Feature #39
Node Authentication
| Status: | Need more information | Start: | 10/07/2009 | |
|---|---|---|---|---|
| Priority: | Normal | Due date: | ||
| Assigned to: |  Carl Caum |
% Done: | 0% |
|
| Category: | External Nodes | |||
| Target version: | - | |||
| Backlog: | Difficulity: | |||
| Votes: | 0 |
Description
We need the ability to authenticate nodes before serving an external nodes request. One box should not be allowed to access the parameters and classes of another. Parameters can potentially contain sensitive information.
History
Updated by Ohad Levy over 2 years ago
Do you mean the external node lookup script, the web interface YAML link or both?
how would you want to restrict it? based on hostnames?
Updated by Carl Caum over 2 years ago
The external node lookup script. I think we should use certs. We could just use puppetca.
What gets tricky is puppetmasterless environments. We'll need some sort of differentiation between puppetmasters and node requests. A puppetmaster should be able to make requests for any node, but a node should only be able to make requests for itself.
Updated by Ohad Levy over 2 years ago
Carl Caum wrote:
The external node lookup script. I think we should use certs. We could just use puppetca.
What gets tricky is puppetmasterless environments. We'll need some sort of differentiation between puppetmasters and node requests. A puppetmaster should be able to make requests for any node, but a node should only be able to make requests for itself.
if you just want plain SSL authentication, that you would need to use passenger / mongrel and enforce the SSL verification.
this will allow any puppet signed certificate to contact foreman.
this will only solve your case (where you are running without a puppetmaster), maybe we still need an allowed host list where the puppetmasters can be verified.
Updated by Ohad Levy over 2 years ago
- Status changed from New to Need more information
- Assigned to changed from Ohad Levy to Carl Caum
is this still required? does using SSL provides you a solution or do you still see a need for Foreman to do something?
