Feature #39
closed
Added by Carl Caum about 15 years ago.
Updated about 12 years ago.
Description
We need the ability to authenticate nodes before serving an external nodes request. One box should not be allowed to access the parameters and classes of another. Parameters can potentially contain sensitive information.
Do you mean the external node lookup script, the web interface YAML link or both?
how would you want to restrict it? based on hostnames?
The external node lookup script. I think we should use certs. We could just use puppetca.
What gets tricky is puppetmasterless environments. We'll need some sort of differentiation between puppetmasters and node requests. A puppetmaster should be able to make requests for any node, but a node should only be able to make requests for itself.
Carl Caum wrote:
The external node lookup script. I think we should use certs. We could just use puppetca.
What gets tricky is puppetmasterless environments. We'll need some sort of differentiation between puppetmasters and node requests. A puppetmaster should be able to make requests for any node, but a node should only be able to make requests for itself.
if you just want plain SSL authentication, that you would need to use passenger / mongrel and enforce the SSL verification.
this will allow any puppet signed certificate to contact foreman.
this will only solve your case (where you are running without a puppetmaster), maybe we still need an allowed host list where the puppetmasters can be verified.
- Status changed from New to Need more information
- Assignee changed from Ohad Levy to Carl Caum
is this still required? does using SSL provides you a solution or do you still see a need for Foreman to do something?
Hello,
Did you solved your request by using apache access mecanism (cert or anything)?
Is this still required?
Benjamin
- Status changed from Need more information to Closed
This is no longer required. Thanks for following up.
Also available in: Atom
PDF
Updated by 
Updated by 
Updated by