On 10/4/2010 11:20 AM, Trevor Vaughan wrote:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Could you make this behavior a configurable option?
Safe by default and unsafe when explicitly told to be.
IIUIC the code does only replicate the default settings in auth. Thus
removing the extra check in the code would still leave the default
protection in the auth.conf, but would enable Brice to remove it for his
load testing.
Brice, please correct me if I misunderstood the situation.
Best Regards, David
Trevor
On 10/03/2010 05:02 AM, Brice Figureau wrote:
Hi,
When a node wants a catalog it sends the following REST uri:
GET /environment/catalog/<node name>
But the catalog compiler terminus (see
lib/puppet/indirector/catalog/compiler.rb) prefers to trust the given
node certname over the one in the URI.
This means a given node can only gets its own catalog as given in the
certificate.
This is good for security, even though the default shipped auth.conf
already does about the same with:
path ~ ^/catalog/([^/]+)$
method find
allow $1
which only allows the sending node to ask for its own catalog.
The issue is that this forces puppet-load to request only one catalog
for all its simulated clients, which is too bad.
I plan to add multi-node clients to puppet-load, but for this I need
puppet to compile the catalog for the node given in the URI and not the
certname. This would allow to have only one cert for puppet-load that
allows to compile every node:
path ~ ^/catalog/([^/]+)$
method find
allow $1
allow puppet-load.domain.com
Of course, this is a security issue, but I'm sure puppet-load users are
well aware of this and would do the necessary to never run this on
production masters.
So, I guess this is an Request for Comment about changing this behavior.
Thanks,
- --
Trevor Vaughan
Vice President, Onyx Point, Inc.
email: [email protected]
phone: 410-541-ONYX (6699)
pgp: 0x6C701E94
- -- This account not approved for unencrypted sensitive information --
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
iQEcBAEBAgAGBQJMqZxGAAoJECNCGV1OLcyp7ZwH/Rv9tI7AZttCmEzEd/xiZLs7
qQZpybJfT8F0w3l3f+lkIDxYqkjsfVBe5Aa+MPuy+gb38+N8DTa/D4UYv5YgldgR
hFod0d8SThBtrpUcJIYaBBoLbKtR8Ztd0Ft31vuR6Bk9A7W+TwJtNfdB05tBojTo
KENX5uQ59FgCenkrf67Jmt36sVvM2by+HOzN+9R4IwjXg/DZxqmbu3OaZeEVP1YW
+cjC04jd6xpSSycxwAfNIVY9znuZtlHQDztYE3bfp8tTvciWllFS9qWcFwViNqxE
PjgK8ampzVM7iIPK7sl7mYwwJH6Af1VtQLyNJUJiMMBhYH6j32bW8p3ECL5B6AA=
=IebS
-----END PGP SIGNATURE-----
--
dasz.at OG Tel: +43 (0)664 2602670 Web: http://dasz.at
Klosterneuburg UID: ATU64260999
FB-Nr.: FN 309285 g FB-Gericht: LG Korneuburg
--
You received this message because you are subscribed to the Google Groups "Puppet
Developers" group.
To post to this group, send email to [email protected].
To unsubscribe from this group, send email to
[email protected].
For more options, visit this group at
http://groups.google.com/group/puppet-dev?hl=en.
