I'm working out some security issues here and wanted to throw something out there... I'll be digging in tonight to see whether something like this is possible, so I'd appreciate feedback quickly if anyone happens to know if this is possible. Imagine a scenario where our individual hosts actually tell the puppet server which 'config' they want. This is our environment, and its not changeable. (The short explanation — its done this way because we provision nodes in several clouds where hostnames are not known until after a host has booted). For now, our nodes actually check in and say "I want XYZ class".
I'd like to have our nodes able to do this ONCE ... only when they generate their CSR. After that, I'd like their 'base_class' to be embedded in the CSR (And subsequently the CERT), so that a client cannot later change its mind about what kind of host it is. Essentially I'm thinking the process would be something like this: Client: -) fill in 'base_class' somewhere (puppet.conf?) -) run puppet... host generates private key, and csr, and submits it to the puppet ca master Server: -) process signs CSR and provides Cert back to host (this is automated in our case, but not with autosign.conf) Client: -) begin actual puppet run.. request real configuration Server: -) read 'base_class' from certificate, and fill in $base_class with that data .. Thoughts? Any ideas on a good way to work this out? (my alternative method is going to involve a back-end Amazon SimpleDB script that dumps a nodes base_class into the database the first time ti runs, and then forever-after pulls from SimpleDB to fill in the base_class variable. I dont like this though, as its slow and it adds another service dependency.) -- You received this message because you are subscribed to the Google Groups "Puppet Users" group. To post to this group, send email to [email protected]. To unsubscribe from this group, send email to [email protected]. For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.
