated from the others.

I thought I had found a solution:

  • All servers in the infrastructure have the Pix attribute.
  • All clients in the infrastructure have the Terms attribute.

For each group:

  • I generate a random domain name, for example: dyvSeKuqen.
  • I create a service named 2609-dyvSeKuqen (2609 is the TCP port of the service).
  • In the intercept.v1 configuration, I specify *.dyvSeKuqen as the destination and $dst_hostname in dial options -> identity.
  • In the host.v1 configuration, I specify localhost as the destination address and enable the Bind using edge identity option.
  • I assign the servers and clients in this group an attribute named dyvSeKuqen.
  • I create a server policy named dyvSeKuqen-Bind specifying the attributes Pix and dyvSeKuqen with semantics set to allOf.
  • I create a client policy named dyvSeKuqen-Dial specifying the attributes Terms and dyvSeKuqen with semantics set to allOf.

Thus, in the application, clients only know the dyvSeKuqen domain and therefore cannot access the servers of other groups. Even if they knew another domain name, the policy rules would prevent them from accessing it.

I was very pleased with myself... :smiling_face_with_sunglasses: but it's not working. :face_with_spiral_eyes: I think there are things I'm missing, but I can't see what because my approach seems perfectly logical. Unfortunately, we're at the stage where we have to deploy our application for the first time, and we're completely stuck due to various problems that we are unable to resolve using openZiti.

I checked the logs, and here's the error message:

ERROR ziti-sdk:connect.c:1070 connect_reply_cb() conn[1.6/uIyEQfaS/Connecting](2609-dyvSeKuqen) failed to connect, reason=service AqErEuQI8ZfkKZzPTaVvt has no terminators for instanceId 93f4c47e-9a49-41a8-9169-5ae30b54ee73.dyvsekuqen

I don't know what else to say except that I would be very grateful to understand what's wrong and how to implement a stable and functional solution. Your help is greatly appreciated!
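The following is an added example, not code from the original post or from the OpenZiti project. It models how the intercept.v1 and host.v1 settings described in the post interact: the dialOptions identity "$dst_hostname" is substituted with the hostname the client dialed, a host.v1 bound with bindUsingEdgeIdentity registers one terminator per hosting identity with that identity's name as instanceId, and a dial only succeeds when the substituted value equals an existing instanceId exactly. The config dictionaries, identity names and dialed hostnames are constructed for illustration; the lowercasing of the dialed name is an observation taken from the instanceId in the quoted log line, not a documented guarantee.

```python
"""Model of "$dst_hostname" dial identity vs. bindUsingEdgeIdentity terminators.

Added example for this thread, not OpenZiti code.  Assumptions (constructed):
  * "$dst_hostname" in intercept.v1 dialOptions.identity is replaced by the
    hostname the client dialed (lowercased here, matching the quoted log line).
  * host.v1 with listenOptions.bindUsingEdgeIdentity=true creates a terminator
    per hosting identity whose instanceId is that identity's name.
  * The dial succeeds only if some terminator instanceId equals the computed one.
"""
import fnmatch

# Constructed configs mirroring the post's description of the 2609-dyvSeKuqen service.
INTERCEPT_V1 = {
    "protocols": ["tcp"],
    "addresses": ["*.dyvSeKuqen"],
    "portRanges": [{"low": 2609, "high": 2609}],
    "dialOptions": {"identity": "$dst_hostname"},
}
HOST_V1 = {
    "protocol": "tcp",
    "address": "localhost",
    "port": 2609,
    "listenOptions": {"bindUsingEdgeIdentity": True},
}


def intercept_matches(intercept_cfg, dialed_host, port):
    """True if the dialed host:port falls under the intercept's addresses/ports."""
    in_port = any(r["low"] <= port <= r["high"] for r in intercept_cfg["portRanges"])
    in_addr = any(
        fnmatch.fnmatchcase(dialed_host.lower(), pattern.lower())
        for pattern in intercept_cfg["addresses"]
    )
    return in_port and in_addr


def resolve_instance_id(intercept_cfg, dialed_host):
    """Substitute $dst_hostname; None means 'no identity requested, any terminator'."""
    identity = intercept_cfg.get("dialOptions", {}).get("identity")
    if identity is None:
        return None
    return identity.replace("$dst_hostname", dialed_host.lower())


def terminator_instance_ids(host_cfg, hosting_identities):
    """instanceIds registered by the hosting identities under this host.v1 config."""
    if host_cfg.get("listenOptions", {}).get("bindUsingEdgeIdentity"):
        return set(hosting_identities)          # one terminator per identity name
    return {None}                               # anonymous terminators only


def dial(intercept_cfg, host_cfg, dialed_host, port, hosting_identities):
    """Return a short outcome string for a client dialing dialed_host:port."""
    if not intercept_matches(intercept_cfg, dialed_host, port):
        return "not intercepted"
    wanted = resolve_instance_id(intercept_cfg, dialed_host)
    available = terminator_instance_ids(host_cfg, hosting_identities)
    if wanted in available:
        return f"connected to terminator {wanted}"
    return f"no terminators for instanceId {wanted}"


if __name__ == "__main__":
    # Hosting identities named the way most deployments name them (constructed).
    servers = ["server-a", "server-b"]
    dialed = "93f4c47e-9a49-41a8-9169-5ae30b54ee73.dyvSeKuqen"
    print(dial(INTERCEPT_V1, HOST_V1, dialed, 2609, servers))
    # Only an identity whose name equals the lowercased dialed hostname is found.
    print(dial(INTERCEPT_V1, HOST_V1, dialed, 2609, servers + [dialed.lower()]))
```

The model makes the failure mode visible: the policies decide which identities may dial or bind, but with "$dst_hostname" the terminator lookup is a separate, exact string comparison against the instanceId each server registered, so a wildcard address plus a per-group role attribute does not by itself make any server in the group reachable.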