On Fri, Jul 20, 2012 at 7:01 PM, Nick Lewis <[email protected]> wrote:
> On Tuesday, July 17, 2012 3:46:21 PM UTC-7, Jo wrote:
>>
>> Okay, I totally did see this in the release notes but I read it that you
>> weren't allowing certificates with IP addresses in them, not that you
>> wouldn't allow IP authentication in auth.conf at all.
>>
>> Jul 17 14:52:46 sj2-puppet puppet-master[13998]: Authentication based on
>> IP address is deprecated; please use certname-based rules instead
>>
>> I don't feel that it is reasonable to expect that every puppet customer
>> match up their naming scheme to their IP blocks, nor to want to list every
>> possible naming scheme in their authorization list when an IP bitmask will
>> do the job much more simply.
>>
>> I don't mind or care about IPs in certificates--I've never seen this, and
>> don't expect to. But disallowing IP-based authentication is going to be very
>> difficult at many sites, and possibly allow things which were never
>> intended. Please reconsider this.
>>
>
> This is actually something of a misleading deprecation warning, I'm afraid.
> The change we plan to make is to distinguish "allow" and "allow_ip", to
> avoid confusing IPs and certnames. So the change you will need to make is to
> explicitly use "allow_ip" if you want to do IP-based authentication.
> However, adding that feature to 2.7.x, though backward compatible, turns out
> to require a fairly significant rework of some of the auth code, which is a
> risk we don't feel is appropriate. So the feature won't be in until 3, at
> which point it will be required.
>
> That means we're in the awkward position of issuing a warning you can't
> actually fix yet, which is *really* not something we like to do. But it
> seems better to at least give some alert that you'll need to make a change
> in the future than to have it suddenly occur without forewarning. So yes,
> there's definitely a bit of an issue here, but I assure you we don't intend
> to remove IP-based authentication entirely.
As Nick said, this wasn't something we took lightly, but I do believe we've made the right interim decision. Jo, can you provide a bit more detail about your specific use case so we can be sure we're solving it going forward?
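For illustration (added here, not written by anyone in this thread), this is what the split Nick describes looks like in auth.conf: the 2.7 form that mixes an IP range and certnames under "allow" and produces the deprecation warning, beside the Puppet 3 form where IP rules move to "allow_ip". The path, network and hostnames are constructed examples, not taken from Jo's site.

```conf
# --- Puppet 2.7 form (what Jo has today) ---
# "allow" accepts both certnames and IP ranges, so the master cannot tell
# which kind of rule this is; the IP rule is what logs
# "Authentication based on IP address is deprecated".
path /catalog/
method find
auth yes
allow 10.20.0.0/16
allow *.example.com

# --- Puppet 3 form (the change Nick says will be required) ---
# Same policy, but IP-based access uses "allow_ip" and "allow" only ever
# matches certnames, so an IP can no longer be confused with a certname.
# Use one form or the other for a given path, not both stanzas at once.
path /catalog/
method find
auth yes
allow_ip 10.20.0.0/16
allow *.example.com
```

The "auth yes" line still requires a valid client certificate; "allow_ip" only decides which authenticated (or, with "auth any", unauthenticated) clients may reach the path.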
