On Friday, October 26, 2012 7:24:18 AM UTC-7, ak0ska wrote: > Hello, > > Is it possible to control from which nodes is it allowed to execute > commands like "replace catalog" and "replace facts", and which nodes can > only do queries (but no changes)? It seems like once someone could access > the service through http or https (depending on jetty.ini settings) can do > both. > > Unfortunately, this isn't currently possible, though it's certainly something we'd like to provide in the future. Currently the only restriction that can be made is a whitelist of certnames which are allowed to talk to the API, for both read and write alike.
Until this is supported by PuppetDB itself, you could use a proxy to allow only certain routes. If we were to add this feature, would it be sufficient to just have "no access", "read access", and "read/write access" as categories, or would you need something more granular than that (for instance, can query metrics but not facts)? -- You received this message because you are subscribed to the Google Groups "Puppet Users" group. To view this discussion on the web visit https://groups.google.com/d/msg/puppet-users/-/6rioj916zpAJ. To post to this group, send email to [email protected]. To unsubscribe from this group, send email to [email protected]. For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.
