My biggest concern is that nodes can access other nodes' resources stored in
PuppetDB, which effectively means that parameters like passwords and other
sensitive information are exposed.
If the data is not exported this shouldn't be the case ordinarily.
It actually is the case. For
Thanks Ken. I get your point and it totally makes sense.
On 15 February 2013 15:36, Ken Barber k...@puppetlabs.com wrote:
My biggest concern is that nodes can access other nodes' resources stored in
PuppetDB, which effectively means that parameters like passwords and other
You can specify a whitelist for which nodes are allowed to contact puppetdb
at all (and restrict it to only your puppetmaster), and then just send the
rest of the read queries through the proxy. If you only allow the /v2/nodes
/v2/facts endpoints through the proxy clients can't read for example
My biggest concern is that nodes can access other nodes' resources stored in
PuppetDB, which effectively means that parameters like passwords and other
sensitive information are exposed.
If the data is not exported this shouldn't be the case ordinarily.
Obviously though if your content is
On Thursday, 14 February 2013 16:37:01 UTC, Ken Barber wrote:
My biggest concern is that nodes can access other nodes' resources stored in
PuppetDB, which effectively means that parameters like passwords and other
sensitive information are exposed.
If the data is not exported this
Hi Nick,
My biggest concern is that nodes can access other nodes' resources stored in
PuppetDB, which effectively means that parameters like passwords and other
sensitive information are exposed.
I also wonder if PuppetDB has any sense of environments? What I mean, does
it separate data in
We're still just getting familiar with PuppetDB, so at this point it's too
early to say how fine grained we need this feature to be. We've already set
up a proxy (as you recommended) and this solution suits us for now.
On Friday, October 26, 2012 8:56:26 PM UTC+2, Nick Lewis wrote:
On
On Friday, October 26, 2012 7:24:18 AM UTC-7, ak0ska wrote:
Hello,
Is it possible to control from which nodes it is allowed to execute
commands like replace catalog and replace facts, and which nodes can
only do queries (but no changes)? It seems like once someone could access
the