On Thu, Dec 05, 2013 at 12:24:17 +0100, Lukas Zapletal wrote:
> > Hi!
> Hey,
>
> > A) uReports are collected by ABRT server deployed by the administrator.
> > Upon receiving a report, the ABRT server notifies Foreman (or Foreman
> > can periodically ask the ABRT server for new reports). Foreman
> > communicates with ABRT server using some kind of REST API.
>
> We have nice Puppet based installer, so this looks like viable option to
> me as we can setup another component.
>
> > B) uReports are collected by Foreman, or some kind of proxy written for
>
> I prefer A, this is solely my opinion.
>
> > While we could just add an item containing e.g. FQDN to the uReport,
> > such information can be easily spoofed. Can we take advantage of the
> > fact that there already exists authentication between the managed
> > machines and Foreman (or Puppet?)?
>
> Someone correct me if I am wrong, but we are deploying Puppet client
> certificate during provisioning phase which is being signed by Puppet CA
> authority. That means each Foreman-managed machine has a client
> certificate which could be re-used for other things. It should not be
> a problem to use Puppet CA to validate client certificates during ABRT
> upload.
>
> The key is to make sure ABRT server has access to the Puppet CA
> certificate (and key).

I wonder if it would be possible to use these certificates without major
changes to Puppet. Or, whether the benefits of having authenticated
problem reports outweigh the risks of sharing the puppet certificates
with another component.

Thanks for the reply,
Martin
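
Added example, not part of the original thread or of ABRT, Foreman or Puppet code: a sketch of the check a report receiver could run on an upload, accepting a report only when the client certificate chains to the CA and its CN matches the FQDN claimed in the report. The throwaway CA stands in for the Puppet CA; the function names, file names, hostnames and the assumption that the certificate CN carries the host's FQDN are all constructed for illustration.

```shell
#!/bin/sh
# Constructed demo: the CA, hosts and file names below are made up.

# verify_report_cert CA_CERT CLIENT_CERT CLAIMED_FQDN
# Returns 0 only if CLIENT_CERT chains to CA_CERT and its CN equals CLAIMED_FQDN.
verify_report_cert() {
    ca_cert=$1 client_cert=$2 claimed=$3
    # The chain check reads the CA certificate only, never the CA private key.
    openssl verify -CAfile "$ca_cert" "$client_cert" >/dev/null 2>&1 || return 1
    cn=$(openssl x509 -in "$client_cert" -noout -subject -nameopt multiline |
         sed -n 's/^ *commonName *= *//p')
    [ "$cn" = "$claimed" ]
}

# make_demo_pki DIR: throwaway CA, one host certificate signed by it, and one
# self-signed certificate that merely claims the same hostname.
make_demo_pki() {
    d=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo CA" \
        -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj "/CN=web01.example.com" \
        -keyout "$d/host.key" -out "$d/host.csr" 2>/dev/null
    openssl x509 -req -in "$d/host.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
        -CAcreateserial -days 1 -out "$d/host.pem" 2>/dev/null
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=web01.example.com" \
        -keyout "$d/rogue.key" -out "$d/rogue.pem" 2>/dev/null
}

# Demo run: one accepted report, two rejected ones.
demo=$(mktemp -d) && make_demo_pki "$demo"
verify_report_cert "$demo/ca.pem" "$demo/host.pem" web01.example.com \
    && echo "accepted: CA-signed certificate, FQDN matches"
verify_report_cert "$demo/ca.pem" "$demo/host.pem" db01.example.com \
    || echo "rejected: report claims an FQDN the certificate does not carry"
verify_report_cert "$demo/ca.pem" "$demo/rogue.pem" web01.example.com \
    || echo "rejected: certificate not signed by the CA"
rm -rf "$demo"
```

The sketch does no revocation checking, so a certificate revoked by the CA would still pass; a real receiver would also need the CA's CRL.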
