On Oct 3, 2010, at 2:02 AM, Brice Figureau wrote:

> Hi,
>
> When a node wants a catalog it sends the following REST uri:
>
> GET /environment/catalog/<node name>
>
> But the catalog compiler terminus (see
> lib/puppet/indirector/catalog/compiler.rb) prefers to trust the given
> node certname over the one in the URI.
>
> This means a given node can only get its own catalog as given in the
> certificate.
> This is good for security, even though the default shipped auth.conf
> already does about the same with:
>
> path ~ ^/catalog/([^/]+)$
> method find
> allow $1
>
> which only allows the sending node to ask for its own catalog.
>
> The issue is that this forces puppet-load to request only one catalog
> for all its simulated clients, which is too bad.
>
> I plan to add multi-node clients to puppet-load, but for this I need
> puppet to compile the catalog for the node given in the URI and not the
> certname. This would allow having only one cert for puppet-load that
> allows compiling every node:
>
> path ~ ^/catalog/([^/]+)$
> method find
> allow $1
> allow puppet-load.domain.com
>
> Of course, this is a security issue, but I'm sure puppet-load users are
> well aware of this and would do the necessary to never run this on
> production masters.
>
> So, I guess this is a Request for Comment about changing this behavior.
I think this is a good idea. As you say, it should be an authorization issue, not a code or configuration issue, and auth.conf already handles that effectively.

Before you submit a patch for it, can you confirm that the default auth.conf configuration does not allow a host to request someone else's catalog? I know it's not supposed to, but it'd be nice to get some manual validation as part of the patch.

Thanks,
Luke

--
Those who speak most of progress measure it by quantity and not by quality. --George Santayana
---------------------------------------------------------------------
Luke Kanies -|- http://puppetlabs.com -|- +1(615)594-8199
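
The validation Luke asks for, as an added example that is not Puppet's own auth code and not from either author: a small Ruby evaluator for the two auth.conf fragments quoted above. It assumes simplified rule semantics (a `path ~` regex, a `method` line, `allow` entries with `$1` replaced by the path's first capture, deny when no rule matches), assumes the environment prefix has already been stripped so the matched path is `/catalog/<node>`, and uses constructed certnames `web01.example.com` and `web02.example.com`.

```ruby
# Added example, not Puppet's own auth code. Simplified semantics assumed:
# `path ~ REGEX`, `method M`, `allow ENTRY` lines; `$1` in an allow entry
# is the first capture of the path match; no matching rule means deny.

# Default shipped rule as quoted in the thread.
DEFAULT_AUTH_CONF = <<~CONF
  path ~ ^/catalog/([^/]+)$
  method find
  allow $1
CONF

# Relaxed rule proposed for puppet-load (hostname as given in the thread).
PUPPET_LOAD_AUTH_CONF = <<~CONF
  path ~ ^/catalog/([^/]+)$
  method find
  allow $1
  allow puppet-load.domain.com
CONF

# Parse a fragment into rule hashes: { path: Regexp, methods: [], allow: [] }.
def parse_auth_conf(text)
  rules = []
  text.each_line do |raw|
    line = raw.strip
    next if line.empty? || line.start_with?('#')
    case line
    when /\Apath\s+~\s+(.+)\z/
      rules << { path: Regexp.new($1), methods: [], allow: [] }
    when /\Amethod\s+(.+)\z/
      rules.last[:methods].concat($1.split(/[\s,]+/)) if rules.last
    when /\Aallow\s+(.+)\z/
      rules.last[:allow].concat($1.split(/[\s,]+/)) if rules.last
    end
  end
  rules
end

# True if `certname` may perform `method` on `path`. The path is assumed to
# already have its environment prefix removed ("/catalog/<node>").
def authorized?(text, method, path, certname)
  parse_auth_conf(text).any? do |rule|
    m = rule[:path].match(path)
    next false unless m && rule[:methods].include?(method)
    rule[:allow].any? { |entry| entry.gsub('$1', m[1].to_s) == certname }
  end
end
```

Under the default fragment only `web01.example.com` can fetch `/catalog/web01.example.com`; under the relaxed fragment `puppet-load.domain.com` can fetch every node's catalog, which is exactly the widening Brice describes.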
