Could you make this behavior a configurable option?

Safe by default and unsafe when explicitly told to be.

Trevor

On 10/03/2010 05:02 AM, Brice Figureau wrote:
> Hi,
>
> When a node wants a catalog it sends the following REST URI:
>
> GET /environment/catalog/<node name>
>
> But the catalog compiler terminus (see
> lib/puppet/indirector/catalog/compiler.rb) prefers to trust the given
> node certname over the one in the URI.
>
> This means a given node can only get its own catalog as given in the
> certificate.
> This is good for security, even though the default shipped auth.conf
> already does about the same with:
>
> path ~ ^/catalog/([^/]+)$
> method find
> allow $1
>
> which only allows the sending node to ask for its own catalog.
>
> The issue is that this forces puppet-load to request only one catalog
> for all its simulated clients, which is too bad.
>
> I plan to add multi-node clients to puppet-load, but for this I need
> puppet to compile the catalog for the node given in the URI and not the
> certname. This would allow having only one cert for puppet-load that
> allows compiling every node:
>
> path ~ ^/catalog/([^/]+)$
> method find
> allow $1
> allow puppet-load.domain.com
>
> Of course, this is a security issue, but I'm sure puppet-load users are
> well aware of this and would do the necessary to never run this on
> production masters.
>
> So, I guess this is a Request for Comment about changing this behavior.
> Thanks,

-- 
Trevor Vaughan
Vice President, Onyx Point, Inc.
email: [email protected]
phone: 410-541-ONYX (6699)
pgp: 0x6C701E94

-- This account not approved for unencrypted sensitive information --
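As an added illustration (this is not code from the thread, from puppet-load, or from Puppet itself), the following Ruby script evaluates auth.conf-style rules of the exact shape quoted above, including the `allow $1` back-reference into the path capture, and then applies the "safe by default" choice Trevor suggests: the compiler uses the certificate's node name unless an explicit `trust_uri_node` option (a hypothetical name, not a real Puppet setting) is turned on. Both rule sets are the ones Brice quotes, embedded here as constructed input. The evaluator is a simplification of Puppet's real auth.conf semantics: the first rule whose path matches decides, the method must match, and anything unmatched is denied.

```ruby
# Constructed input: the default shipped rule quoted in the thread
# (only the node named in the path may fetch the catalog).
DEFAULT_AUTH_CONF = <<~CONF
  path ~ ^/catalog/([^/]+)$
  method find
  allow $1
CONF

# Constructed input: the relaxed rule proposed for puppet-load
# (one extra certname may fetch any node's catalog).
LOAD_TEST_AUTH_CONF = <<~CONF
  path ~ ^/catalog/([^/]+)$
  method find
  allow $1
  allow puppet-load.domain.com
CONF

Rule = Struct.new(:path_regex, :methods, :allow)

# Parse "path", "method" and "allow" stanzas into Rule structs.
# "path ~ <regex>" is a regex path; a plain "path <prefix>" is a literal prefix.
def parse_auth_conf(text)
  rules = []
  current = nil
  text.each_line do |raw|
    line = raw.strip
    next if line.empty? || line.start_with?('#')
    key, value = line.split(/\s+/, 2)
    case key
    when 'path'
      rules << current if current
      regex = if value.start_with?('~')
                Regexp.new(value.sub(/\A~\s*/, ''))
              else
                Regexp.new('\A' + Regexp.escape(value))
              end
      current = Rule.new(regex, [], [])
    when 'method'
      current.methods.concat(value.split(/\s*,\s*/))
    when 'allow'
      current.allow.concat(value.split(/\s*,\s*/))
    end
  end
  rules << current if current
  rules
end

# True if a client presenting +certname+ may perform +method+ on +path+.
# The first rule whose path matches decides; default is deny.
def authorized?(rules, certname, method, path)
  rules.each do |rule|
    m = rule.path_regex.match(path)
    next unless m
    next unless rule.methods.empty? || rule.methods.include?(method)
    # Expand $1, $2, ... from the path captures, as "allow $1" does in auth.conf.
    # Inside the gsub block $1 refers to the gsub match, so the outer MatchData
    # is read through +m+.
    allowed = rule.allow.map { |a| a.gsub(/\$(\d+)/) { m[$1.to_i].to_s } }
    return allowed.include?(certname) || allowed.include?('*')
  end
  false
end

# Decide which node's catalog to compile for a GET /catalog/<uri_node> request.
# Returns nil when auth.conf denies the request. By default (trust_uri_node:
# false) the certificate's name wins, which is the current compiler behavior
# described in the thread; only an explicit opt-in trusts the URI node name.
def compile_target(rules, certname, uri_node, trust_uri_node: false)
  path = "/catalog/#{uri_node}"
  return nil unless authorized?(rules, certname, 'find', path)
  trust_uri_node ? uri_node : certname
end

if __FILE__ == $PROGRAM_NAME
  default = parse_auth_conf(DEFAULT_AUTH_CONF)
  loadtest = parse_auth_conf(LOAD_TEST_AUTH_CONF)
  puts "node1 -> node1 (default):     #{compile_target(default, 'node1', 'node1').inspect}"
  puts "node1 -> node2 (default):     #{compile_target(default, 'node1', 'node2').inspect}"
  puts "puppet-load -> node2, safe:   #{compile_target(loadtest, 'puppet-load.domain.com', 'node2').inspect}"
  puts "puppet-load -> node2, opt-in: #{compile_target(loadtest, 'puppet-load.domain.com', 'node2', trust_uri_node: true).inspect}"
end
```

With the default rule set, a node can only ever obtain its own catalog, and even with the relaxed rule set the load-test certificate still receives its own catalog unless the operator turns the option on; that is the property the "safe by default, unsafe only when explicitly told" suggestion preserves.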
