On Sunday, October 5, 2014 8:30:32 PM UTC-5, Felix Frank wrote:
>
> We're now looking for feedback on whether apply should get the same
> semantics, for masterless operation.
>
> There are three alternatives here that I can see:
>
> 1. Status quo - ruthlessly override whatever the ENC specifies.
> 2. Flexible - use the ENC environment, but allow overriding it via --env
>    on the commandline
> 3. Strict - always use the ENC environment (except for the overridden
>    :manifest)
>
> We might even go for a 2a, that would allow config files to override the
> ENC as well (if we can easily discern such values from the defaults at
> this point in the code).
>
> Personally, I feel that the strict behavior would be very inconvenient.
> An attacker could likely circumvent the ENC after all, so the security
> aspect doesn't really apply here.
>
> My vote is for the 2nd approach.
>
I am of two minds. Although the security argument is pretty weak in the 'apply' case, the idea that 'apply' should follow the same rules as the agent is pretty appealing to me. On the other hand, the most important question is probably "what do people want to do with the tool"? Were approach (3) selected, I would have great sympathy for hapless admins exclaiming "I know what I'm doing, damnit! Stop getting in my way!"

In fact, I think I've just persuaded myself. I don't think the advantages of option (3) outweigh the value of making 'apply' the most useful tool it can be, which would require providing for convenient environment override. At the same time, I agree that 'apply' should honor the ENC-specific environment by default when there is one. That would appear to put me in the option (2) family of alternatives.

I'm going to think a little more and see what others have to say before I come down on the question of (2) vs. (2a).