We're still just getting familiar with PuppetDB, so at this point it's too early to say how fine grained we need this feature to be. We've already set up a proxy (as you recommended) and this solution suites us for now.
On Friday, October 26, 2012 8:56:26 PM UTC+2, Nick Lewis wrote: > > On Friday, October 26, 2012 7:24:18 AM UTC-7, ak0ska wrote: > >> Hello, >> >> Is it possible to control from which nodes is it allowed to execute >> commands like "replace catalog" and "replace facts", and which nodes can >> only do queries (but no changes)? It seems like once someone could access >> the service through http or https (depending on jetty.ini settings) can do >> both. >> >> > Unfortunately, this isn't currently possible, though it's certainly > something we'd like to provide in the future. Currently the only > restriction that can be made is a whitelist of certnames which are allowed > to talk to the API, for both read and write alike. > > Until this is supported by PuppetDB itself, you could use a proxy to allow > only certain routes. > > If we were to add this feature, would it be sufficient to just have "no > access", "read access", and "read/write access" as categories, or would you > need something more granular than that (for instance, can query metrics but > not facts)? > -- You received this message because you are subscribed to the Google Groups "Puppet Users" group. To view this discussion on the web visit https://groups.google.com/d/msg/puppet-users/-/qXDt2-87I4kJ. To post to this group, send email to [email protected]. To unsubscribe from this group, send email to [email protected]. For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.
