Custom policy executable


George Brown

Feb 17, 2014, 9:20:50 AM
to puppet...@googlegroups.com
Hi,

I'm trying to create an autosign policy which checks for a custom attribute in the CSR, but I'm having some issues with the master not signing the request.

My client has the following in /etc/puppet/csr_attributes.yaml

custom_attributes:
  1.2.840.113549.1.9.7: foo

My policy is a simple bash script, in this case checking for foo.

#!/bin/bash
# Puppet runs the policy executable as: autosign.sh <certname>, with the CSR
# itself (PEM) on stdin. This script instead expects already-decoded
# `openssl req -text` output on stdin and looks for the challengePassword line.
CUSTOM_ATTR=$(grep "challengePassword" | awk -F ":" '{print $2}')

if [[ "$CUSTOM_ATTR" == "foo" ]]; then
   exit 0
else
   exit 1
fi
I had tested with the following; I'm guessing the issue is with my script not reading in the CSR from Puppet? If anyone has any examples of policies they have created I would love to see them (this seems to be lacking in the Puppet documentation).

sudo openssl req -noout -text -in  /var/lib/puppet/ssl/ca/requests/mynode.pem | /etc/puppet/autosign.sh; echo $?
0


Many thanks,
George

George Brown

Feb 17, 2014, 9:59:06 AM
to puppet...@googlegroups.com
So after re-reading the docs http://docs.puppetlabs.com/puppet/latest/reference/ssl_autosign.html#policy-executable-api

I've made the following modification which works.

#!/bin/bash
# Policy executable: Puppet passes the requesting certname as $1.
HOST=$1
[[ -n "$HOST" ]] || exit 1

# Re-read the pending CSR from the master's requests directory and pull the
# value of the challengePassword attribute out of the decoded text.
CUSTOM_ATTR=$(openssl req -noout -text -in "/var/lib/puppet/ssl/ca/requests/$HOST.pem" | grep "challengePassword" | awk -F ":" '{print $2}')

if [[ "$CUSTOM_ATTR" == "foo" ]]; then
  exit 0
else
  exit 1
fi

I'd still be interested to see what others are doing with policy-based auto signing though.

Ryan Jacobson

May 8, 2014, 1:32:59 AM
to puppet...@googlegroups.com, 321.g...@gmail.com
I'm doing the same thing as you.

In fact, your post is what I used to create my own policy.  I couldn't find any other examples anywhere, so thank you!

I'm using ruby instead of sh as my executable:

#!/bin/ruby
# Policy executable: Puppet passes the requesting certname as ARGV[0].
require 'open3'

exit(1) if ARGV.empty?

host = ARGV[0]
# Run openssl with an argument array so the certname is never parsed by a shell.
text, status = Open3.capture2('openssl', 'req', '-noout', '-text', '-in',
                              "/var/lib/puppet/ssl/ca/requests/#{host}.pem")
exit(1) unless status.success?

# Value after the colon on the challengePassword line of the decoded CSR.
line = text.lines.find { |l| l.include?('challengePassword') }
custom_attr = line ? line.split(':', 2)[1].to_s.strip : ''

exit(0) if custom_attr == 'foo'
exit(1)
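As an added example (not code from either poster), here is a policy script that follows the documented API linked above: the certname arrives in argv[1] and the CSR in PEM form on stdin, so it decodes what Puppet hands it rather than re-reading the pem from the requests directory. It assumes the expected secret is supplied in an AUTOSIGN_SECRET environment variable on the master; that variable is this example's assumption, not part of the thread.

```shell
#!/bin/sh
# Puppet policy executable. Puppet invokes it as:  autosign.sh <certname>
# with the CSR in PEM form on stdin. Exit 0 signs the request, anything
# else refuses it. The expected secret comes from AUTOSIGN_SECRET (assumed
# to be set in the master's environment for this example).

# Reject certnames that could not be a hostname (path separators, spaces,
# leading dots, ".." sequences). We never build a path from it, but a
# malformed name is still reason enough to refuse.
valid_certname() {
    case "$1" in
        "" | .* | *..* | *[!A-Za-z0-9._-]*) return 1 ;;
    esac
    return 0
}

# Read `openssl req -text` output on stdin and print the value of the
# challengePassword attribute (OID 1.2.840.113549.1.9.7), trimmed.
# Prints nothing when the attribute is absent.
extract_challenge_password() {
    awk '/challengePassword/ {
             sub(/^[^:]*:[ \t]*/, ""); sub(/[ \t\r]+$/, ""); print; exit }'
}

# 0 when the presented value is non-empty and equals the expected secret.
attribute_matches() {
    [ -n "$1" ] && [ "$1" = "$2" ]
}

main() {
    certname="$1"
    valid_certname "$certname" || exit 1
    [ -n "$AUTOSIGN_SECRET" ] || exit 1
    # Decode the CSR Puppet handed us on stdin instead of re-reading
    # /var/lib/puppet/ssl/ca/requests/<certname>.pem from disk.
    presented=$(openssl req -noout -text 2>/dev/null | extract_challenge_password)
    if attribute_matches "$presented" "$AUTOSIGN_SECRET"; then
        echo "autosign: signing $certname" >&2
        exit 0
    fi
    echo "autosign: refusing $certname" >&2
    exit 1
}

# Run as a policy only when Puppet supplies a certname argument.
if [ $# -gt 0 ]; then main "$@"; fi
```

The manual test from the first post still works against it: pipe a saved request through it as `openssl ... -in mynode.pem | AUTOSIGN_SECRET=foo ./autosign.sh mynode` is not needed, since the script decodes PEM itself; `AUTOSIGN_SECRET=foo ./autosign.sh mynode < /var/lib/puppet/ssl/ca/requests/mynode.pem; echo $?` exercises the real path.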