Brice, this does allow you to do what you want, but for some reason it breaks security. You say:
This is safe because the default auth.conf (and default inserted rules when no auth.conf is present) only allow the given connected node to compile its own catalog. However, when I tested this with the default auth.conf I was able to get catalogs other than the one for the connecting node. Not sure why. Without the patch: err: Forbidden request: localhost(127.0.0.1) access to /catalog/othernodename [find] at line 93 On Sat, Oct 16, 2010 at 7:59 AM, Brice Figureau <[email protected]> wrote: > This is a behavior change. Before this patch, we always used the currently > connected node's certname to compile the catalog, despite the value of > the catalog URI REST request. > With this patch we now use the URI as the compiled node name. > > This is safe because the default auth.conf (and default inserted rules > when no auth.conf is present) only allow the given connected node to > compile its own catalog. > > But this also allows for greater flexibility with auth.conf. For instance > it can be used by a monitoring system to check multiple nodes catalogs > with only one certificate: > > path ~ ^/catalog/([^/]+)$ > method find > allow $1 > allow monitoring-station.domain.com > > Signed-off-by: Brice Figureau <[email protected]> > --- > lib/puppet/indirector/catalog/compiler.rb | 12 ++++++++---- > spec/unit/indirector/catalog/compiler_spec.rb | 17 +++++++++-------- > 2 files changed, 17 insertions(+), 12 deletions(-) > > diff --git a/lib/puppet/indirector/catalog/compiler.rb > b/lib/puppet/indirector/catalog/compiler.rb > index c50022f..6375e80 100644 > --- a/lib/puppet/indirector/catalog/compiler.rb > +++ b/lib/puppet/indirector/catalog/compiler.rb 
> @@ -107,10 +107,14 @@ class Puppet::Resource::Catalog::Compiler < > Puppet::Indirector::Code > return node > end > > - # If the request is authenticated, then the 'node' info will > - # be available; if not, then we use the passed-in key. We rely > - # on our authorization system to determine whether this is allowed. > - name = request.node || request.key > + # We rely on our authorization system to determine whether the connected > + # node is allowed to compile the catalog's node referenced by key. > + # By default the REST authorization system makes sure only the connected > node > + # can compile his catalog. > + # This allows for instance monitoring systems or puppet-load to check > several > + # node's catalog with only one certificate and a modification to > auth.conf > + # If no key is provided we can only compile the currently connected node. > + name = request.key || request.node > if node = find_node(name) > return node > end > diff --git a/spec/unit/indirector/catalog/compiler_spec.rb > b/spec/unit/indirector/catalog/compiler_spec.rb > index 2ae5f6f..6c950b6 100755 > --- a/spec/unit/indirector/catalog/compiler_spec.rb > +++ b/spec/unit/indirector/catalog/compiler_spec.rb > @@ -6,6 +6,7 @@ > require File.dirname(__FILE__) + '/../../../spec_helper' > > require 'puppet/indirector/catalog/compiler' > +require 'puppet/rails' > > describe Puppet::Resource::Catalog::Compiler do > before do 
> @@ -33,8 +34,8 @@ describe Puppet::Resource::Catalog::Compiler do > Puppet::Node.stubs(:find).with('node1').returns(node1) > Puppet::Node.stubs(:find).with('node2').returns(node2) > > - compiler.find(stub('request', :node => 'node1', :options => {})) > - compiler.find(stub('node2request', :node => 'node2', :options => {})) > + compiler.find(stub('request', :key => 'node1', :node => 'node1', > :options => {})) > + compiler.find(stub('node2request', :key => 'node2', :node => 'node2', > :options => {})) > end > > it "should provide a method for determining if the catalog is networked" > do > @@ -70,7 +71,7 @@ describe Puppet::Resource::Catalog::Compiler do > @node = Puppet::Node.new @name > @node.stubs(:merge) > Puppet::Node.stubs(:find).returns @node > - �...@request = stub 'request', :key => "does not matter", :node => > @name, :options => {} > + �...@request = stub 'request', :key => @name, :node => @name, :options > => {} > end > > it "should directly use provided nodes" do > @@ -80,14 +81,14 @@ describe Puppet::Resource::Catalog::Compiler do > @compiler.find(@request) > end > > - it "should use the request's node name if no explicit node is provided" > do > + it "should use the authenticated node name if no request key is > provided" do > + �[email protected](:key).returns(nil) > Puppet::Node.expects(:find).with(@name).returns(@node) > @compiler.expects(:compile).with(@node) > @compiler.find(@request) > end > > - it "should use the provided node name if no explicit node is provided > and no authenticated node information is available" do > - �[email protected](:node).returns nil > + it "should use the provided node name by default" do > @request.expects(:key).returns "my_node" > > Puppet::Node.expects(:find).with("my_node").returns @node 
> @@ -198,7 +199,7 @@ describe Puppet::Resource::Catalog::Compiler do > @compiler = Puppet::Resource::Catalog::Compiler.new > @name = "me" > @node = mock 'node' > - �...@request = stub 'request', :node => @name, :options => {} > + �...@request = stub 'request', :key => @name, :options => {} > @compiler.stubs(:compile) > end > > @@ -217,7 +218,7 @@ describe Puppet::Resource::Catalog::Compiler do > @compiler = Puppet::Resource::Catalog::Compiler.new > @name = "me" > @node = mock 'node' > - �...@request = stub 'request', :node => @name, :options => {} > + �...@request = stub 'request', :key => @name, :options => {} > @compiler.stubs(:compile) > Puppet::Node.stubs(:find).with(@name).returns(@node) > end > -- > 1.7.2.1 > > -- > You received this message because you are subscribed to the Google Groups > "Puppet Developers" group. > To post to this group, send email to [email protected]. > To unsubscribe from this group, send email to > [email protected]. > For more options, visit this group at > http://groups.google.com/group/puppet-dev?hl=en.
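Review bot: In the compiler.rb hunk, swapping `name = request.node || request.key` for `name = request.key || request.node` moves the decision of whose catalog gets compiled from the authenticated certname to the client-supplied URI, so auth.conf becomes the only control preventing one node from compiling another node's catalog. The new comment states that the default rules enforce this, but the test reported at the top of this thread (other nodes' catalogs retrievable with the default auth.conf) contradicts that, so the claim needs to be confirmed against the actual authorization path before this lands; until then, prefer to honour a key that differs from `request.node` only when the request is authenticated and authorized for that node, and log the deviation so it is auditable. Minor: "can compile his catalog" should read "its catalog".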
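Review bot: The `require 'puppet/rails'` added at the top of compiler_spec.rb is not mentioned in the commit message and nothing else in the diff touches Rails or storeconfigs; if the spec needs it in order to load, say so in the message or in a comment next to the require, otherwise drop it or split it into its own commit.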
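Review bot: In the @@ -80 spec hunk, the removed test was the only one that stubbed `request.node` to nil, and its replacement "should use the provided node name by default" sets both key and node; together with the new "if no request key is provided" test this leaves the case where neither key nor node is present unspecified, where `request.key || request.node` yields nil and `find_node(nil)` is called. Add a test pinning down the expected behaviour for that case (an explicit error rather than a nil lookup).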
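As an added illustration (not Puppet's code and not part of this thread): a simplified Ruby model of the auth.conf rule quoted in the commit message together with the before/after name precedence from the compiler hunk, showing which certname/URI pairs the rule admits and which catalog each version of the code would compile. The rule evaluator, the certnames web01 and db01, and the function names are constructed for this example and are not Puppet's real auth.conf implementation.

```ruby
# Simplified model (constructed for this example) of the auth.conf rule:
#   path ~ ^/catalog/([^/]+)$
#   method find
#   allow $1
#   allow monitoring-station.domain.com
# Only "path ~ regex", "method" and literal/"$N" allow entries are modelled.
CATALOG_RULE = {
  path:   %r{^/catalog/([^/]+)$},
  method: "find",
  allow:  ["$1", "monitoring-station.domain.com"],
}.freeze

# True if the connected +certname+ may perform +meth+ on +uri+ under +rule+.
# "$1" in an allow entry is replaced by the first capture group of the path
# regex, which is what ties the allowed certname to the node name in the URI.
def allowed?(rule, certname, meth, uri)
  return false unless meth == rule[:method]
  m = rule[:path].match(uri)
  return false unless m
  rule[:allow].any? do |entry|
    expanded = entry.gsub(/\$(\d+)/) { m[$1.to_i] }
    expanded == certname
  end
end

# Name of the node whose catalog gets compiled, given the authenticated
# certname (request.node) and the node name from the URI (request.key).
def compiled_node_before(node, key)  # pre-patch precedence
  node || key
end

def compiled_node_after(node, key)   # post-patch precedence
  key || node
end

# Worked cases (certnames constructed for the example):
#  - web01 asking for /catalog/web01 passes the rule via "$1".
#  - web01 asking for /catalog/db01 fails the rule; with the post-patch code
#    the only thing stopping db01's catalog from being compiled is that check.
#  - the monitoring station asking for /catalog/db01 passes via the literal
#    allow, and only the post-patch code actually compiles db01 rather than
#    the monitoring station's own catalog.
if __FILE__ == $PROGRAM_NAME
  [["web01", "/catalog/web01"], ["web01", "/catalog/db01"],
   ["monitoring-station.domain.com", "/catalog/db01"]].each do |cert, uri|
    key = CATALOG_RULE[:path].match(uri)[1]
    puts "#{cert} #{uri}: allowed=#{allowed?(CATALOG_RULE, cert, 'find', uri)} " \
         "before=#{compiled_node_before(cert, key)} after=#{compiled_node_after(cert, key)}"
  end
end
```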
