I am in the process of implementing a custom internal facts indirector for PuppetDB with RBAC, along with a custom version of "lookup", to basically solve this for our site, and as part of this there are a couple more aspects to it that I hadn't considered originally. My overarching outcome from getting this ticket implemented as I originally outlined was so that any non-root user could invoke "puppet lookup" with an RBAC token granting them access to PuppetDB (which as a non-root user they of course otherwise wouldn't have, even on a Puppetmaster, due to lack of permissions on the node's private key), pointed to an environment with a hiera configuration they could read, so that the values would be correctly interpolated and resolved as they would during a root-based "puppet lookup". However, in addition to the token I found that I needed a PuppetDB configuration as well. As a non-root user it was trying to read my configurations from ~/.puppetlabs/etc/puppet. In my setup I have ended up looking for and reading the same configuration files that the pe-client-tools uses. Setting configuration per-user in ~/.puppetlabs/etc/puppet and leveraging the normal Puppet PuppetDB indirector configuration was a non-starter; the command needed to just work for an arbitrary user on the system with a token. While just implementing support for the PE RBAC token would be a step in the right direction, I'm not sure how it would be useful without also providing support for more of the whole end-to-end I've described.