Currently, as there are no ACLs in PuppetDB, when a test node in, say, the development environment exports a resource, e.g. an `Ssh_authorized_key`, nodes in, say, the production environment collect it. This violates the environmental boundaries that normally exist for separation of changes defined by the git branch/puppet environment separation.
I would expect the default behaviour to limit collection of resources based on environments; however, since that is not currently the case, we could enable that as a feature flag. It seems this environment information is in fact collected and available when collecting resources. Here is an example query:
{code}
curl -G -H "Accept: application/json" 'http://localhost:8080/pdb/query/v4/resources' --data-urlencode 'query=["and",["=","exported", true],["=","environment","production"]]'
{code}
{code}
{
  "certname": "pe-201621-master.puppetdebug.vlan",
  "environment": "production",
  "exported": true,
  "file": "/opt/puppetlabs/puppet/modules/puppet_enterprise/manifests/profile/amq/broker.pp",
  "line": 172,
  ...
{code}
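An added example, not part of the original ticket: a Python audit over rows in the shape returned by the `/pdb/query/v4/resources` query above, reporting resources held by a node in one environment that were exported by a node in another. It assumes a collected resource appears in the collector's catalog with `exported` false and the same `type` and `title`; the sample rows, hostnames and the function name are constructed for illustration.

```python
import json
from collections import defaultdict

# Constructed rows in the shape of /pdb/query/v4/resources output
# (hostnames and titles are made up for this example).
SAMPLE = json.loads("""[
 {"certname": "test01.dev.example", "environment": "development",
  "exported": true, "type": "Ssh_authorized_key", "title": "deploy@test01"},
 {"certname": "web01.prod.example", "environment": "production",
  "exported": false, "type": "Ssh_authorized_key", "title": "deploy@test01"},
 {"certname": "bastion.prod.example", "environment": "production",
  "exported": true, "type": "Ssh_authorized_key", "title": "ops@bastion"},
 {"certname": "web01.prod.example", "environment": "production",
  "exported": false, "type": "Ssh_authorized_key", "title": "ops@bastion"},
 {"certname": "test01.dev.example", "environment": "development",
  "exported": false, "type": "File", "title": "/etc/motd"}
]""")


def cross_environment_collections(resources):
    """Find resources a node holds that were exported from another environment.

    Assumption: a collected resource shows up in the collector's catalog with
    "exported": false and the same type and title as the exported original.
    """
    # Index every exported resource by (type, title).
    exported = defaultdict(list)
    for res in resources:
        if res["exported"]:
            exported[(res["type"], res["title"])].append(res)

    findings = []
    for res in resources:
        if res["exported"]:
            continue
        # A non-exported copy on a different node in a different environment
        # means the export crossed the environment boundary.
        for src in exported.get((res["type"], res["title"]), []):
            if (src["certname"] != res["certname"]
                    and src["environment"] != res["environment"]):
                findings.append((res["type"], res["title"],
                                 src["certname"], src["environment"],
                                 res["certname"], res["environment"]))
    return sorted(findings)


if __name__ == "__main__":
    for finding in cross_environment_collections(SAMPLE):
        print("%s[%s] exported by %s (%s), collected by %s (%s)" % finding)
```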