Issue #19514 has been updated by Erik Dalén.

This could probably be fixed by having Puppet::Node.merge_facts overwrite the 
certname fact with the real certname.

I for one don't consider overwriting spoofed certnames with real certnames to 
be breaking backwards compatibility.
----------------------------------------
Feature #19514: Provide in scope secured and validated data for use in manifests
https://projects.puppetlabs.com/issues/19514#change-84743

Author: Chris Spence
Status: Needs Decision
Priority: High
Assignee: eric sorenson
Category: node
Target version: 
Affected Puppet version: 
Keywords: facts clientcert node identity
Branch: 


Puppet lacks a secure identifier to identify a node in manifests.  Using facts 
($::clientcert, $::fqdn and $::hostname) is not reliable in that the data can 
be trivially spoofed.  There should therefore be top level scoped data that can 
be used in Hiera or conditionals that is guaranteed to match the CN of the cert 
presented which can then safely be used to return apposite configurations to 
the node.  That data should be generated by the puppet master process itself, 
not importing facts.
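
The overwrite suggested in the comment above, as an added Ruby example that is not part of the original issue and not Puppet's own code. `DemoNode`, `lookup` and all sample data are hypothetical and constructed; the example assumes the master already holds the CN it verified from the agent's certificate.

```ruby
# Added illustration; DemoNode and lookup are hypothetical, not Puppet's code.
class DemoNode
  attr_reader :name, :parameters, :trusted

  # authenticated_cn: the CN the master verified from the agent's certificate.
  def initialize(authenticated_cn)
    @name = authenticated_cn
    @parameters = {}
    # Master-generated identity, kept apart from agent-supplied facts.
    @trusted = { 'certname' => authenticated_cn }.freeze
  end

  # Naive merge: agent-supplied facts are copied in unchanged.
  def merge_facts_naive(facts)
    @parameters = @parameters.merge(facts)
    self
  end

  # Hardened merge: the identity fact is overwritten with the verified CN.
  def merge_facts(facts)
    @parameters = @parameters.merge(facts).merge('clientcert' => @name)
    self
  end
end

# Constructed per-node data, keyed the way a clientcert-based hierarchy would be.
NODE_DATA = {
  'web01.example.com' => { 'role' => 'web' },
  'db01.example.com'  => { 'role' => 'db', 'db_password' => 'constructed-secret' }
}.freeze

def lookup(identity, key)
  NODE_DATA.fetch(identity, {})[key]
end

# Constructed facts: the certificate CN is web01, the facts claim db01.
SPOOFED_FACTS = { 'clientcert' => 'db01.example.com',
                  'fqdn' => 'db01.example.com' }.freeze

def demo
  naive = DemoNode.new('web01.example.com').merge_facts_naive(SPOOFED_FACTS)
  fixed = DemoNode.new('web01.example.com').merge_facts(SPOOFED_FACTS)
  { naive: lookup(naive.parameters['clientcert'], 'db_password'),
    fixed: lookup(fixed.parameters['clientcert'], 'db_password'),
    trusted_role: lookup(fixed.trusted['certname'], 'role'),
    fqdn_after_fix: fixed.parameters['fqdn'] }
end

p demo if __FILE__ == $PROGRAM_NAME
```

Only the identity fact is corrected by the overwrite; `fqdn` is still whatever the agent sent, so lookups keyed on it remain untrusted.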

