Hi Matt,

On Mon, 2010-10-25 at 16:25 -0700, Matt Robinson wrote:
> Brice, this does allow you to do what you want, but for some reason it
> breaks security. You say:
>
> This is safe because the default auth.conf (and default inserted rules
> when no auth.conf is present) only allow the given connected node to
> compile its own catalog.
>
> However, when I tested this with the default auth.conf I was able to
> get catalogs other than the one for the connecting node. Not sure
> why. Without the patch:
>
> err: Forbidden request: localhost(127.0.0.1) access to
> /catalog/othernodename [find] at line 93

This is strange because this authorization check is done way before the catalog compilation terminus is involved (where my modification is).

Something I don't get is your above error message:
* it says your node is _not_ authenticated, why is that?
* it gives the default deny catch-all as the rule that triggered

When I'm trying with the default auth.conf on my branch, here's what I get (this is with puppet-load, but that shouldn't matter):

err: Forbidden request: puppet-load.domain.com(127.0.1.1) access to /catalog/corp.domain.com [find] authenticated at line 52

You can see that my node was authenticated, and that the catalog ACL rule triggered.

So I did a manual test (i.e. openssl s_client) pretending to be unauthenticated and was still not able to access any catalogs (with default auth.conf or without). Then I tried being authenticated, requesting a catalog for a different node, and wasn't able to get one either (with the default auth.conf or without).

How did you perform your tests? Was it with a real puppetd (in which case, how did you instruct it to require a catalog for another host)? Can you describe your test setup?

All my tests were done with a nginx+mongrel setup, and repeated under webrick.
-- 
Brice Figureau
Follow the latest Puppet Community evolutions on www.planetpuppet.org!
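Added illustration, not code from this thread or from Puppet itself: a small Python model of auth.conf-style ACL evaluation that reproduces the two denials quoted above (an unauthenticated request falling through to the catch-all, and an authenticated node being refused another node's catalog). The rule shape, the `$1` backreference semantics and the line numbers 52 and 93 are assumptions chosen to mirror the error messages in the thread.

```python
import re

# Constructed rules modelled on the default catalog ACL the thread describes:
# a node may only `find` its own catalog, everything else hits a deny-all.
# Line numbers are assumed to match the "at line N" in the quoted errors.
RULES = [
    {"line": 52, "path": re.compile(r"^/catalog/([^/]+)$"),
     "methods": {"find"}, "auth": "yes", "allow": ["$1"]},
    {"line": 93, "path": re.compile(r"^/"),
     "methods": None, "auth": "any", "allow": []},   # catch-all: deny
]


def check(node, authenticated, method, path, rules=RULES):
    """Return (allowed, rule_line) for the first rule whose path, method and
    auth requirement match; (False, None) if no rule matches at all."""
    for rule in rules:
        m = rule["path"].match(path)
        if not m:
            continue
        if rule["methods"] is not None and method not in rule["methods"]:
            continue
        if rule["auth"] == "yes" and not authenticated:
            continue  # auth-only rules are skipped for unauthenticated requests
        # Expand `$1` against the first capture group (the catalog's node name).
        group1 = m.group(1) if m.groups() else ""
        allowed = {a.replace("$1", group1) for a in rule["allow"]}
        ok = "*" in allowed or (authenticated and node in allowed)
        return ok, rule["line"]
    return False, None


def denial_message(node, ip, authenticated, method, path):
    """Format a refusal the way the thread's log lines read, or None if allowed."""
    ok, line = check(node, authenticated, method, path)
    if ok:
        return None
    auth = " authenticated" if authenticated else ""
    return f"err: Forbidden request: {node}({ip}) access to {path} [{method}]{auth} at line {line}"


if __name__ == "__main__":
    print(denial_message("localhost", "127.0.0.1", False, "find", "/catalog/othernodename"))
    print(denial_message("puppet-load.domain.com", "127.0.1.1", True, "find", "/catalog/corp.domain.com"))
    print(denial_message("corp.domain.com", "127.0.1.1", True, "find", "/catalog/corp.domain.com"))
```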
