Issue #7244 has been updated by Jeff McCune.

Matt Wise wrote:
> Although in my case specifically, having the token in the CSR would be nice 
> -- I actually think that nobody else in their right mind would use it. :) I 
> suggest that it's not part of the CSR, but rather just something that gets 
> brought along in the initial auto sign request.

What I'm envisioning, regardless of whether it's in the CSR or not, is the use case of:

<pre>
puppet agent --test --certname=$(uuidgen) --csrtoken=12345
# and
puppet cert --generate --certname=$(uuidgen) --csrtoken=12345
</pre>

Matt, do you still think nobody would use this if "behind the scenes" the CSR 
token were embedded in the CSR itself rather than alongside the CSR in the API 
call?

I think we can largely hide the implementation from the end user.

> (on a side note, I have a separate ticket open asking for the ability to 
> throw some unique, unchangeable data into the certificate. this is for a 
> different purpose, and is still extremely important to me down the road. but 
> this has nothing to do with the initial autosign issue)

Thanks for noting this; I've marked the two tickets as "related" to each other.

-Jeff
----------------------------------------
Feature #7244: Autosign should allow for an external approver
https://projects.puppetlabs.com/issues/7244

Author: Matt Wise
Status: Needs More Information
Priority: Normal
Assignee: Nigel Kersten
Category: 
Target version: 2.7.x
Affected Puppet version: 
Keywords: 
Branch: 


Puppet should allow for the autosign code to point to an external script, 
instead of the autosign.conf file itself, for approval in signing an end-client's 
cert. This method should allow the client to supply a unique bit of "auth" data 
that is passed to the exec script on the master, and validated. If it returns 0, 
sign the code. If not, do not sign.

In this way, I can pass an arbitrary "token" (say it's 12345) through the puppet 
agent to the puppet ca master. The puppet ca master can then run 
"myauthscript.sh -arg 12345". If that script returns 0, puppet can then sign 
the certificate. If not, puppet fails to sign the certificate.
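Jeff's `--csrtoken` sketch above and Matt's "myauthscript.sh -arg 12345" describe the same CA-side hook: a program the CA hands the token (and the requesting certname), which exits 0 to sign and non-zero to refuse. The script below is an illustration of an approver in that shape, added here as an example; it is not Puppet's code, not the ticket's eventual implementation, and makes no claim about the CSR-embedding question the thread is debating. The file paths, the `AUTOSIGN_*` and `PUPPET_CERTNAME` environment variables, the `-arg` calling convention and the sample tokens are all assumed or constructed. Two properties matter on the CA side regardless of how the token travels: a token is consumed on first use, so a leaked or replayed token cannot enroll a second node, and every sign/refuse decision is logged with the certname so enrollments can be audited.

```shell
#!/bin/sh
# Hypothetical external autosign approver in the shape the ticket sketches:
# "myauthscript.sh -arg TOKEN", exit 0 means sign, anything else means refuse.
# Added example, not Puppet's own code; paths and AUTOSIGN_*/PUPPET_CERTNAME
# variable names are assumptions.

TOKEN_FILE="${AUTOSIGN_TOKEN_FILE:-/etc/puppet/autosign-tokens}"      # one unused token per line
LOG_FILE="${AUTOSIGN_LOG_FILE:-/var/log/puppet/autosign-approver.log}"

log() {
    # Append a timestamped decision so every sign/refuse is auditable.
    printf '%s %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$*" >> "$LOG_FILE"
}

# approve CERTNAME TOKEN
#   0 -> token is known and unused; it is consumed so it cannot enroll a second node
#   1 -> refuse (missing, malformed, unknown or already-used token)
approve() {
    certname=$1
    token=$2

    # Accept only the shape of token we issue (alphanumeric, at most 64 chars).
    # Rejecting anything else here also keeps odd input away from grep and the log.
    case $token in
        *[!A-Za-z0-9]*|'') log "REFUSE malformed token certname=$certname"; return 1 ;;
    esac
    if [ "${#token}" -gt 64 ]; then
        log "REFUSE token too long certname=$certname"
        return 1
    fi

    # Exact, whole-line, fixed-string match: "1234" must not match "12345".
    if ! grep -F -x -q -- "$token" "$TOKEN_FILE" 2>/dev/null; then
        log "REFUSE unknown or already-used token certname=$certname"
        return 1
    fi

    # Consume the token by rewriting the store without it. grep -v exits 1 when
    # no lines remain, which is a legitimate "store now empty", so tolerate it.
    tmp="$TOKEN_FILE.tmp.$$"
    grep -F -x -v -- "$token" "$TOKEN_FILE" > "$tmp" || [ $? -eq 1 ]
    mv -- "$tmp" "$TOKEN_FILE"

    log "SIGN certname=$certname"
    return 0
}

# Build a throwaway token store with constructed sample tokens (12345 is the
# ticket's placeholder) so the approver can be exercised off the real CA host.
setup_demo_store() {
    demo_dir=$(mktemp -d)
    TOKEN_FILE="$demo_dir/tokens"
    LOG_FILE="$demo_dir/approver.log"
    printf '%s\n' "12345" "node42token" > "$TOKEN_FILE"
    chmod 600 "$TOKEN_FILE"
}

# Number of tokens still unused in the store (0 when every token is consumed).
remaining_tokens() {
    grep -c . "$TOKEN_FILE" || true
}

if [ "${1:-}" = "-arg" ]; then
    # CLI form from the ticket: myauthscript.sh -arg TOKEN. The certname is
    # assumed to arrive from the CA in $PUPPET_CERTNAME.
    approve "${PUPPET_CERTNAME:-unknown}" "$2"
    exit $?
fi
```

Run as `PUPPET_CERTNAME=web01.example.com ./myauthscript.sh -arg 12345` and check `$?`; a second run with the same token is refused because the first run consumed it. The `-x` and `-F` flags to grep are what make the check an equality test rather than a substring or regex match, which is the difference between "12345" authorising one node and "1" authorising every node whose token contains a 1.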
