On Tue, Apr 26, 2011 at 4:10 AM, Matt Wise <[email protected]> wrote:
> I'm working out some security issues here and wanted to throw something out 
> there... I'll be digging in tonight to see whether something like this is 
> possible, so I'd appreciate feedback quickly if anyone happens to know if 
> this is possible. Imagine a scenario where our individual hosts actually tell 
> the puppet server which 'config' they want. This is our environment, and it's 
> not changeable. (The short explanation: it's done this way because we 
> provision nodes in several clouds where hostnames are not known until after a 
> host has booted). For now, our nodes actually check in and say "I want XYZ 
> class".
>
> I'd like to have our nodes able to do this ONCE ... only when they generate 
> their CSR. After that, I'd like their 'base_class' to be embedded in the CSR 
> (and subsequently the CERT), so that a client cannot later change its mind 
> about what kind of host it is. Essentially I'm thinking the process would be 
> something like this:
>
> Client:
>  -) fill in 'base_class' somewhere (puppet.conf?)
>  -) run puppet... host generates private key, and csr, and submits it to the 
> puppet ca master
>
> Server:
>  -) process signs CSR and provides Cert back to host (this is automated in 
> our case, but not with autosign.conf)
>
> Client:
>  -) begin actual puppet run... request real configuration
>
> Server:
>  -) read 'base_class' from certificate, and fill in $base_class with that 
> data ..
>
>
> Thoughts? Any ideas on a good way to work this out?


This feels like quite a hack, but I agree with you there's no really
good way for Puppet to do this today.  The agent can set the
environment (puppet environment) it wants, but that doesn't really
give you what you want.

I would normally accomplish this using a custom fact, but you
mentioned this is security related so I see the desire to get the base
class embedded into the certificate data.  Practically speaking, the
certificate cannot be forged once signed.

You can easily change the certificate name in the request using:

puppet agent --certname=my_base_class

But! You're going to run into duplicate certificate names, which will
be a pain to manage.  Better instead, you could prefix each
certificate name with the FQDN, or some other unique identifier and a
character not valid for DNS hostnames:

puppet agent --certname="$(facter fqdn)::my_base_class"

You can then match against this in your puppet manifests or your
External Node Classifier by splitting out the string to the right of
the double colons.

Hope this helps,
-- 
Jeff McCune
Professional Services, Puppet Labs
@0xEFF
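The reply above stops at "split out the string to the right of the double colons". As an added illustration (not code from this thread or from Puppet Labs), here is a small External Node Classifier in Python that does that split. It relies on the documented ENC contract (Puppet runs the script with the node's certname as its only argument and reads YAML with `classes` and `parameters` from stdout); everything else is assumed: the allow-list of base classes, the `quarantine` class a node falls into when its certname is malformed or names a class that was never approved, and the restriction to non-namespaced class names after the `::`. The allow-list is the part that matters for the security goal: the certname is fixed at signing time, but the classifier should still refuse to hand out a role it does not recognise rather than trust whatever string appears there.

```python
#!/usr/bin/env python3
"""Hypothetical Puppet ENC deriving a node's base class from a certname of the
form "<fqdn>::<base_class>", as proposed in the mailing-list reply.

Added example, not part of the original thread. Configure with:
    node_terminus  = exec
    external_nodes = /usr/local/bin/enc.py
"""
import re
import sys

# Constructed allow-list: only these base classes may be requested via a certname.
ALLOWED_BASE_CLASSES = {"webserver", "dbserver", "worker"}

# DNS-style labels separated by dots, then "::", then a plain (non-namespaced) class name.
CERTNAME_RE = re.compile(
    r"^(?P<fqdn>[a-z0-9]([a-z0-9-]*[a-z0-9])?(\.[a-z0-9]([a-z0-9-]*[a-z0-9])?)*)"
    r"::(?P<base_class>[a-z][a-z0-9_]*)$"
)


def split_certname(certname):
    """Return (fqdn, base_class); raise ValueError if the certname is malformed."""
    m = CERTNAME_RE.match(certname)
    if not m:
        raise ValueError("certname %r is not of the form fqdn::base_class" % certname)
    return m.group("fqdn"), m.group("base_class")


def classify(certname):
    """Build the ENC result for a certname.

    Malformed certnames and base classes outside the allow-list get only the
    (assumed) 'quarantine' class, so an unexpected node never receives a real role.
    """
    try:
        fqdn, base_class = split_certname(certname)
    except ValueError:
        return {"classes": ["quarantine"], "parameters": {"certname": certname}}
    if base_class not in ALLOWED_BASE_CLASSES:
        return {"classes": ["quarantine"],
                "parameters": {"certname": certname, "fqdn": fqdn}}
    return {"classes": [base_class],
            "parameters": {"fqdn": fqdn, "base_class": base_class}}


def to_yaml(result):
    """Emit the minimal YAML document Puppet expects from an ENC (no PyYAML needed)."""
    lines = ["---", "classes:"]
    for cls in result["classes"]:
        lines.append("  - %s" % cls)
    lines.append("parameters:")
    for key, value in sorted(result["parameters"].items()):
        lines.append("  %s: %s" % (key, value))
    return "\n".join(lines) + "\n"


def main(argv):
    if len(argv) != 2:
        sys.stderr.write("usage: enc.py <certname>\n")
        return 1
    sys.stdout.write(to_yaml(classify(argv[1])))
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Running `enc.py web01.example.com::webserver` prints a `classes` list containing `webserver` and the parsed `fqdn` as a parameter; a certname with no `::`, or one naming a class not in the allow-list, is classified as `quarantine` instead. Splitting is done with an anchored regular expression rather than a bare string split so that a certname with stray characters or an extra `::` cannot be half-accepted.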
