On 05/10/10 15:35, Luke Kanies wrote:
> On Oct 3, 2010, at 2:02 AM, Brice Figureau wrote:
> 
>> Hi,
>>
>> When a node wants a catalog it sends the following REST uri:
>>
>> GET /environment/catalog/<node name>
>>
>> But the catalog compiler terminus (see
>> lib/puppet/indirector/catalog/compiler.rb) prefers to trust the given
>> node certname over the one in the URI.
>>
>> This means a given node can only get its own catalog as given in the
>> certificate.
>> This is good for security, even though the default shipped auth.conf
>> already does about the same with:
>>
>> path ~ ^/catalog/([^/]+)$
>> method find
>> allow $1
>>
>> which only allows the sending node to ask for its own catalog.
>>
>> The issue is that this forces puppet-load to request only one catalog
>> for all its simulated clients, which is too bad.
>>
>> I plan to add multi-node clients to puppet-load, but for this I need
>> puppet to compile the catalog for the node given in the URI and not the
>> certname. This would allow having only one cert for puppet-load that
>> allows to compile every node:
>>
>> path ~ ^/catalog/([^/]+)$
>> method find
>> allow $1
>> allow puppet-load.domain.com
>>
>> Of course, this is a security issue, but I'm sure puppet-load users are
>> well aware of this and would do the necessary to never run this on
>> production masters.
>>
>> So, I guess this is a Request for Comments about changing this behavior.
> 
> I think this is a good idea.  As you say, it should be an authorization
> issue, not a code or configuration issue, and auth.conf already handles
> that effectively.
>
> Before you submit a patch for it, can you confirm that the default auth.conf
> configuration does not allow a host to request someone else's catalog?
> I know it's not supposed to, but it'd be nice to get some manual
> validation as part of the patch.

Yes, both the default shipped auth.conf and the default rule we insert
if there is none are correctly secured.
-- 
Brice Figureau
My Blog: http://www.masterzen.fr/

-- 
You received this message because you are subscribed to the Google Groups 
"Puppet Developers" group.
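To make the check Luke asks for above something you can run, here is a simplified model of how auth.conf rules of the kind quoted in the thread are evaluated. It is an added example, not Puppet's own code: it handles only the three directives shown (path ~, method, allow), the certnames web01.example.com and db01.example.com are made up, and it assumes the environment prefix has already been stripped from the request path so that the rule's ^/catalog/ regex applies to it. It shows that the default rule lets a node fetch only the catalog named by its own certname, and that the proposed extra allow line lets the single puppet-load certname fetch any node's catalog while other nodes stay restricted.

```ruby
# Simplified model of Puppet auth.conf rule evaluation (added example, not
# Puppet's code). Only "path ~ <regex>", "method <m>[, <m>]" and
# "allow <name>[, <name>]" are modelled, which is all the thread's rules use.

Rule = Struct.new(:path_regex, :verbs, :allows)

# Parse the auth.conf subset described above into an ordered list of rules.
def parse_auth_conf(text)
  rules = []
  current = nil
  text.each_line do |raw|
    line = raw.sub(/#.*/, '').strip
    next if line.empty?
    directive, rest = line.split(/\s+/, 2)
    case directive
    when 'path'
      # Only the regex form is modelled; prefix matching ("path /catalog") is not.
      raise "only 'path ~ regex' is modelled: #{line}" unless rest.to_s.start_with?('~')
      current = Rule.new(Regexp.new(rest.sub(/\A~\s*/, '')), [], [])
      rules << current
    when 'method'
      current.verbs.concat(rest.split(/\s*,\s*/))
    when 'allow'
      current.allows.concat(rest.split(/\s*,\s*/))
    else
      raise "unsupported directive in this model: #{directive}"
    end
  end
  rules
end

# Decide whether `certname` may perform `verb` on `path`. The first rule whose
# path regex matches and whose method list admits the verb decides. "$1" in an
# allow entry is replaced by the first capture group of the path regex; this is
# what ties "allow $1" to the node name in /catalog/<node name>.
def authorized?(rules, path, verb, certname)
  rules.each do |rule|
    m = rule.path_regex.match(path)
    next unless m
    next unless rule.verbs.empty? || rule.verbs.include?(verb)
    return rule.allows.any? do |entry|
      entry == '*' || certname == entry.gsub('$1', m[1].to_s)
    end
  end
  false # no matching rule: deny
end

# The default catalog rule as quoted in the thread.
DEFAULT_CATALOG_RULE = <<~CONF
  path ~ ^/catalog/([^/]+)$
  method find
  allow $1
CONF

# The thread's proposed rule for a puppet-load master (hostname taken from the
# thread; everything else here is constructed for the example).
PUPPET_LOAD_RULE = <<~CONF
  path ~ ^/catalog/([^/]+)$
  method find
  allow $1
  allow puppet-load.domain.com
CONF

# Default rule: a node may fetch its own catalog but not another node's.
def default_denies_other_catalogs?
  rules = parse_auth_conf(DEFAULT_CATALOG_RULE)
  own   = authorized?(rules, '/catalog/web01.example.com', 'find', 'web01.example.com')
  other = authorized?(rules, '/catalog/db01.example.com',  'find', 'web01.example.com')
  own && !other
end

# Proposed rule: puppet-load may fetch any catalog; ordinary nodes still may not.
def puppet_load_allows_any_catalog?
  rules = parse_auth_conf(PUPPET_LOAD_RULE)
  load_ok  = authorized?(rules, '/catalog/db01.example.com', 'find', 'puppet-load.domain.com')
  other_no = !authorized?(rules, '/catalog/db01.example.com', 'find', 'web01.example.com')
  load_ok && other_no
end

if __FILE__ == $PROGRAM_NAME
  puts "default rule restricts nodes to their own catalog: #{default_denies_other_catalogs?}"
  puts "puppet-load rule opens every catalog to puppet-load only: #{puppet_load_allows_any_catalog?}"
end
```

Note that the model enforces only the auth.conf layer. As Brice points out, the compiler terminus independently substitutes the certificate's name for the one in the URI, so with current code the second rule would be accepted by auth.conf and the request would still compile puppet-load's own catalog; the proposed change is what makes the allow line meaningful, which is why it must never reach a production master.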