Brice, +1 on this idea as it helps with another use case I have: I'd like my 
monitoring server to be able to request catalogs for clients other than itself. 
This would help make sure that we're not failing catalog compilation for 
classes that might not be included in the monitoring server's node definition. 

On Oct 3, 2010, at 2:02 AM, Brice Figureau wrote:

> Hi,
> 
> When a node wants a catalog it sends the following REST uri:
> 
> GET /environment/catalog/<node name>
> 
> But the catalog compiler terminus (see
> lib/puppet/indirector/catalog/compiler.rb) prefers to trust the given
> node certname over the one in the URI.
> 
> This means a given node can only get its own catalog, as given in the
> certificate.
> This is good for security, even though the default shipped auth.conf
> already does about the same with:
> 
> path ~ ^/catalog/([^/]+)$
> method find
> allow $1
> 
> which only allows the sending node to ask for its own catalog.
> 
> The issue is that this forces puppet-load to request only one catalog
> for all its simulated clients, which is too bad.
> 
> I plan to add multi-node clients to puppet-load, but for this I need
> puppet to compile the catalog for the node given in the URI and not the
> certname. This would allow having only one cert for puppet-load that
> is allowed to compile every node:
> 
> path ~ ^/catalog/([^/]+)$
> method find
> allow $1
> allow puppet-load.domain.com
> 
> Of course, this is a security issue, but I'm sure puppet-load users are
> well aware of this and would do the necessary to never run this on
> production masters.
> 
> So, I guess this is a Request for Comment about changing this behavior.
> Thanks,
> -- 
> Brice Figureau
> My Blog: http://www.masterzen.fr/
> 
> -- 
> You received this message because you are subscribed to the Google Groups 
> "Puppet Developers" group.
> To post to this group, send email to [email protected].
> To unsubscribe from this group, send email to 
> [email protected].
> For more options, visit this group at 
> http://groups.google.com/group/puppet-dev?hl=en.
> 

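To make the two layers in Brice's proposal concrete, here is an added example (mine, not code from the thread or from Puppet itself): a minimal evaluator for auth.conf-style rules that shows why `allow $1` confines a node to its own catalog, what adding `allow puppet-load.domain.com` changes, and the separate switch in the compiler that still has to move from certname to URI node. It assumes the environment segment of the REST URI is stripped before the path is matched (which the quoted rule implies), supports only the `path ~`, `method` and `allow` directives used in the thread, and uses hypothetical certnames such as `web01.domain.com` and `db01.domain.com`.

```ruby
# Added example, not Puppet's own authorization code: a tiny auth.conf-style
# rule evaluator plus a model of the "which node do we compile for?" choice.

# A rule: path regex, allowed REST methods, and the allow list (which may
# contain "$1"-style backreferences into the path regex).
Rule = Struct.new(:path_regex, :verbs, :allow)

# Parse the subset of auth.conf used in the thread: "path ~ <regex>" starts a
# rule; "method a, b" and "allow x" lines attach to the most recent rule.
def parse_auth_conf(text)
  rules = []
  text.each_line do |raw|
    line = raw.strip
    next if line.empty? || line.start_with?('#')
    key, value = line.split(/\s+/, 2)
    case key
    when 'path'
      raise "only 'path ~ <regex>' is supported here: #{line}" unless value.start_with?('~ ')
      rules << Rule.new(Regexp.new(value.sub(/\A~\s+/, '')), [], [])
    when 'method'
      rules.last.verbs.concat(value.split(/\s*,\s*/))
    when 'allow'
      rules.last.allow.concat(value.split(/\s*,\s*/))
    else
      raise "directive not supported in this example: #{key}"
    end
  end
  rules
end

# May `certname` call `verb` on `path`? `path` is the REST path with the
# environment already stripped, e.g. "/catalog/web01.domain.com". The first
# rule whose regex and method match decides; "$N" in an allow entry is replaced
# by capture group N of the path regex, so "allow $1" means "only the node
# named in the URI". No matching rule means deny.
def authorized?(rules, certname, verb, path)
  rules.each do |rule|
    m = rule.path_regex.match(path)
    next unless m && rule.verbs.include?(verb)
    # Inside the gsub block, Regexp.last_match(1) is the digit after "$";
    # `m` is the outer path match, so m[1] is the node name from the URI.
    expanded = rule.allow.map { |a| a.gsub(/\$(\d+)/) { m[Regexp.last_match(1).to_i].to_s } }
    return expanded.include?(certname) || expanded.include?('*')
  end
  false
end

# The second layer from the thread: even when auth.conf permits the request,
# the compiler compiles for the certificate's certname unless it is changed
# to trust the node named in the URI. Modelled as an explicit switch.
def node_to_compile(certname, uri_node, trust_uri: false)
  trust_uri ? uri_node : certname
end

# The default rule quoted in the thread (constructed here as a string).
DEFAULT_AUTH_CONF = <<~'CONF'
  path ~ ^/catalog/([^/]+)$
  method find
  allow $1
CONF

# The widened rule Brice proposes for a puppet-load master.
PUPPET_LOAD_AUTH_CONF = <<~'CONF'
  path ~ ^/catalog/([^/]+)$
  method find
  allow $1
  allow puppet-load.domain.com
CONF

# Run the scenarios and return the decisions so they can be inspected or tested.
def demo
  default = parse_auth_conf(DEFAULT_AUTH_CONF)
  widened = parse_auth_conf(PUPPET_LOAD_AUTH_CONF)
  {
    own_catalog:   authorized?(default, 'web01.domain.com', 'find', '/catalog/web01.domain.com'),
    other_catalog: authorized?(default, 'web01.domain.com', 'find', '/catalog/db01.domain.com'),
    load_default:  authorized?(default, 'puppet-load.domain.com', 'find', '/catalog/db01.domain.com'),
    load_widened:  authorized?(widened, 'puppet-load.domain.com', 'find', '/catalog/db01.domain.com'),
    other_widened: authorized?(widened, 'web01.domain.com', 'find', '/catalog/db01.domain.com'),
    # Authorized, but without the compiler change puppet-load still gets its own catalog.
    compiled_for:  node_to_compile('puppet-load.domain.com', 'db01.domain.com'),
    compiled_for_uri: node_to_compile('puppet-load.domain.com', 'db01.domain.com', trust_uri: true),
  }
end

if __FILE__ == $PROGRAM_NAME
  demo.each { |k, v| puts "#{k}: #{v}" }
end
```

Note what the widened rule does not change: `web01.domain.com` is still denied `db01.domain.com`'s catalog, so the extra `allow` line only grants the named puppet-load certname, and that certname is one credential that can pull every catalog on that master, which is the security trade-off the thread calls out.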