Hi,

When a node wants a catalog it sends the following REST URI:

    GET /environment/catalog/<node name>

But the catalog compiler terminus (see lib/puppet/indirector/catalog/compiler.rb) prefers to trust the given node certname over the one in the URI. This means a given node can only get its own catalog as given in the certificate. This is good for security, even though the default shipped auth.conf already does about the same with:

    path ~ ^/catalog/([^/]+)$
    method find
    allow $1

which only allows the sending node to ask for its own catalog.

The issue is that this forces puppet-load to request only one catalog for all its simulated clients, which is too bad. I plan to add multi-node clients to puppet-load, but for this I need puppet to compile the catalog for the node given in the URI and not the certname. This would allow having only one cert for puppet-load that allows compiling every node:

    path ~ ^/catalog/([^/]+)$
    method find
    allow $1
    allow puppet-load.domain.com

Of course, this is a security issue, but I'm sure puppet-load users are well aware of this and would do the necessary to never run this on production masters.

So, I guess this is a Request for Comment about changing this behavior.

Thanks,
--
Brice Figureau
My Blog: http://www.masterzen.fr/
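To make the two layers of the discussion concrete, here is an added Ruby example (not Puppet's or puppet-load's own code) that models both the auth.conf path rules quoted above and the compiler terminus' choice between the URI node name and the certificate name. It assumes a minimal subset of auth.conf syntax (path ~ regex, method, allow with $1 back-reference), assumes the leading environment segment of the REST URI is stripped before the path rules are matched (consistent with the /environment/catalog/<node> URI being matched by ^/catalog/([^/]+)$), and uses constructed node and cert names; `compile_target` is a hypothetical stand-in for the terminus' decision, with the current certname-trusting behaviour as the default.

```ruby
# Added example: simplified model of Puppet auth.conf catalog rules and of the
# catalog terminus' "which node do I compile for?" decision. Not Puppet code.

AuthRule = Struct.new(:path_regex, :verbs, :allows)

# The default rule quoted in the message: a node may only fetch its own catalog.
DEFAULT_AUTH_CONF = <<~CONF
  path ~ ^/catalog/([^/]+)$
  method find
  allow $1
CONF

# The proposed puppet-load rule: additionally allow one load-generator cert.
PUPPET_LOAD_AUTH_CONF = <<~CONF
  path ~ ^/catalog/([^/]+)$
  method find
  allow $1
  allow puppet-load.domain.com
CONF

# Parse the tiny auth.conf subset used above into AuthRule structs.
def parse_auth_conf(text)
  rules = []
  text.each_line do |raw|
    line = raw.strip
    next if line.empty? || line.start_with?('#')
    case line
    when /\Apath\s+~\s+(.+)\z/
      rules << AuthRule.new(Regexp.new($1), [], [])
    when /\Amethod\s+(.+)\z/
      rules.last.verbs.concat($1.split(/[\s,]+/))
    when /\Aallow\s+(.+)\z/
      rules.last.allows.concat($1.split(/[\s,]+/))
    end
  end
  rules
end

# Assumption: the environment prefix (/production/...) is dropped before the
# auth.conf path regexes are applied, so /production/catalog/web1 -> /catalog/web1.
def strip_environment(uri)
  '/' + uri.split('/').reject(&:empty?).drop(1).join('/')
end

# First matching rule decides; '$1' in an allow entry is replaced by the first
# capture group of the path regex, as in auth.conf. No matching rule => deny.
def authorized?(rules, verb:, uri:, certname:)
  path = strip_environment(uri)
  rules.each do |rule|
    m = rule.path_regex.match(path)
    next unless m
    next unless rule.verbs.empty? || rule.verbs.include?(verb)
    allowed = rule.allows.map { |a| a == '$1' ? m[1] : a }
    return allowed.include?(certname)
  end
  false
end

# Hypothetical model of the terminus decision: today the certname wins
# (trust_uri: false); the message proposes letting the URI node name win.
def compile_target(uri, certname, trust_uri: false)
  uri_node = strip_environment(uri).split('/').last
  trust_uri ? uri_node : certname
end

# Run the full request path: authorization first, then which node gets compiled.
# Returns [authorized, node_compiled_for_or_nil].
def handle_catalog_request(conf_text, uri, certname, trust_uri: false)
  rules = parse_auth_conf(conf_text)
  ok = authorized?(rules, verb: 'find', uri: uri, certname: certname)
  [ok, ok ? compile_target(uri, certname, trust_uri: trust_uri) : nil]
end

if __FILE__ == $PROGRAM_NAME
  p handle_catalog_request(DEFAULT_AUTH_CONF, '/production/catalog/web1', 'web1')
  p handle_catalog_request(DEFAULT_AUTH_CONF, '/production/catalog/web2', 'web1')
  p handle_catalog_request(PUPPET_LOAD_AUTH_CONF, '/production/catalog/web2',
                           'puppet-load.domain.com')
  p handle_catalog_request(PUPPET_LOAD_AUTH_CONF, '/production/catalog/web2',
                           'puppet-load.domain.com', trust_uri: true)
end
```

Running the four cases shows the point of the thread: with the shipped rule only web1 can fetch /catalog/web1; adding the puppet-load cert to the allow list passes authorization for any node's path, yet as long as the terminus trusts the certname the compiled catalog is still puppet-load's own, which is why both the auth.conf change and the terminus change are needed for multi-node load generation, and why the combination is something to keep off production masters.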
