On Apr 19, 2011, at 2:06 PM, Daniel Pittman wrote:

> On Tue, Apr 19, 2011 at 12:52, Nigel Kersten <[email protected]> wrote:
>
>> If you add a rule like this to puppet 2.7.0rc1 in auth.conf
>>
>> path ~ ^/node/([^/]+)$
>> method find
>> allow $1
>>
>> then nodes are able to find their own node definitions from the master
>> like this:
>>
>> $ puppet node find <certname> --terminus rest --server <servername>
>>
>> This is really useful, as it allows you to do things from the node
>> like find out what environment/classes/parameters an ENC is going to
>> define for you. This would allow us to modify the configurer face to
>> work out what environment you are going to be assigned before you do
>> any pluginsync.
>>
>> Question: Is this an appropriate default ACL to put in place? Are
>> there negative implications?
>
> I can't identify any: there is a theoretical minor information leak,
> in that nodes can now see the input variables that the ENC sets, not
> just the outcome of compiling a catalog with them, but that seems ...
> unlikely to actually present any security or information risk that
> wasn't already present.

Seems like a good move to me.

--
The most likely way for the world to be destroyed, most experts agree,
is by accident. That's where we come in; we're computer professionals.
We cause accidents. --Nathaniel Borenstein
---------------------------------------------------------------------
Luke Kanies -|- http://puppetlabs.com -|- http://about.me/lak
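
A simplified model of how the rule quoted in this thread scopes each node to its own definition, added here as an example; it is not code from the thread or from Puppet. `Rule`, `evaluate`, `run_samples` and the host names are constructed for illustration, and the allow check is assumed to be an exact match against the name in the client's verified certificate (wildcards are not modeled).

```ruby
# Simplified model of one auth.conf ACL entry (not Puppet's implementation).
Rule = Struct.new(:path_re, :methods, :allow)

# The rule from the thread:  path ~ ^/node/([^/]+)$ / method find / allow $1
NODE_RULE = Rule.new(%r{^/node/([^/]+)$}, ["find"], '$1')

# Returns :allow, :deny, or :no_match (the rule does not apply to the request).
# certname is assumed to come from the client's verified certificate,
# never from anything the client puts in the request itself.
def evaluate(rule, path, method, certname)
  m = rule.path_re.match(path)
  return :no_match unless m && rule.methods.include?(method)
  # Replace $N in the allow pattern with the Nth capture from the path,
  # so the only name permitted is the one being requested.
  allowed = rule.allow.gsub(/\$(\d+)/) { m[$1.to_i].to_s }
  allowed == certname ? :allow : :deny
end

# Constructed requests: [path, method, authenticated certname]
SAMPLES = [
  ["/node/web01.example.com",       "find",   "web01.example.com"], # own node
  ["/node/db01.example.com",        "find",   "web01.example.com"], # another node
  ["/node/web01.example.com",       "search", "web01.example.com"], # other method
  ["/node/web01.example.com/extra", "find",   "web01.example.com"], # extra segment
]

def run_samples
  SAMPLES.map { |path, method, cert| evaluate(NODE_RULE, path, method, cert) }
end

if __FILE__ == $0
  run_samples.each_with_index { |r, i| puts "#{SAMPLES[i].inspect} -> #{r}" }
end
```

A `:no_match` result means this rule says nothing about the request, so whether it is permitted depends on the other entries in auth.conf.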
