Issue #19514 has been updated by Chris Spence.

Assignee changed from Chris Spence to Andrew Parker
Support Urls set to https://github.com/fiddyspence/puppet/commits/feature/master/19514_clientsslcert_inscope

I've gone through the code, and there are two ways of doing this, so I am polling for what you think.

The server facts are merged into the node object using node.merge - this *doesn't* overwrite any client facts so it's not fit for this purpose.

My proposed solution is at https://github.com/fiddyspence/puppet/commits/feature/master/19514_clientsslcert_inscope and I've submitted a pull request. This preserves the existing behaviour of merge, and adds a new method to the node object of merge! (which just blats any existing key, rather than checking for it).

I have a further issue in that the existing behaviour of the merge method isn't great because it allows a node to get there first with server side data - the second solution would be to redo the merge method so that it blats the existing collection like the new merge! - I'm open to opinions as to whether that is the right thing to do, but I think it's a more invasive change.

----------------------------------------
Feature #19514: Provide validated clientcert name variable for use in manifests
https://projects.puppetlabs.com/issues/19514#change-87985

* Author: Chris Spence
* Status: Code Insufficient
* Priority: High
* Assignee: Andrew Parker
* Category: node
* Target version:
* Affected Puppet version:
* Keywords: facts clientcert node identity
* Branch:
----------------------------------------
Puppet lacks a secure identifier to identify a node in manifests. Using facts ($::clientcert, $::fqdn and $::hostname) is not reliable in that the data can be trivially spoofed.

There should therefore be top level scoped data that can be used in Hiera or conditionals that is guaranteed to match the CN of the cert presented which can then safely be used to return apposite configurations to the node. That data should be generated by the puppet master process itself, not importing facts.
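The two merge behaviours discussed in the comment above, as an added Ruby example that is not part of the original message and is not Puppet's code. `SketchNode`, `shadowed_keys`, `clientcert_after` and the sample host names are hypothetical; the example assumes client facts are loaded before server-side data, as the comment describes.

```ruby
# Added illustration; SketchNode is a hypothetical stand-in, not Puppet's Node class.
class SketchNode
  attr_reader :parameters

  def initialize(client_facts)
    # Client-supplied facts arrive first and are untrusted.
    @parameters = client_facts.dup
  end

  # Non-overwriting merge: a key that already exists keeps its current value,
  # so a client fact with the same name shadows the server-side value.
  def merge(params)
    params.each { |k, v| @parameters[k] = v unless @parameters.key?(k) }
    self
  end

  # Overwriting merge: the server-side value replaces any existing key.
  def merge!(params)
    @parameters.merge!(params)
    self
  end
end

# Keys where a client-supplied value disagrees with the server-derived one.
# Useful as a check to log before trusting any merged parameter.
def shadowed_keys(client_facts, server_data)
  server_data.select { |k, v| client_facts.key?(k) && client_facts[k] != v }.keys
end

# Constructed sample data: the agent reports one name, the verified cert CN is another.
CLIENT_FACTS = { "clientcert" => "db01.example.com", "osfamily" => "Debian" }.freeze
SERVER_DATA  = { "clientcert" => "web07.example.com",
                 "servername" => "master.example.com" }.freeze

# Value of "clientcert" seen by manifests after applying the given merge method.
def clientcert_after(method_name)
  SketchNode.new(CLIENT_FACTS).public_send(method_name, SERVER_DATA).parameters["clientcert"]
end

if __FILE__ == $PROGRAM_NAME
  puts "merge   : #{clientcert_after(:merge)}"
  puts "merge!  : #{clientcert_after(:merge!)}"
  puts "shadowed: #{shadowed_keys(CLIENT_FACTS, SERVER_DATA).inspect}"
end
```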
