Issue #7705 has been updated by Jeff McCune. Status changed from Merged - Pending Release to Accepted Assignee deleted (eric sorenson) Target version deleted (3.0.0)
# Redesign As Patrick mentioned, this ticket is an "umbrella" ticket that describes the need to re-design our authentication system. The commits and merges related to this ticker probably should have been related to some other, more specific ticket. Let's keep this ticket open and accepted and targeting a future version of Puppet with the intent of improving the user facing design of the authorization system. ---------------------------------------- Bug #7705: Overhauling authorization system internals and interface https://projects.puppetlabs.com/issues/7705#change-72607 Author: Nick Fagerlund Status: Accepted Priority: Normal Assignee: Category: security Target version: Affected Puppet version: Keywords: telly_deprecation Branch: https://github.com/puppetlabs/puppet/pull/991 When I've gone to document auth.conf, fileserver.conf, and now autosign.conf, I've run into the same pattern: I interview and get a consensus for how everyone thinks it works, I test it, and it turns out to work a: very differently, and b: non-optimally. (For example, autosign.conf is effectively useless if you're using certnames that don't look exactly like FQDNs.) I'm guessing I'd find something similar if I had any intention of ever documenting namespaceauth.conf. Anyway, I now believe that the authorization code, especially the constellation of stuff surrounding and using Puppet::Network::AuthStore, is badly overcomplicated and at least partly misconceived. Issues stemming from this include the total lack of globbing or patterning in auth.conf (#5777 and #5966), auth.conf being useless for certain valid certnames (#7014, #7589) and otherwise basically assuming certname = DNS name, file parsing errors (#5010), behavior that appears based on misconceptions about how the system works (#7057), and more. This issue is a little nebulous, but I believe we need to figure out where it's necessary to specifically allow nodes to do things, design a flexible and simple underlying representation of these rights, and unify the way we express those rights in config files. (Obviously this can't happen until Telly, at the earliest.) -- You have received this notification because you have either subscribed to it, or are involved in it. To change your notification preferences, please click here: http://projects.puppetlabs.com/my/account -- You received this message because you are subscribed to the Google Groups "Puppet Bugs" group. To post to this group, send email to [email protected]. To unsubscribe from this group, send email to [email protected]. For more options, visit this group at http://groups.google.com/group/puppet-bugs?hl=en.
