At our site, we're using an nginx reverse proxy to expose only the query endpoint to our users. Currently, we're using SSL client authentication (as PuppetDB does) and everything works fine with this setup:
- raw queries work
- puppet-query tool works
Currently, with this setup, every user needs to set up their certificate and private key (unprotected) and point to those files in the client-tools/puppetdb.conf configuration file.
It would be great to have a new feature that allows users to use an encrypted private key and to be prompted for the decryption password, or to use the environment to pass the private key password along.
Another cool feature would be to support a pluggable authentication mechanism. This way each site could adapt and write code based on its requirements and needs.
For instance at our site, we'd like to use HTTP Negotiate / SPNEGO to authenticate our users with their Kerberos credentials and such a plugin system would allow us to develop our authentication plugin.
Thanks for your consideration
Cheers
Rémi