This document summarizes current security controls, the intended operating model, and known boundaries.
Hardening goals:
- Keep Prism Element, Prism Central, and Move interactions read-only.
- Prevent accidental API surface expansion by future tool changes.
- Reduce abuse risk from high-rate or high-concurrency tool execution.
- Keep credentials in OS keyring storage only.
The client layer enforces centralized request policy for:
- Allowed endpoint families for Prism Element, Prism Central, and Move APIs.
- Allowed query parameter keys by API family.
- Rejection of malformed paths with query fragments embedded in path strings.
Any request outside policy is rejected before network I/O.
All client helpers issue GET requests only, and the policy is built around read-only query patterns.
Why this matters:
- Prevents broadening into action-style endpoints through generic HTTP helpers.
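The following is an added illustration of the centralized, read-only request policy described above. It is not the nutanix-mcp project's own code; the API family names, path prefixes and query keys are constructed placeholders, and the check runs entirely before any network I/O.

```python
import posixpath

class PolicyViolation(ValueError):
    """Raised before any network I/O when a request falls outside policy."""

# Constructed example allowlists keyed by API family; the real project's
# endpoint families and query keys are not reproduced here.
ALLOWED_PATH_PREFIXES = {
    "prism_element": ("/api/pe/v2/vms", "/api/pe/v2/hosts"),
    "prism_central": ("/api/pc/v3/clusters",),
    "move": ("/move/v2/plans",),
}
ALLOWED_QUERY_KEYS = {
    "prism_element": {"count", "offset"},
    "prism_central": {"length", "offset"},
    "move": {"limit"},
}

def _prefix_matches(path, prefix):
    # Match only at a segment boundary so "/api/pe/v2/vms" does not
    # authorise "/api/pe/v2/vms_delete".
    return path == prefix or path.startswith(prefix + "/")

def validate_request(family, method, path, params=None):
    """Return a normalised (method, path, params) tuple or raise PolicyViolation."""
    params = dict(params or {})
    if method.upper() != "GET":
        raise PolicyViolation(f"method {method!r} is not read-only")
    if family not in ALLOWED_PATH_PREFIXES:
        raise PolicyViolation(f"unknown API family {family!r}")
    if "?" in path or "#" in path:  # query/fragment smuggled into the path
        raise PolicyViolation("query fragment embedded in path")
    # The path must already be canonical: no "..", "//" or trailing "/".
    if not path.startswith("/") or posixpath.normpath(path) != path:
        raise PolicyViolation(f"non-canonical path {path!r}")
    if not any(_prefix_matches(path, p) for p in ALLOWED_PATH_PREFIXES[family]):
        raise PolicyViolation(f"path {path!r} outside {family} allowlist")
    bad_keys = set(params) - ALLOWED_QUERY_KEYS[family]
    if bad_keys:
        raise PolicyViolation(f"query keys not allowed: {sorted(bad_keys)}")
    return ("GET", path, tuple(sorted(params.items())))

def is_allowed(family, method, path, params=None):
    # Boolean wrapper for callers that only need a yes/no decision.
    try:
        validate_request(family, method, path, params)
    except PolicyViolation:
        return False
    return True
```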
Client errors expose only high-level HTTP status details and avoid returning raw response bodies.
Why this matters:
- Reduces leakage of internal infrastructure details into MCP tool output.
Credential lookup now uses OS keyring data only.
- Removed environment variable credential fallback.
- Added basic validation for stored values.
Why this matters:
- Reduces accidental credential injection/exposure through process environment.
Every MCP tool is wrapped with a guard that enforces a maximum number of concurrent executions.
Why this matters:
- Limits accidental overload and reduces abuse potential.
Every MCP tool is rate-limited using a one-minute window.
Why this matters:
- Limits rapid prompt-loop enumeration and excessive API pressure.
The HTTP timeout is bounded by the active tool policy and cannot exceed the configured limits.
Why this matters:
- Prevents long-running requests from monopolizing runtime capacity.
A validated security config object is loaded once during startup.
Supported environment controls:
- NUTANIX_MCP_REQUEST_TIMEOUT_SECONDS
- NUTANIX_MCP_TOOL_CONCURRENCY_LIMIT
- NUTANIX_MCP_RATE_LIMIT_PER_MINUTE
- NUTANIX_MCP_TOOL_POLICY_OVERRIDES (JSON object keyed by tool name)
Why this matters:
- Misconfiguration fails fast at startup.
- Runtime behavior remains centralized and deterministic.
verify_ssl remains configurable per credential entry because many enterprise Nutanix environments use private CA or self-signed certificates.
- verify_ssl=true gives the strongest MITM protection and full server identity verification.
- verify_ssl=false improves compatibility in environments that are not PKI-ready.
Security caution:
- Using verify_ssl=false reduces transport authenticity guarantees and should be treated as explicit risk acceptance.
- Prefer trusted internal CA deployment whenever feasible.
The MCP server process must read keyring credentials to authenticate to Nutanix endpoints. During execution, credentials exist in process memory.
Important boundary:
- Preventing all host-level secret access is outside application scope.
- Any principal able to run arbitrary local commands as the same OS user may still access local secrets.
Operational recommendation:
- Run nutanix-mcp under a least-privilege user context on a trusted workstation or jump host.
Known boundaries:
- Rate limits and concurrency caps reduce risk but are not a complete anti-abuse system.
- This hardening step does not add SIEM/audit logging pipelines.
- Endpoint allowlists are intentionally strict and may require updates when adding new tools.
Operator recommendations:
- Use read-only service accounts with the minimum required Nutanix RBAC.
- Limit network reachability from the MCP host to approved Prism/Move endpoints only.
- Tune tool policy overrides conservatively in shared environments.
- Periodically review inventory entries and remove stale endpoints.
This is a community-maintained project and not an official Nutanix product. Operators remain responsible for validating controls against internal policy and compliance requirements.