----- Original Message -----
> From: "Sonal Singhal" <[email protected]>
> To: [email protected]
> Sent: Tuesday, March 12, 2013 9:47:41 AM
> Subject: [Puppet Users] Issue with Mcollective on puppet master and agent
>
> Hello guys,
> I have installed Mcollective server on puppet agent and
> Mcollective client and ActiveMQ on puppet master and they are working fine.
> I'm able to ping mcollective servers from mcollective client using *mco ping*.
> But I have one query:
>
> => Since we use the same username and password for stomp on each mcollective
> client (client.cfg) and the same username and password is used on mcollective
> server (server.cfg), there is no security. If we install mcollective
> server on any client (on puppet agent) and use the same username and
> password (Stomp), we can run all mco commands from that node also. So I
> want a secure mechanism so that the username and password should not be shared.
> What can I do for it?

To achieve security you need to configure one of the mcollective security plugins - by default it's using a pre shared key system which is not very secure.

I'd recommend looking at the security overview doc which will give you an overview:

http://docs.puppetlabs.com/mcollective/security.html

And then looking at deploying the following combination:

* Stomp with verified TLS to activemq
* The MCollective SSL security plugin[1]
* Authorization plugin[2] to limit what actions users can perform
* Set up auditing[3] to get logs of actions that were taken by who, perhaps using logstash and our plugin[4]

[1] http://docs.puppetlabs.com/mcollective/reference/plugins/security_ssl.html
[2] http://docs.puppetlabs.com/mcollective/simplerpc/authorization.html
[3] http://docs.puppetlabs.com/mcollective/simplerpc/auditing.html
[4] https://github.com/puppetlabs/mcollective-logstash-audit#readme
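
The four measures listed in the reply can be checked mechanically against a node's server.cfg. The following Ruby lint is an added example, not part of the original thread or of MCollective itself; the configuration key names (`securityprovider`, `rpcauthorization`, `rpcaudit`, `plugin.<connector>.pool.N.ssl`) are assumed from the MCollective 2.x documentation linked above, and the two sample configs are constructed.

```ruby
# Added example, not MCollective code. Key names are assumed from the
# MCollective 2.x documentation; verify them against your version.
TRUTHY = %w[1 true yes y].freeze

# Parse "key = value" lines, skipping blanks and comments.
def parse_cfg(text)
  text.each_line.with_object({}) do |line, cfg|
    line = line.strip
    next if line.empty? || line.start_with?('#')
    key, value = line.split('=', 2)
    cfg[key.strip] = value.strip if value
  end
end

def enabled?(cfg, key)
  TRUTHY.include?(cfg.fetch(key, '').downcase)
end

# Returns findings; an empty list means all four measures are switched on.
# It cannot tell whether TLS peers are actually verified; check CA settings.
def audit_cfg(text)
  cfg = parse_cfg(text)
  findings = []
  hosts = cfg.keys.grep(/\Aplugin\.\w+\.pool\.\d+\.host\z/)
  plain = hosts.reject { |k| enabled?(cfg, k.sub(/host\z/, 'ssl')) }
  findings << "middleware without TLS: #{plain.join(', ')}" unless plain.empty?
  findings << 'securityprovider is psk (shared key)' if cfg.fetch('securityprovider', 'psk') == 'psk'
  findings << 'rpcauthorization is off' unless enabled?(cfg, 'rpcauthorization')
  findings << 'rpcaudit is off' unless enabled?(cfg, 'rpcaudit')
  findings
end

# Constructed sample configs (hostnames and secrets are placeholders).
WEAK = <<~CFG
  plugin.stomp.pool.1.host = broker.example.com
  plugin.stomp.pool.1.user = mcollective
  plugin.stomp.pool.1.password = CHANGEME
  securityprovider = psk
  plugin.psk = CHANGEME
CFG
HARDENED = <<~CFG
  plugin.stomp.pool.1.host = broker.example.com
  plugin.stomp.pool.1.ssl = true
  securityprovider = ssl
  rpcauthorization = 1
  rpcaudit = 1
CFG
puts audit_cfg(WEAK), "hardened findings: #{audit_cfg(HARDENED).length}"
```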
