New in version 1.4.0.
Bcfg2 exposes various functions via XML-RPC calls. Some of these are relatively benign (e.g., the calls necessary to generate a client configuration) while others can be used to inspect potentially private data on the server or very easily mount a denial of service attack. As a result, access control lists to limit exposure of these calls is built in. There are two possible ACL methods: built-in, and the ACL plugin.
The built-in approach simply applies a restrictive default ACL that lets localhost perform all XML-RPC calls, and restricts all other machines to only the calls necessary to run the Bcfg2 client. Specifically:
The built-in ACL is only intended to ensure that Bcfg2 is secure by default; it will not be sufficient in many (or even most) cases. In these cases, it’s recommended that you use the ACL plugin.