Jira (PDB-3351) PuppetDB should allow collection only from originating nodes environments as a feature flag


Zachary Smith (JIRA)

Mar 8, 2017, 5:57:02 PM
to puppe...@googlegroups.com
Zachary Smith updated an issue
 
PuppetDB / New Feature PDB-3351
PuppetDB should allow collection only from originating nodes environments as a feature flag
Change By: Zachary Smith
Summary: PuppetDB should allow collection only from originating nodes environments as a feature flag
This message was sent by Atlassian JIRA (v6.4.14#64029-sha1:ae256fe)

Zachary Smith (JIRA)

Mar 8, 2017, 6:01:03 PM
to puppe...@googlegroups.com
Zachary Smith updated an issue
Currently, as there are no ACLs in PuppetDB, when a test node in, say, the development environment exports a resource, e.g. an `Ssh_authorized_key`, nodes in, say, the production environment collect that. This violates the environmental boundaries that normally exist for separation of changes defined by the git branch/puppet environment separation.

I would expect the default behaviour to limit collection of resources based on environments; however, since that is not currently the case, we could enable that as a feature flag. It seems this environment information is in fact collected and available when collecting resources. Here is an example query:

{code}
curl -G -H  "Accept: application/json" 'http://localhost:8080/pdb/query/v4/resources' --data-urlencode 'query=["and",["=","exported", true],["=","environment","production"]]'
{code}

{code}

{
        "certname": "pe-201621-master.puppetdebug.vlan",
        "environment": "production",
        "exported": true,
        "file": "/opt/puppetlabs/puppet/modules/puppet_enterprise/manifests/profile/amq/broker.pp",
        "line": 172,
       ...
{code}

# Proposed Solution

While I believe ACLs are likely a good long term fix, I believe we could simply allow users to append this environment clause during compilation. It appears we currently construct a query in the resource terminus here: https://github.com/puppetlabs/puppetdb/blob/master/puppet/lib/puppet/indirector/resource/puppetdb.rb#L18-L22

I believe if we simply add the node's environment (e.g. `node.environment`) to the request hash, likely as a key called environment (https://github.com/puppetlabs/puppetdb/blob/master/puppet/lib/puppet/indirector/resource/puppetdb.rb#L13), we could then use that in the construction of the query.

The terminus currently includes the `Puppet::Util::Puppetdb` class and that has the `Puppet::Util::Puppetdb.config` method that can be used to look up configuration params from puppetdb.conf. This simply means we could enable this feature as a flag in that configuration and default it to off.



Zachary Smith (JIRA)

Mar 8, 2017, 6:02:02 PM
to puppe...@googlegroups.com
Zachary Smith updated an issue
Currently, as there are no ACLs in PuppetDB, when a test node in, say, the development environment exports a resource, e.g. an `Ssh_authorized_key`, nodes in, say, the production environment collect that. This violates the environmental boundaries that normally exist for separation of changes defined by the git branch/puppet environment separation.

I would expect the default behaviour to limit collection of resources based on environments; however, since that is not currently the case, we could enable that as a feature flag. It seems this environment information is in fact collected and available when collecting resources. Here is an example query:

{code}
curl -G -H  "Accept: application/json" 'http://localhost:8080/pdb/query/v4/resources' --data-urlencode 'query=["and",["=","exported", true],["=","environment","production"]]'
{code}

{code}

{
        "certname": "pe-201621-master.puppetdebug.vlan",
        "environment": "production",
        "exported": true,
        "file": "/opt/puppetlabs/puppet/modules/puppet_enterprise/manifests/profile/amq/broker.pp",
        "line": 172,
       ...
{code}

# Proposed Solution

While I believe ACLs are likely a good long term fix, I believe we could simply allow users to append this environment clause during compilation. It appears we currently construct a query in the resource terminus here: https://github.com/puppetlabs/puppetdb/blob/master/puppet/lib/puppet/indirector/resource/puppetdb.rb#L18-L22

I believe if we simply add the node's environment (e.g. `node.environment`) to the request hash, likely as a key called `:environment` (https://github.com/puppetlabs/puppetdb/blob/master/puppet/lib/puppet/indirector/resource/puppetdb.rb#L13), we could then use that in the construction of the query.

The terminus currently includes the `Puppet::Util::Puppetdb` class and that has the `Puppet::Util::Puppetdb.config` method that can be used to look up configuration params from puppetdb.conf. This simply means we could enable this feature as a flag in that configuration and default it to off.
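
The proposal in the issue description above, sketched as an added Ruby example (not part of the original issue and not PuppetDB's own code): a query builder that appends the environment clause when a flag is set, and a small evaluator that shows the effect on constructed resources. The helper names, the `restrict_env` flag, the base clauses of the query and the sample hostnames are assumptions made for illustration.

```ruby
require 'json'

# Hypothetical helper: builds an AST query for collecting exported resources of
# `type` on behalf of node `host`. The base clauses are an assumed query shape;
# `restrict_env` stands in for the proposed puppetdb.conf feature flag.
def collection_query(type, host, environment, restrict_env: false)
  expr = ['and',
          ['=', 'type', type],
          ['=', 'exported', true],
          ['not', ['=', 'certname', host]]]
  if restrict_env
    # Fail closed: with the flag on, a missing environment must not silently
    # fall back to cross-environment collection.
    raise ArgumentError, 'environment is required' if environment.to_s.empty?
    expr << ['=', 'environment', environment]
  end
  expr
end

# Minimal evaluator for the three operators used above, so the effect of the
# extra clause can be checked offline.
def matches?(expr, resource)
  op, *args = expr
  case op
  when 'and' then args.all? { |e| matches?(e, resource) }
  when 'not' then !matches?(args.first, resource)
  when '='   then resource[args[0]] == args[1]
  else raise ArgumentError, "unsupported operator: #{op}"
  end
end

# Constructed sample data: one key exported from development, one from production.
RESOURCES = [
  { 'certname' => 'test01.example.com', 'environment' => 'development',
    'type' => 'Ssh_authorized_key', 'title' => 'dev-user', 'exported' => true },
  { 'certname' => 'bastion.example.com', 'environment' => 'production',
    'type' => 'Ssh_authorized_key', 'title' => 'ops-user', 'exported' => true }
].freeze

# Titles a production node (web01.example.com, constructed) would collect.
def collected_titles(restrict_env, environment = 'production')
  q = collection_query('Ssh_authorized_key', 'web01.example.com', environment,
                       restrict_env: restrict_env)
  RESOURCES.select { |r| matches?(q, r) }.map { |r| r['title'] }
end

puts JSON.generate(collection_query('Ssh_authorized_key', 'web01.example.com',
                                    'production', restrict_env: true))
```

With the flag off, the production node collects both keys; with it on, only the key exported from production remains.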



Claudia Petty (Jira)

Jun 21, 2023, 10:57:06 AM
to puppe...@googlegroups.com
Claudia Petty updated an issue
Change By: Claudia Petty
Labels: new-feature
This message was sent by Atlassian Jira (v8.20.21#820021-sha1:38274c8)