Issue #5020 has been updated by Matt Robinson.

Status changed from Code Insufficient to Ready for Checkin

Looks like I messed up testing the #5020 patch because the helper script I was using to start the puppetmaster was copying an overly permissive auth.conf in. This was a relic of when I was documenting the REST API and wanted to not have to worry about security rules. I was testing the 2.6.x branch without this auth.conf on a different machine, so that's why it looked like your branch introduced the permission problem. So +1 to this patch.

On Tue, Oct 26, 2010 at 3:13 AM, Brice Figureau <[email protected]> wrote:
> This is strange because this authorization check is done way before the
> catalog compilation terminus is involved (where my modification is).

This confused me too. I should've followed the code to see how it could have gotten by the early authorization.

> How did you perform your tests?

Using curl to do the requests
Using a script to start the puppetmaster (this is where my problem was)

----------------------------------------
Bug #5020: Prefer URI over certname when compiling node catalog
https://projects.puppetlabs.com/issues/5020

Author: Brice Figureau
Status: Ready for Checkin
Priority: Normal
Assignee: Brice Figureau
Category: compiler
Target version: 2.6.x
Affected Puppet version: 2.6.2
Keywords: communitypatch
Branch: http://github.com/masterzen/puppet/tree/tickets/2.6.x/5020

As discussed here:
http://groups.google.com/group/puppet-dev/browse_thread/thread/45e287d5a0fb8585/e60645baa81b1a96

Since auth.conf (and default inserted rules when no auth.conf exists) provide enough security, it would be great to use the provided compiling URI key as the node name to compile, instead of using the provided SSL certname.

It would allow monitoring or puppet-load to simulate any client with only one certificate by changing auth.conf:

<pre>
path ~ ^/catalog/([^/]+)$
method find
allow $1
allow puppet-load.domain.com
allow monitoring.domain.com
</pre>
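
An added sketch, not Puppet's code and not part of the ticket: a simplified Ruby model of how the ACL quoted above decides which certificate may fetch which catalog once the node name is taken from the URI, next to a constructed over-permissive rule of the kind that hid the check during testing. The `Rule` struct, `allowed?`, `catalog_node` and the host names `web01`/`db01` are assumptions made for illustration.

```ruby
# Simplified model of a single auth.conf ACL (assumption: not Puppet's implementation).
# A rule has a path regex, an HTTP-level method name, and a list of allow patterns;
# "$1" in an allow pattern stands for the first capture of the path regex.
Rule = Struct.new(:path, :http_method, :allows)

# The rule from the ticket: a node may fetch its own catalog, plus two named hosts.
STRICT = Rule.new(%r{^/catalog/([^/]+)$}, "find",
                  ["$1", "puppet-load.domain.com", "monitoring.domain.com"])

# Constructed example of an overly permissive rule ("allow *").
PERMISSIVE = Rule.new(%r{^/catalog/([^/]+)$}, "find", ["*"])

# True if the authenticated certname may perform this request under the rule.
def allowed?(rule, certname, http_method, path)
  return false unless http_method == rule.http_method
  m = rule.path.match(path)
  return false unless m
  rule.allows.any? do |pattern|
    next true if pattern == "*"
    # Block form avoids backslash interpretation in the substituted node name.
    pattern.sub("$1") { m[1] } == certname
  end
end

# With the ticket's change the compiled node is the URI key, so this ACL is
# the only thing tying the requested node name to the client certificate.
# Returns the node name to compile, or nil when the request is denied.
def catalog_node(rule, certname, path)
  return nil unless allowed?(rule, certname, "find", path)
  rule.path.match(path)[1]
end

if __FILE__ == $PROGRAM_NAME
  [[STRICT, "web01.domain.com", "/catalog/web01.domain.com"],
   [STRICT, "web01.domain.com", "/catalog/db01.domain.com"],
   [STRICT, "puppet-load.domain.com", "/catalog/db01.domain.com"],
   [PERMISSIVE, "web01.domain.com", "/catalog/db01.domain.com"]].each do |rule, cert, path|
    puts "#{cert} -> #{path}: #{catalog_node(rule, cert, path).inspect}"
  end
end
```

Under the strict rule only the matching certname or one of the two listed hosts gets a catalog for a given node; under the permissive rule any authenticated certificate gets any node's catalog.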
