hi all,

On Monday, 1 July 2013 19:06:07 UTC+2, Dustin J. Mitchell wrote:
>
> On Mon, Jul 1, 2013 at 12:58 PM, Andy Parker <[email protected]> wrote:
> > I would be very concerned if the security system of puppet were based on
> > untrusted information from the agent. Unless we have a bug in this system,
> > which we don't as far as I know, then the security is all based on the CN of
> > the certificate subject. Now, you can write your manifests to rely on a
> > fact, which cannot be trusted and that could be a problem. Short of signing
> > all facts (which I'm not sure how to do in the face of a fact value
> > changing) facts cannot be trusted. There are some that have been floating
> > around at Puppet Labs around getting trusted data into the manifests via the
> > certificate.
> >
> > So the short is: we should be using certificate information for security.
> > This is untrusted data in manifests and so care must still be taken.
>
> The config parameter in question is node_name. Its default is 'cert',
> which uses the DN from the certificate as you say. The other option
> is 'fact'. I seem to recall the default being 'fact' in much older
> versions, but that recollection may be incorrect. At any rate, if
> you're worried, set this parameter explicitly, and of course disable
> autosigning. We also include a check in the manifests that $fqdn =
> $clientcert, so that a host with a valid, trusted cert cannot falsify
> its $fqdn and thereby fool conditionals based on $fqdn.
>
> Dustin
I haven't looked at the actual code, but if I remember correctly the issue had to do with how resources get exported to PuppetDB and how verification gets done: an agent x.com, with a certificate signed by the same CA as y.com, but with a certname fact = y.com, could impersonate the former server's resources in PuppetDB. I cannot tell whether this is true or not; I only know what you guys tell us.

We have indeed noticed a significant improvement in performance, and that's really great!

@Brice, having a last-generation multicore Xeon server with several gigs of RAM and still having issues when multiple agents connect at the same time... we'll see.. so let's just say that escalation in this case is a little expensive ;)

In any case, I just wanted to share my view on that matter with you. Keep up the good work!

evelio

-- 
You received this message because you are subscribed to the Google Groups "Puppet Developers" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
To post to this group, send email to [email protected].
Visit this group at http://groups.google.com/group/puppet-dev.
For more options, visit https://groups.google.com/groups/opt_out.
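A worked configuration for the advice exchanged above (identify nodes by certificate, disable autosigning, and check the self-reported fqdn against the certificate before any conditional or exported resource relies on it). This is an added example written for this page; it is not code from the thread, from Dustin's site, or from Puppet Labs. It assumes a Puppet 3.4 or later master with `trusted_node_data = true`, which populates `$trusted['certname']` from the CN of the client certificate, and it assumes that agents' certnames are their fqdns, as in Dustin's check. Two caveats a practitioner should know: the valid values of the `node_name` setting are `cert` (the default) and `facter`, not `fact`; and in 3.x `$clientcert` is the agent's own `certname` setting as sent in the catalog request, so a `$fqdn == $clientcert` comparison catches misconfiguration but not an agent that deliberately lies about both, which is why the example compares against the certificate-derived value instead. The domain regex, the `role::base` class and the exported `host` resource are placeholders.

```puppet
# /etc/puppet/puppet.conf on the master, shown as a comment because this
# block is a manifest (settings are real Puppet settings; values are the
# hardened choices):
#
#   [master]
#   node_name         = cert    # identity comes from the certificate CN, not a fact
#   autosign          = false   # every CSR is signed by hand (or via a whitelist file)
#   trusted_node_data = true    # Puppet >= 3.4: expose $trusted in manifests
#
# /etc/puppet/manifests/site.pp

# Identity derived from the client certificate by the master. Unlike
# $::fqdn or $::clientcert, an agent cannot change this value without
# presenting a different certificate signed by the CA.
$cert_name = $trusted['certname']

# Refuse to compile a catalog when the self-reported fqdn disagrees with
# the certificate. Conditionals and exported resources keyed on $::fqdn
# can then no longer be steered by a forged fact.
if $::fqdn != $cert_name {
  fail("fqdn fact '${::fqdn}' does not match certificate name '${cert_name}'")
}

# Exported resources: key them on the certificate-derived name so that a
# node cannot export entries on behalf of another host (placeholder
# resource; 'ip' is still a fact and therefore still untrusted data).
@@host { $cert_name:
  ip  => $::ipaddress,
  tag => 'cluster-hosts',
}

node default {
  # Classify on the certificate name, never on a fact. The domain and the
  # class name are placeholders for this example.
  case $cert_name {
    /\.example\.com$/: { include role::base }
    default:           { fail("node ${cert_name} is not known to this master") }
  }
}
```

Compilation fails, rather than silently producing a catalog, whenever the fact and the certificate disagree; on a fleet where certnames are not fqdns, compare against whatever fact you key on instead, or drop the comparison and use `$cert_name` directly everywhere identity matters.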
