Issue #2348 has been updated by Brice Figureau.

Nigel Kersten wrote:
> http://github.com/reductivelabs/puppet/blob/c45ebfad1b5525a8297bef97c04aed9e485eff76/lib/puppet/network/authstore.rb#L280
>
> That link shows the problematic method. Basically if you don't use a domain
> name as your certname (we use GUIDs here) then it falls all the way through
> to trying to turn it into an IP address which obviously fails.
>
> If someone can give me a bit more insight into what this method is supposed
> to be doing, then I'm happy to do the patches, but after reading the dev list
> archives for the associated patches for the auth system, I still don't quite
> get it.
>
> Naively, I kind of feel like the logic is around the wrong way. It should
> determine if the value is a dynamic/back-reference pattern or an IP first,
> then I don't quite see how it matters what your certname is after that,
> whether it be a domain or something else.

The thing is that this code is the one that was used for namespaceauth.conf. I just leveraged this code for the REST auth system. There is no issue adding a new kind of allow/deny target for "opaque" strings, except that we will suddenly allow some things that were invalid before to become valid.

I'll move the discussion to the puppet-dev list.

----------------------------------------
Bug #2348: REST auth system assumes certnames are domain names.
http://projects.reductivelabs.com/issues/2348

Author: Nigel Kersten
Status: Accepted
Priority: Normal
Assigned to: Brice Figureau
Category: plumbing
Target version: 0.25.0
Complexity: Unknown
Affected version: 0.25.0
Keywords:

http://github.com/reductivelabs/puppet/blob/c45ebfad1b5525a8297bef97c04aed9e485eff76/lib/puppet/network/authstore.rb#L280

That link shows the problematic method. Basically if you don't use a domain name as your certname (we use GUIDs here) then it falls all the way through to trying to turn it into an IP address which obviously fails.

If someone can give me a bit more insight into what this method is supposed to be doing, then I'm happy to do the patches, but after reading the dev list archives for the associated patches for the auth system, I still don't quite get it.

Naively, I kind of feel like the logic is around the wrong way. It should determine if the value is a dynamic/back-reference pattern or an IP first, then I don't quite see how it matters what your certname is after that, whether it be a domain or something else.
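
The ordering discussed in this report, sketched as an added example; it is not Puppet's AuthStore code and not part of the original messages. All names (`classify_target`, `ip_literal?`, `domain_name?`), the `$1` back-reference syntax and the sample values are assumptions made for illustration. It shows a GUID certname landing in an explicit "opaque" category instead of falling through to IP parsing, and it also shows the compatibility concern raised in the reply: strings that were rejected before become valid targets.

```ruby
require 'ipaddr'

# Hypothetical patterns, not taken from Puppet.
BACKREF = /\$\d+/                                  # dynamic target, e.g. "$1.example.com"
LABEL   = /\A[a-z0-9](?:[a-z0-9-]*[a-z0-9])?\z/i   # a single DNS label
OPAQUE  = /\A[\w-]+\z/                             # GUID-style certname, no dots

# True when the value parses as an IPv4/IPv6 address or CIDR range.
def ip_literal?(value)
  IPAddr.new(value)
  true
rescue ArgumentError   # IPAddr::InvalidAddressError is an ArgumentError
  false
end

# True for "host.example.com" or "*.example.com"; an all-numeric last
# label is rejected so a malformed IP is not accepted as a domain.
def domain_name?(value)
  labels = value.sub(/\A\*\./, '').split('.', -1)
  labels.size > 1 && labels.all? { |l| l =~ LABEL } && labels.last =~ /[a-z]/i ? true : false
end

# Classify an allow/deny target: back-reference and IP first, then
# domain, then opaque string. Anything else is refused outright.
def classify_target(value)
  return :invalid if value.nil? || value.empty? || value =~ /\s/
  return :dynamic if value =~ BACKREF
  return :ip      if ip_literal?(value)
  return :domain  if domain_name?(value)
  return :opaque  if value =~ OPAQUE
  :invalid
end

# Constructed sample targets.
SAMPLES = [
  '8c0d1f2e-5b7a-4c3d-9e6f-0a1b2c3d4e5f',  # GUID certname
  '192.168.1.10', '10.0.0.0/8', '*.example.com',
  '$1.example.com', '999.1.1.1', 'bad name'
].freeze

SAMPLES.each { |s| puts format('%-40s %s', s, classify_target(s)) } if __FILE__ == $PROGRAM_NAME
```

Keeping `:opaque` as its own category, rather than widening the domain pattern, lets an ACL loader log or gate the newly accepted entries separately.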
