Brice,

Thanks for your contribution. Matt Robinson and I looked your patch over, and have a few comments. I like the idea, and the code is reasonable, but we'd like to see another example auth plugin, using this new system. Without that, it's hard to design a suitable authentication API.

Additionally, we spent about an hour trying to implement a "none" authentication type, and ran into several problems. We weren't sure which methods we needed to implement, so we just copied what the SSL system implemented and adjusted them to suit our needs. We'd like to spend more time figuring out how to make this work, but it's not a high priority right now. It would be nice to have a simple alternate authentication system (even a "none" system like we tried to write) which would help motivate these changes. That would also help figure out the API, since other authentication systems may not necessarily have the same logical setup steps that SSL does.

Nick Lewis

On Sat, Nov 20, 2010 at 8:58 AM, Brice Figureau <[email protected]> wrote:
> Hi,
>
> I'm proposing here an experimental refactoring that aims to bring
> a plugin system for authenticating puppet master and agent.
>
> For the moment, I just extracted the SSL bits of the master, the
> agent, the network http client, and the various web servers we support.
> It is very rough and experimental. For instance I didn't test mongrel
> nor rack. It's not yet clear for the moment how people can add their own
> auth plugin (besides dropping the files in the correct folders).
>
> The chosen auth plugin used is controlled by the $auth puppet settings
> which defaults to "ssl" of course.
>
> I didn't implement any new authentication system, but adding more
> (especially the 'no security' one) should be relatively easy. As I said
> elsewhere/before, I won't provide myself the "no security" plugin.
>
> I see this work more as the foundations on which some other people will
> implement newer systems like kerberos or Radius (which BTW might need more
> hooks in the system).
>
> Please review, comment and propose changes, both on the ruby side
> and on the feature set.
>
> The full patchset is available in my github repository:
> https://github.com/masterzen/puppet/tree/feature/master/3958
>
> Thanks!
> Brice
>
> Brice Figureau (8):
>   Pluggable authentication system
>   Refactor ssl part of the agent and client http setup
>   Refactor master SSL setup to the ssl auth plugin
>   Inject the correct network handler auth plugin
>   Move resolve_node to Puppet::Auth::Handler
>   Convert webrick network handler to the plugable auth system
>   Convert the mongrel rest handler to the plugable auth system
>   Convert the rack rest handler to the plugable auth system.
>
>  lib/puppet/application/agent.rb             |   12 +--
>  lib/puppet/application/master.rb            |   19 +---
>  lib/puppet/auth.rb                          |   53 ++++++++++
>  lib/puppet/auth/client.rb                   |    3 +
>  lib/puppet/auth/client/ssl.rb               |   36 +++++++
>  lib/puppet/auth/handler.rb                  |   19 ++++
>  lib/puppet/auth/handler/mongrel/ssl.rb      |   17 +++
>  lib/puppet/auth/handler/rack/ssl.rb         |   18 ++++
>  lib/puppet/auth/handler/webrick/ssl.rb      |   39 +++++++
>  lib/puppet/auth/server.rb                   |    3 +
>  lib/puppet/auth/server/ssl.rb               |   23 ++++
>  lib/puppet/defaults.rb                      |    1 +
>  lib/puppet/network/http/handler.rb          |   12 --
>  lib/puppet/network/http/mongrel/rest.rb     |   13 +--
>  lib/puppet/network/http/rack/rest.rb        |   12 +--
>  lib/puppet/network/http/webrick.rb          |   26 +-----
>  lib/puppet/network/http/webrick/rest.rb     |    9 +--
>  lib/puppet/network/http_pool.rb             |   19 +---
>  spec/unit/application/agent_spec.rb         |   53 +---------
>  spec/unit/application/master_spec.rb        |   63 ++----------
>  spec/unit/auth/client/ssl_spec.rb           |  146 +++++++++++++++++++++++++++
>  spec/unit/auth/handler/mongrel/ssl_spec.rb  |   57 +++++++++++
>  spec/unit/auth/handler/rack/ssl_spec.rb     |   70 +++++++++++++
>  spec/unit/auth/handler/webrick/ssl_spec.rb  |  107 ++++++++++++++++++++
>  spec/unit/auth/handler_spec.rb              |   54 ++++++++++
>  spec/unit/auth/server/ssl_spec.rb           |   73 +++++++++++++
>  spec/unit/auth_spec.rb                      |   83 +++++++++++++++
>  spec/unit/network/http/handler_spec.rb      |   20 ----
>  spec/unit/network/http/mongrel/rest_spec.rb |   56 ++---------
>  spec/unit/network/http/rack/rest_spec.rb    |   65 ++----------
>  spec/unit/network/http/webrick/rest_spec.rb |   34 +++----
>  spec/unit/network/http/webrick_spec.rb      |   75 ++------------
>  spec/unit/network/http_pool_spec.rb         |   95 +----------------
>  33 files changed, 876 insertions(+), 509 deletions(-)
>  create mode 100644 lib/puppet/auth.rb
>  create mode 100644 lib/puppet/auth/client.rb
>  create mode 100644 lib/puppet/auth/client/ssl.rb
>  create mode 100644 lib/puppet/auth/handler.rb
>  create mode 100644 lib/puppet/auth/handler/mongrel/ssl.rb
>  create mode 100644 lib/puppet/auth/handler/rack/ssl.rb
>  create mode 100644 lib/puppet/auth/handler/webrick/ssl.rb
>  create mode 100644 lib/puppet/auth/server.rb
>  create mode 100644 lib/puppet/auth/server/ssl.rb
>  create mode 100644 spec/unit/auth/client/ssl_spec.rb
>  create mode 100644 spec/unit/auth/handler/mongrel/ssl_spec.rb
>  create mode 100644 spec/unit/auth/handler/rack/ssl_spec.rb
>  create mode 100644 spec/unit/auth/handler/webrick/ssl_spec.rb
>  create mode 100644 spec/unit/auth/handler_spec.rb
>  create mode 100644 spec/unit/auth/server/ssl_spec.rb
>  create mode 100644 spec/unit/auth_spec.rb
>
> --
> 1.7.2.1
>
> --
> You received this message because you are subscribed to the Google Groups "Puppet Developers" group.
> To post to this group, send email to [email protected].
> To unsubscribe from this group, send email to [email protected].
> For more options, visit this group at http://groups.google.com/group/puppet-dev?hl=en.
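
Added example, not part of the thread and not code from the patchset or from Puppet: a sketch of a settings-selected auth plugin registry that declares which methods each role (client, server, handler) must implement and fails closed on an unknown plugin name. The module, method names and request keys are all hypothetical assumptions.

```ruby
# Added illustration: every name here is hypothetical, not Puppet's API.
module AuthRegistry
  # Assumed contract: the methods each role of a plugin must provide.
  REQUIRED = {
    client:  [:connection_options],
    server:  [:setup],
    handler: [:client_identity]
  }.freeze

  class UnknownPlugin < StandardError; end
  class IncompletePlugin < StandardError; end

  @plugins = {}

  # Reject a plugin at registration time if any role or method is missing,
  # so the author sees the whole contract in one error message.
  def self.register(name, roles)
    missing = REQUIRED.flat_map do |role, methods|
      impl = roles[role]
      next ["#{role} (role missing)"] if impl.nil?
      methods.reject { |m| impl.respond_to?(m) }.map { |m| "#{role}##{m}" }
    end
    raise IncompletePlugin, "#{name}: #{missing.join(', ')}" unless missing.empty?
    @plugins[name.to_s] = roles.freeze
  end

  # Fail closed: an unknown setting value never falls back to another plugin.
  def self.fetch(name = 'ssl')
    @plugins.fetch(name.to_s) { raise UnknownPlugin, "no auth plugin #{name.inspect}" }
  end
end

# Constructed stand-ins for an "ssl"-style plugin. The handler trusts a name
# only when the web server reports that the client certificate verified.
SslHandler = Object.new
def SslHandler.client_identity(req)
  ok = req[:verify] == 'SUCCESS' && !req[:subject_cn].to_s.empty?
  { name: ok ? req[:subject_cn] : nil, authenticated: ok }
end
SslClient = Object.new
def SslClient.connection_options
  { use_ssl: true, verify_peer: true }
end
SslServer = Object.new
def SslServer.setup
  :certificates_loaded
end

AuthRegistry.register('ssl', client: SslClient, server: SslServer, handler: SslHandler)
```
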
