Issue #19514 has been updated by Henrik Lindberg.
Status changed from Merged - Pending Release to Code Insufficient
Target version deleted (3.4.0)
Chris Spence wrote:
> One further comment I have on this approach is about where it touches hiera.
> We don't currently interpolate hashes in hiera.yaml (or at least my testing
> didn't make this work):
>
> :hierarchy:
> - %{trusted['clientcert']}
>
> So the user needs to munge
>
> $trusted['clientcert'] to ${avariablenameofyourchoice} and then use that in
> the hierarchy
The idea is to add it the same way as the `hiera` and `scope` functions - i.e.
`%{trusted('clientcert')}`. I have that working in a branch, but it is not
targeted for the 1.3 hiera release.
----------------------------------------
Feature #19514: Provide validated clientcert name variable for use in manifests
https://projects.puppetlabs.com/issues/19514#change-99309
* Author: Chris Spence
* Status: Code Insufficient
* Priority: High
* Assignee: Andrew Parker
* Category: node
* Target version:
* Affected Puppet version:
* Keywords: facts clientcert node identity
* Branch: https://github.com/puppetlabs/puppet/pull/1991
----------------------------------------
Puppet lacks a secure identifier to identify a node in manifests. Using facts
($::clientcert, $::fqdn and $::hostname) is not reliable in that the data can
be trivially spoofed. There should therefore be top level scoped data that can
be used in Hiera or conditionals that is guaranteed to match the CN of the cert
presented, which can then safely be used to return apposite configurations to
the node. That data should be generated by the puppet master process itself,
not importing facts.
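As an added illustration of the mechanism this issue asks for (example code written for this page, not code from Puppet, Hiera, or the issue participants), the Ruby below does three things on the master side: it derives the `trusted` data solely from the CN of the verified client certificate, it classifies the node from that name while treating a disagreeing `clientcert` fact as a spoofing signal to log, and it resolves both the `%{certname}` munging workaround described in the quoted comment and the `%{trusted('clientcert')}` function form proposed in the reply. The key name `clientcert`, the `trusted()` interpolation syntax, the `ROLE_BY_NODE` table, the node names and the self-signed certificate are all assumptions made for the example.

```ruby
require 'openssl'

# Constructed test fixture: a self-signed client certificate whose subject CN
# is the agent's certname, standing in for the cert the agent presents over
# TLS. The names used with it are invented for this example.
def make_client_cert(certname)
  key  = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2
  cert.serial     = 1
  cert.subject    = OpenSSL::X509::Name.parse("/CN=#{certname}")
  cert.issuer     = cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after  = Time.now + 3600
  cert.sign(key, OpenSSL::Digest::SHA256.new)
  cert
end

# Master side: the only input is the peer certificate that the TLS layer has
# already verified against the CA. Nothing from the request body or the
# agent's facts is consulted, which is what makes the value trustworthy.
# The hash layout ('authenticated', 'clientcert') is an assumption for this
# example, reusing the key name from the issue text.
def trusted_data(peer_cert)
  return { 'authenticated' => false, 'clientcert' => nil } if peer_cert.nil?
  cn_entry = peer_cert.subject.to_a.find { |entry| entry[0] == 'CN' }
  { 'authenticated' => true, 'clientcert' => cn_entry && cn_entry[1] }
end

# Assumed classification table keyed by the trusted certname.
ROLE_BY_NODE = {
  'db01.example.com'  => 'database',
  'web01.example.com' => 'web'
}.freeze

# Classify from the trusted name only; a spoofed $::clientcert fact cannot
# steer this decision. Unauthenticated requests are refused outright.
def classify(trusted)
  raise 'refusing to classify an unauthenticated node' unless trusted['authenticated']
  ROLE_BY_NODE.fetch(trusted['clientcert'], 'default')
end

# Detection hook: facts are still worth comparing against the trusted name,
# because a mismatch means the agent lied about its identity (or is
# misconfigured) and the event should be logged.
def fact_mismatch?(trusted, facts)
  facts['clientcert'] != trusted['clientcert']
end

# Minimal stand-in for hiera.yaml interpolation. It resolves plain %{var}
# against the scope (the munging workaround from the quoted comment) and the
# %{trusted('key')} function form the reply proposes. Illustrative only; this
# is not Hiera's interpolation code.
def interpolate(template, scope, trusted)
  template.gsub(/%\{([^}]*)\}/) do
    expr = Regexp.last_match(1)
    if (fn = expr.match(/\Atrusted\('([^']+)'\)\z/))
      trusted.fetch(fn[1]).to_s
    else
      scope.fetch(expr).to_s
    end
  end
end

if __FILE__ == $PROGRAM_NAME
  trusted = trusted_data(make_client_cert('db01.example.com'))
  # Constructed facts from an agent claiming to be a different node.
  facts = { 'clientcert' => 'web01.example.com', 'fqdn' => 'web01.example.com' }

  puts "trusted:  #{trusted.inspect}"
  puts "role:     #{classify(trusted)}"
  puts "spoofed?  #{fact_mismatch?(trusted, facts)}"
  # Workaround: $certname = $trusted['clientcert'] in a manifest, then %{certname}.
  workaround = interpolate('nodes/%{certname}', { 'certname' => trusted['clientcert'] }, trusted)
  puts "workaround path: #{workaround}"
  # Proposed function form, needing no manifest-side variable.
  puts "function path:   #{interpolate("nodes/%{trusted('clientcert')}", {}, trusted)}"
end
```

The point the example makes is where the identity comes from: `trusted_data` reads the CN off the certificate object the TLS stack validated, and the facts hash never reaches `classify`, so an agent that rewrites `$::clientcert` or `$::fqdn` can at most trip the mismatch check. Note that the `$trusted` hash that later shipped in Puppet exposes the certificate name under the key `certname`, not `clientcert` as used in this issue and in the example.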
--
You received this message because you are subscribed to the Google Groups
"Puppet Bugs" group.