Project

General

Profile

Actions

Feature #39

closed

Node Authentication

Added by Carl Caum about 15 years ago. Updated about 12 years ago.

Status:
Closed
Priority:
Normal
Assignee:
Category:
External Nodes
Target version:
-
Difficulty:
Triaged:
Fixed in Releases:
Found in Releases:

Description

We need the ability to authenticate nodes before serving an external nodes request. One box should not be allowed to access the parameters and classes of another. Parameters can potentially contain sensitive information.

Actions #1

Updated by Ohad Levy about 15 years ago

Do you mean the external node lookup script, the web interface YAML link or both?

how would you want to restrict it? based on hostnames?

Actions #2

Updated by Carl Caum about 15 years ago

The external node lookup script. I think we should use certs. We could just use puppetca.

What gets tricky is puppetmasterless environments. We'll need some sort of differentiation between puppetmasters and node requests. A puppetmaster should be able to make requests for any node, but a node should only be able to make requests for itself.

Actions #3

Updated by Ohad Levy about 15 years ago

Carl Caum wrote:

The external node lookup script. I think we should use certs. We could just use puppetca.

What gets tricky is puppetmasterless environments. We'll need some sort of differentiation between puppetmasters and node requests. A puppetmaster should be able to make requests for any node, but a node should only be able to make requests for itself.

if you just want plain SSL authentication, that you would need to use passenger / mongrel and enforce the SSL verification.
this will allow any puppet signed certificate to contact foreman.

this will only solve your case (where you are running without a puppetmaster), maybe we still need an allowed host list where the puppetmasters can be verified.

Actions #4

Updated by Ohad Levy about 15 years ago

  • Status changed from New to Need more information
  • Assignee changed from Ohad Levy to Carl Caum

is this still required? does using SSL provides you a solution or do you still see a need for Foreman to do something?

Actions #5

Updated by Benjamin Papillon about 12 years ago

Hello,

Did you solved your request by using apache access mecanism (cert or anything)?
Is this still required?

Benjamin

Actions #6

Updated by Carl Caum about 12 years ago

  • Status changed from Need more information to Closed

This is no longer required. Thanks for following up.

Actions

Also available in: Atom PDF