Re: [Puppet Users] Re: PuppetDB API permissions

2013-02-15 Thread Ken Barber
My biggest concern is that nodes can access other nodes resources stored in PuppetDB, which effectively means that parameters like passwords and other sensitive information is exposed. If the data is not exported this shouldn't be the case ordinarily. It actually is the case. For

Re: [Puppet Users] Re: PuppetDB API permissions

2013-02-15 Thread Vaidas Jablonskis
Thanks Ken. I get your point and it totally makes sense. On 15 February 2013 15:36, Ken Barber k...@puppetlabs.com wrote: My biggest concern is that nodes can access other nodes resources stored in PuppetDB, which effectively means that parameters like passwords and other

Re: [Puppet Users] Re: PuppetDB API permissions

2013-02-14 Thread Erik Dalén
You can specify a whitelist for which nodes are allowed to contact puppetdb at all (and restrict it to only your puppetmaster), and then just send the rest of the read queries through the proxy. If you only allow the /v2/nodes /v2/facts endpoints through the proxy clients can't read for example

Re: [Puppet Users] Re: PuppetDB API permissions

2013-02-14 Thread Ken Barber
My biggest concern is that nodes can access other nodes resources stored in PuppetDB, which effectively means that parameters like passwords and other sensitive information is exposed. If the data is not exported this shouldn't be the case ordinarily. Obviously though if your content is

Re: [Puppet Users] Re: PuppetDB API permissions

2013-02-14 Thread Vaidas Jablonskis
On Thursday, 14 February 2013 16:37:01 UTC, Ken Barber wrote: My biggest concern is that nodes can access other nodes resources stored in PuppetDB, which effectively means that parameters like passwords and other sensitive information is exposed. If the data is not exported this

[Puppet Users] Re: PuppetDB API permissions

2013-02-13 Thread Vaidas Jablonskis
Hi Nick, My biggest concern is that nodes can access other nodes resources stored in PuppetDB, which effectively means that parameters like passwords and other sensitive information is exposed. I also wonder if PuppetDB has any sense of environments? What I mean, does it separate data in

[Puppet Users] Re: PuppetDB API permissions

2012-11-07 Thread ak0ska
We're still just getting familiar with PuppetDB, so at this point it's too early to say how fine grained we need this feature to be. We've already set up a proxy (as you recommended) and this solution suits us for now. On Friday, October 26, 2012 8:56:26 PM UTC+2, Nick Lewis wrote: On

[Puppet Users] Re: PuppetDB API permissions

2012-10-26 Thread Nick Lewis
On Friday, October 26, 2012 7:24:18 AM UTC-7, ak0ska wrote: Hello, Is it possible to control from which nodes is it allowed to execute commands like replace catalog and replace facts, and which nodes can only do queries (but no changes)? It seems like once someone could access the