Issue #19514 has been updated by Nick Fagerlund.
Andy or Eric reminded me about this, this morning!
ONE: I like `trusted['nodename']`! This is a good solution. We need to make
sure Hiera can interpolate hash members, though, since that's a major use case.
TWO: First two members of the hash should be nodename and certname.
I want to make sure this context is in the ticket: When an agent makes a
catalog request, it presents three deathly hallows (lol) that make up
everything the puppet master knows about the node:
- The certificate ("certname")
- The URL of the catalog it's requesting ("node name")
- A hash of facts
Right now we expose only the facts to the parser, and one fact happens to mimic
the certname. We should present all three.
Although node name (the final segment of the requested catalog URL) isn't
necessarily crypto-verified, it's appropriate to put it in the `trusted` hash,
because the user has explicitly decided to trust these requests by changing the
auth.conf rules.
OH, and come to think of it, there's a fourth piece of known info: the IP
address from which the request originated. Dunno if there's a use for that.
----------------------------------------
Feature #19514: Provide validated clientcert name variable for use in manifests
https://projects.puppetlabs.com/issues/19514#change-89126
* Author: Chris Spence
* Status: Code Insufficient
* Priority: High
* Assignee: Andrew Parker
* Category: node
* Target version:
* Affected Puppet version:
* Keywords: facts clientcert node identity customer
* Branch:
----------------------------------------
Puppet lacks a secure identifier to identify a node in manifests. Using facts
($::clientcert, $::fqdn and $::hostname) is not reliable in that the data can
be trivially spoofed. There should therefore be top level scoped data that can
be used in Hiera or conditionals that is guaranteed to match the CN of the cert
presented, which can then safely be used to return apposite configurations to
the node. That data should be generated by the puppet master process itself,
not imported from facts.
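As an added example, not code from Puppet or from anyone in this ticket, the Ruby sketch below simulates the master-side step the description above asks for and the `trusted` hash layout Nick proposes in the comment at the top (certname first, nodename second): the certname is taken from the subject CN of the client certificate that TLS already verified, the nodename from the last segment of the requested catalog URL, and the agent-supplied facts are kept out of the hash entirely. It then shows how a fact-keyed lookup hands a node another node's configuration while a certname-keyed lookup does not. The helper names (`build_trusted`, `certname_from_pem`, `nodename_from_path`, `config_for`, `clientcert_fact_spoofed?`), the self-signed sample certificate, the request path, the fact hash and the per-node config table are all constructed for this illustration and are assumptions, not Puppet's implementation.

```ruby
require 'openssl'

# Hypothetical master-side helpers (added example, not Puppet's own code).
# On a catalog request an agent presents three things: its client certificate,
# the catalog URL, and a hash of facts. Only the certificate has been verified
# cryptographically (by the TLS layer) before this code runs; the URL path and
# the facts are agent-controlled.

# Constructed sample input: a self-signed cert standing in for an agent cert
# issued by the master's CA. The CN is what the CA bound to this agent.
def sample_agent_cert(cn)
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  cert.subject = OpenSSL::X509::Name.new([['CN', cn]])
  cert.issuer = cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  cert.to_pem
end

# Pull the CN out of the verified client certificate's subject.
def certname_from_pem(pem)
  cert = OpenSSL::X509::Certificate.new(pem)
  cn = cert.subject.to_a.find { |name, _value, _type| name == 'CN' }
  raise 'client certificate has no CN' unless cn
  cn[1]
end

# The node name is the final segment of the requested catalog URL path,
# e.g. /production/catalog/web01.example.com -> web01.example.com.
# It is not crypto-verified; it is only as trustworthy as the auth.conf rule
# that let the request through.
def nodename_from_path(path)
  segment = path.split('/').reject(&:empty?).last
  raise "no node name in request path #{path.inspect}" if segment.nil?
  segment
end

# Assemble the trusted hash: certname first, nodename second. Facts are
# deliberately not part of it because the agent chooses their values.
def build_trusted(client_cert_pem, request_path)
  {
    'certname' => certname_from_pem(client_cert_pem),
    'nodename' => nodename_from_path(request_path),
  }
end

# True when the agent's clientcert fact disagrees with the CN the CA signed.
def clientcert_fact_spoofed?(trusted, facts)
  facts['clientcert'] != trusted['certname']
end

# Constructed stand-in for a Hiera hierarchy keyed on node identity.
NODE_CONFIG = {
  'web01.example.com' => 'web-tier-config',
  'db01.example.com'  => 'db-tier-config',
}.freeze

def config_for(identity)
  NODE_CONFIG.fetch(identity, 'default-config')
end

if __FILE__ == $PROGRAM_NAME
  pem = sample_agent_cert('web01.example.com')
  # Constructed: web01 lies in its facts and claims to be db01.
  facts = { 'clientcert' => 'db01.example.com', 'fqdn' => 'db01.example.com' }
  trusted = build_trusted(pem, '/production/catalog/web01.example.com')
  puts "trusted:            #{trusted.inspect}"
  puts "fact spoofed?       #{clientcert_fact_spoofed?(trusted, facts)}"
  puts "config via facts:   #{config_for(facts['clientcert'])}"
  puts "config via trusted: #{config_for(trusted['certname'])}"
end
```

The point of the two `config_for` calls is that the same request yields `db-tier-config` when the lookup key comes from facts and `web-tier-config` when it comes from the certificate; a Hiera hierarchy interpolating the certname member of `trusted` gets the second behaviour for free, which is why the comment above insists that Hiera be able to interpolate hash members.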
--
You received this message because you are subscribed to the Google Groups
"Puppet Bugs" group.