Feature #39

Node Authentication

Added by Carl Caum almost 10 years ago. Updated almost 7 years ago.

Status: Closed
Priority: Normal
Assignee:
Category: External Nodes
Target version: -
Difficulty:
Triaged: No
Bugzilla link:
Pull request:
Fixed in Releases:
Found in Releases:

Description

We need the ability to authenticate nodes before serving an external nodes request. One box should not be allowed to access the parameters and classes of another. Parameters can potentially contain sensitive information.

Associated revisions

Revision ae763d61 (diff)
Added by Trevor Vaughan - Onyx Point over 8 years ago

Completed README

Refs #26
Closes #39

History

#1 Updated by Ohad Levy almost 10 years ago

Do you mean the external node lookup script, the web interface YAML link or both?

How would you want to restrict it? Based on hostnames?

#2 Updated by Carl Caum almost 10 years ago

The external node lookup script. I think we should use certs. We could just use puppetca.

What gets tricky is puppetmasterless environments. We'll need some sort of differentiation between puppetmasters and node requests. A puppetmaster should be able to make requests for any node, but a node should only be able to make requests for itself.

#3 Updated by Ohad Levy almost 10 years ago

Carl Caum wrote:

The external node lookup script. I think we should use certs. We could just use puppetca.

What gets tricky is puppetmasterless environments. We'll need some sort of differentiation between puppetmasters and node requests. A puppetmaster should be able to make requests for any node, but a node should only be able to make requests for itself.

If you just want plain SSL authentication, then you would need to use passenger / mongrel and enforce the SSL verification.
This will allow any puppet signed certificate to contact foreman.

This will only solve your case (where you are running without a puppetmaster); maybe we still need an allowed host list where the puppetmasters can be verified.
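
The access rule discussed in comments #2 and #3, sketched as an added example that is not part of the original thread and is not Foreman's own code. It assumes a front end such as Apache mod_ssl that verifies client certificates against the Puppet CA and exports `SSL_CLIENT_VERIFY` and `SSL_CLIENT_S_DN`; the function names, the allow-list and all hostnames are hypothetical.

```ruby
require 'set'

# Hypothetical allow-list of puppetmaster certnames (constructed value).
TRUSTED_PUPPETMASTERS = Set['puppet.example.com'].freeze

# Pull the CN out of a subject DN in "/C=US/CN=host" or "CN=host,O=Org" form.
# Assumption: the CA only signs subjects that carry a single CN.
def certname_from_dn(dn)
  return nil if dn.nil?
  m = dn.match(%r{(?:\A|[/,])\s*CN=([^/,]+)}i)
  m && m[1].strip.downcase
end

# Decide whether an external-node lookup for requested_node may be served.
def enc_request_allowed?(env, requested_node, masters = TRUSTED_PUPPETMASTERS)
  # Fail closed unless the web server verified the certificate chain.
  return false unless env['SSL_CLIENT_VERIFY'] == 'SUCCESS'
  certname = certname_from_dn(env['SSL_CLIENT_S_DN'])
  return false if certname.nil? || certname.empty?
  # Puppetmasters on the allow-list may request any node.
  return true if masters.include?(certname)
  # Any other signed certificate may only request its own node data.
  certname == requested_node.to_s.strip.downcase
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample requests: [verify status, subject DN, requested node].
  [
    ['SUCCESS', '/CN=web01.example.com',  'web01.example.com'],
    ['SUCCESS', '/CN=web01.example.com',  'db01.example.com'],
    ['SUCCESS', '/CN=puppet.example.com', 'db01.example.com'],
    ['NONE',    '/CN=puppet.example.com', 'db01.example.com']
  ].each do |verify, dn, node|
    env = { 'SSL_CLIENT_VERIFY' => verify, 'SSL_CLIENT_S_DN' => dn }
    puts "#{dn} -> #{node}: #{enc_request_allowed?(env, node) ? 'allow' : 'deny'}"
  end
end
```

Enforcing SSL verification alone corresponds to the first check only; the allow-list and the self-match are what keep one signed node from reading another node's parameters.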

#4 Updated by Ohad Levy almost 10 years ago

  • Status changed from New to Need more information
  • Assignee changed from Ohad Levy to Carl Caum

Is this still required? Does using SSL provide you a solution, or do you still see a need for Foreman to do something?

#5 Updated by Benjamin Papillon almost 7 years ago

Hello,

Did you solve your request by using an Apache access mechanism (cert or anything)?
Is this still required?

Benjamin

#6 Updated by Carl Caum almost 7 years ago

  • Status changed from Need more information to Closed

This is no longer required. Thanks for following up.
