Issue #1489 has been updated by Ken Barber.

So a workaround for this issue could be to modify your auth.conf to allow 
writes from all agents, but only reads from the master & dashboard nodes. I 
tested the following auth.conf snippet on my own hosts and it _seems_ to work, 
but I'd love verification.

Obviously this is just a partial snippet, so don't just replace your auth.conf 
with these contents, instead include them in the correct place - before /file 
(at least that's how I think it works :-).

    # ... snip ...

    # Allow everyone to save their file buckets
    path /file_bucket_file
    method save
    allow *

    # Allow dashboard & puppetmaster access
    path /file_bucket_file
    method find, search
    allow dashboard,puppet
    
    # Stop everyone else from restoring files
    path /file_bucket_file
    method find, search
    auth any

    # This _must_ follow the file_bucket_file entries above

    # unconditionally allow access to all files services
    # which means in practice that fileserver.conf will
    # still be used
    path /file
    allow *

    # ... snip ...
----------------------------------------
Feature #1489: More security with remote filebuckets
https://projects.puppetlabs.com/issues/1489#change-60539

Author: Lawrence Ludwig
Status: Accepted
Priority: Low
Assignee: 
Category: fileserving
Target version: Telly
Affected Puppet version: 0.24.4
Keywords: filebucket
Branch: 


Right now the remote filebucket is too limiting. The biggest issue is security 
with files uploaded to puppetmaster's filebucket. In our case different 
clients have access to different VPS instances.  They should not be able to see 
or get info from the puppetmaster.

If using the filebucket setup and storing files, another server/VPS could gain 
access to those stored files.  Meaning the files stored are not tied to the 
server, so only that server can retrieve it from the filebucket.

i.e.

node00 stores a file on the puppetmaster

<pre>
  $ filebucket backup /etc/passwd --server=puppet
  /etc/passwd: 429b225650b912a2ee067b0a4cf1e949
</pre>

node01 can retrieve the file if it knows the md checksum.

<pre>
  $ filebucket restore /tmp/passwd 429b225650b912a2ee067b0a4cf1e949 --server=puppet
</pre>

Granted guessing md checksum is pretty hard, but I'm assuming they can get that 
info from a log file.

This is BAD and the file retrieved could have sensitive information.  I propose 
the filebucket stores also the node the files came from and a possible option 
to allow selected clients to retrieve info not matching their cert.
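
A simplified model of how stanza order decides a request under the auth.conf workaround in the update above, added here as an example; it is not Puppet's code and not from the ticket. It assumes first-applicable-stanza evaluation with prefix path matching, ignores `auth` lines, and uses a constructed request path.

```ruby
# Simplified model (an assumption of this example, not Puppet's own code):
# stanzas are tried top to bottom; one applies when its path is a prefix of the
# request path and its method list, if any, names the request method.
Stanza = Struct.new(:path, :verbs, :allow)

def parse_auth_conf(text)
  stanzas = []
  text.each_line do |line|
    line = line.sub(/#.*/, '').strip
    next if line.empty?
    key, value = line.split(/\s+/, 2)
    case key
    when 'path'   then stanzas << Stanza.new(value, nil, [])
    when 'method' then stanzas.last.verbs = value.split(/\s*,\s*/)
    when 'allow'  then stanzas.last.allow.concat(value.split(/\s*,\s*/))
    end # 'auth' lines are skipped: every request is treated as authenticated
  end
  stanzas
end

def allowed?(stanzas, node, verb, path)
  rule = stanzas.find do |s|
    path.start_with?(s.path) && (s.verbs.nil? || s.verbs.include?(verb))
  end
  return false unless rule # no applicable stanza: deny
  rule.allow.include?('*') || rule.allow.include?(node)
end

# The file_bucket_file stanzas and the /file stanza from the snippet above.
BUCKET_RULES = <<~CONF
  path /file_bucket_file
  method save
  allow *
  path /file_bucket_file
  method find, search
  allow dashboard,puppet
  path /file_bucket_file
  method find, search
  auth any
CONF
FILE_RULE = "path /file\nallow *\n"
WORKAROUND = parse_auth_conf(BUCKET_RULES + FILE_RULE)
MISORDERED = parse_auth_conf(FILE_RULE + BUCKET_RULES) # /file placed first
# Constructed request path; the checksum is the one quoted in the ticket.
REQ = '/file_bucket_file/md5/429b225650b912a2ee067b0a4cf1e949'
[%w[node00 save], %w[node01 find], %w[dashboard find]].each do |node, verb|
  puts "#{node} #{verb}: #{allowed?(WORKAROUND, node, verb, REQ)}"
end
puts "node01 find, /file first: #{allowed?(MISORDERED, 'node01', 'find', REQ)}"
```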


