On Wed, Jun 15, 2011 at 7:58 AM, Luke Bigum <[email protected]> wrote:
> On Jun 15, 1:43 pm, Alexander Fortin <[email protected]> wrote:
> > I've got a doubt and I wasn't able to find documentation about it, so I
> > thought it was time to try out this ML too: I'd like to manage sensitive
> > data like PEM certs (to manage openvpn services for instance) and I'm
> > puzzled by this doubt: is it possible for a client to "steal"
> > information from the master? I mean, can mynode see
> > modules/mymodule/files/mysecretfile even if the node 'mynode' is not
> > including that module?
>
> Yes, I believe you can if you know how, unless it's changed very
> recently. It was discussed a while ago, and if I remember correctly,
> all you need is a valid Puppet certificate to access any "Files" (i.e.
> puppet:///modules/$module_name/foo/bar) in any module, regardless of
> whether the class is included on a node or not.
>
> If you're afraid of that, you could pass your private key file content
> across the wire using 'content' instead of 'source':
>
> file { "/etc/pki/woof.pem":
>   # generate() takes the command and each argument as separate strings
>   content => generate("/bin/cat", "/etc/puppet/private/woof.pem"),
> }
>
> Check the correct format for generate(). That's a terrible idea if the
> catalog gets written to disk anywhere. Can someone confirm?

Only the agents who have been delivered that resource will end up with that
data in their catalog. I should have mentioned this solution as well. Note
too the file() function which lets you simply return the contents of a file
without needing to jump through the hoop of using cat.

--
You received this message because you are subscribed to the Google Groups "Puppet Users" group.
To post to this group, send email to [email protected].
To unsubscribe from this group, send email to [email protected].
For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.
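The two approaches from the thread side by side, as an added example that is not from any of the posters or from the Puppet project; the class name, the /etc/puppet/private directory and the openvpn paths are assumptions.

```puppet
# Added example: keep an OpenVPN private key out of the module fileserver
# and deliver it through the catalog instead.
#
# Weak form (the one the thread warns about): any agent holding a valid
# certificate can request this URL from the master's fileserver whether or
# not its catalog includes this class.
#
#   file { '/etc/openvpn/server.key':
#     source => 'puppet:///modules/openvpn/server.key',
#   }
#
# Hardened form: the secret lives on the master outside every module (path
# is an assumption), so it is not served by puppet:///modules/... at all.
# file() reads it on the master at compile time and embeds the bytes in the
# catalog, so only agents whose catalog contains this resource receive it.
class openvpn::server_key {
  $private_dir = '/etc/puppet/private'   # assumed location on the master

  file { '/etc/openvpn/server.key':
    ensure  => file,
    owner   => 'root',
    group   => 'root',
    mode    => '0600',
    content => file("${private_dir}/openvpn/server.key"),
  }
}
```

As the thread notes, the key is now part of the catalog, so anywhere the catalog is cached or logged on disk also holds it; restrict that storage accordingly.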
