Jira (PUP-7522) Add the ability to view trusted fact values from an agent


Nate McCurdy (JIRA)

May 11, 2017, 7:13:03 PM
to puppe...@googlegroups.com
Nate McCurdy created an issue

Puppet / Improvement PUP-7522
Add the ability to view trusted fact values from an agent
Issue Type: Improvement
Assignee: Unassigned
Created: 2017/05/11 4:12 PM
Priority: Normal
Reporter: Nate McCurdy

There is no current way

This message was sent by Atlassian JIRA (v6.4.14#64029-sha1:ae256fe)

Nate McCurdy (JIRA)

May 11, 2017, 7:25:02 PM
to puppe...@googlegroups.com
Nate McCurdy updated an issue
Change By: Nate McCurdy
h2. The problem

There is no current way—at least that I could find—for an agent to be able to view its trusted fact values using a {{puppet}} command.

Someone that is troubleshooting a Puppet-built node would need to do one of:

* Have root access on the Puppet master to run {{puppet cert print <node-name>}}
* Have API access to do a PuppetDB query
* Run {{openssl x509 -text -noout -in $(puppet config print hostcert)}} to view certificate extensions but not have the OID mapping for trusted facts.

The values of a trusted fact are not considered secret and are only trusted in that they've been signed by the CA. Also, they are plainly visible in the x509 certificate. An admin/Puppet user shouldn't need to know the intricacies of the {{openssl}} command to view that data. It seems silly that there is not a way to view this data from a {{puppet}} command.

h2. The improvement

There should be some command, {{puppet <something>}}, that shows the values of local trusted facts.

Nate McCurdy (JIRA)

May 11, 2017, 7:25:03 PM
to puppe...@googlegroups.com
Nate McCurdy updated an issue
h2. The problem

There is no current way—at least that I could find—for an agent to be able to view its trusted fact values using a {{puppet}} command.

Someone that is troubleshooting a Puppet-built node would need to do one of:

* Have root access on the Puppet master to run {{puppet cert print <node-name>}}
* Have API access to do a PuppetDB query
* Run {{openssl x509 -text -noout -in $(puppet config print hostcert)}} to view certificate extensions but not have the OID mapping for trusted facts.

The values of a trusted fact are not considered secret and are only trusted in that they've been signed by the CA. Also, they are plainly visible in the x509 certificate. An admin/Puppet user shouldn't need to know the intricacies of the {{openssl}} command to view that data. It seems silly that there is not a way to view this data from a {{puppet}} command.

h2. The improvement

There should be some command, {{puppet <something>}}, that shows the values of local trusted facts and their OID mappings if using one of the named OID values.

Josh Cooper (JIRA)

May 16, 2017, 7:27:02 PM
to puppe...@googlegroups.com
Josh Cooper updated an issue
Change By: Josh Cooper
Labels: help_wanted triaged

Owen Rodabaugh (JIRA)

Jan 9, 2018, 11:37:06 AM
to puppe...@googlegroups.com
Owen Rodabaugh updated an issue
Change By: Owen Rodabaugh
CS Priority: Normal
CS Impact: While these facts can be found in the console, there are times when troubleshooting on the node it would be very nice to just get them via some kind of puppet CLI command.
CS Severity: 2 - Annoyance
CS Business Value: 4 - $$$$$
CS Frequency: 3 - 25-50% of Customers

Ralph Bolton (JIRA)

Sep 12, 2018, 9:36:02 AM
to puppe...@googlegroups.com
Ralph Bolton commented on Improvement PUP-7522
 
Re: Add the ability to view trusted fact values from an agent

In a similar style to https://tickets.puppetlabs.com/browse/PUP-2630, I have been using:

puppet apply -e 'notify{"abc$trusted":}'


Josh Cooper (Jira)

Apr 1, 2020, 2:18:03 AM
to puppe...@googlegroups.com
Josh Cooper commented on Improvement PUP-7522

We could pretty easily add this to puppet ssl print. Just need to call something like:

password = @cert_provider.load_private_key_password
ssl_context = @ssl_provider.load_context(certname: certname, password: password)
puts ssl_context.client_cert.to_text

See the puppet ssl verify command.


Josh Cooper (Jira)

Apr 1, 2020, 2:18:03 AM
to puppe...@googlegroups.com
Josh Cooper updated an issue
 
Change By: Josh Cooper
Labels: beginner help_wanted

Josh Cooper (Jira)

Dec 3, 2020, 4:53:04 PM
to puppe...@googlegroups.com
Josh Cooper commented on Improvement PUP-7522
 
Re: Add the ability to view trusted fact values from an agent

So one issue with using the ruby bindings for openssl is that OpenSSL::X509::Certificate#to_text will print the long friendly name for the extension (assuming the puppet ssl application registers the puppet extensions). So you'll see something like:

            Puppet Node Role Name:
                ..ci

But when writing a manifest, the trusted hash is keyed by the short friendly name:

$trusted['pp_role']

So I'm thinking it would be most helpful if the command printed the short friendly name, with perhaps an option to show the full OID (in this example "1.3.6.1.4.1.34380.1.1.13").

What about something like?

$ bundle exec puppet ssl show
Subject: CN=localhost
Issuer: CN=Puppet CA: localhost
Serial: 3
Validity: '2020-12-02 19:23:06 UTC' to '2025-12-02 19:23:06 UTC'
Extensions:
  pp_role: ci
  pp_zone: lab
  pp_environment: devel
  pp_datacenter: us1
  pp_application: jenkins

Are there other fields you'd want to see (fingerprint, subjectKeyIdentifier, authorityKeyIdentifier)?
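As an added example (not code from the ticket, from Puppet, or from PUP-10888), the Ruby below does on the agent what Nate asks for and what Josh sketches above: it decodes the Puppet extensions straight from the certificate's DER, keys them by the short friendly name used in {{$trusted}}, and renders the summary format proposed for {{puppet ssl show}}, with an option to append the dotted OID. Because it parses the extension DER itself, it does not depend on the Puppet OIDs being registered with OpenSSL, which is what makes {{to_text}} print "Puppet Node Role Name: ..ci". Assumptions: only {{pp_role}} = 1.3.6.1.4.1.34380.1.1.13 is confirmed by the thread, the other entries in {{PUPPET_OIDS}} follow Puppet's published OID table; the function names and the self-signed certificate built by {{sample_cert}} (a constructed stand-in for {{$(puppet config print hostcert)}}) are this example's own.

```ruby
require 'openssl'

# Short names for Puppet's registered certificate extension OIDs
# (arc 1.3.6.1.4.1.34380.1.1). pp_role = .13 is confirmed by the thread;
# the remaining entries follow Puppet's published OID table (assumption).
PUPPET_OIDS = {
  '1.3.6.1.4.1.34380.1.1.1'  => 'pp_uuid',
  '1.3.6.1.4.1.34380.1.1.2'  => 'pp_instance_id',
  '1.3.6.1.4.1.34380.1.1.3'  => 'pp_image_name',
  '1.3.6.1.4.1.34380.1.1.4'  => 'pp_preshared_key',
  '1.3.6.1.4.1.34380.1.1.8'  => 'pp_application',
  '1.3.6.1.4.1.34380.1.1.12' => 'pp_environment',
  '1.3.6.1.4.1.34380.1.1.13' => 'pp_role',
  '1.3.6.1.4.1.34380.1.1.19' => 'pp_datacenter',
  '1.3.6.1.4.1.34380.1.1.20' => 'pp_zone',
}.freeze
PUPPET_ARC = '1.3.6.1.4.1.34380.'

# Decode one X.509 extension into [dotted_oid, string_value] by walking the
# DER: Extension ::= SEQUENCE { OBJECT IDENTIFIER, [BOOLEAN], OCTET STRING }.
# Puppet stores the value as a DER UTF8String inside the OCTET STRING (those
# are the two leading bytes shown as ".." by to_text); fall back to the raw
# bytes if the inner decode fails.
def decode_extension(ext)
  seq = OpenSSL::ASN1.decode(ext.to_der).value
  oid = seq.first.oid
  raw = seq.last.value
  value = begin
    OpenSSL::ASN1.decode(raw).value
  rescue OpenSSL::ASN1::ASN1Error
    raw
  end
  [oid, value.to_s]
end

# Equivalent of $trusted['extensions']: keyed by short name when the OID is a
# known Puppet one, otherwise by the dotted OID itself.
def trusted_extensions(cert)
  cert.extensions.each_with_object({}) do |ext, h|
    oid, value = decode_extension(ext)
    next unless oid.start_with?(PUPPET_ARC)
    h[PUPPET_OIDS.fetch(oid, oid)] = value
  end
end

# Render the summary proposed in the thread; show_oid appends the dotted OID.
def show(cert, show_oid: false)
  lines = [
    "Subject: #{cert.subject.to_s(OpenSSL::X509::Name::RFC2253)}",
    "Issuer: #{cert.issuer.to_s(OpenSSL::X509::Name::RFC2253)}",
    "Serial: #{cert.serial}",
    "Validity: '#{cert.not_before.utc}' to '#{cert.not_after.utc}'",
    'Extensions:',
  ]
  trusted_extensions(cert).each do |name, value|
    oid = PUPPET_OIDS.key(name)
    label = show_oid && oid ? "#{name} (#{oid})" : name
    lines << "  #{label}: #{value}"
  end
  lines.join("\n")
end

# Constructed fixture: a self-signed cert carrying Puppet-style extensions,
# standing in for the agent's hostcert. Keys may be short names or dotted OIDs.
def sample_cert(exts = { 'pp_role' => 'ci', 'pp_zone' => 'lab' })
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 3
  cert.subject = OpenSSL::X509::Name.new([['CN', 'agent.example.com']])
  cert.issuer = OpenSSL::X509::Name.new([['CN', 'Puppet CA: ca.example.com']])
  cert.public_key = key.public_key
  cert.not_before = Time.utc(2020, 12, 2, 19, 23, 6)
  cert.not_after = Time.utc(2025, 12, 2, 19, 23, 6)
  by_name = PUPPET_OIDS.invert
  exts.each do |k, v|
    der = OpenSSL::ASN1::UTF8String.new(v).to_der
    cert.add_extension(OpenSSL::X509::Extension.new(by_name.fetch(k, k), der))
  end
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
end

if $PROGRAM_NAME == __FILE__
  path = ARGV.reject { |a| a == '--oid' }.first
  cert = path ? OpenSSL::X509::Certificate.new(File.read(path)) : sample_cert
  puts show(cert, show_oid: ARGV.include?('--oid'))
end
```

Run it as {{ruby show_trusted.rb "$(puppet config print hostcert)" --oid}} on an agent to see the real certificate; with no argument it prints the constructed sample. Anything under the Puppet arc that is not in the table is kept under its dotted OID rather than dropped, so a new or custom extension is still visible.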

Josh Cooper (Jira)

Feb 26, 2021, 8:45:02 PM
to puppe...@googlegroups.com
Josh Cooper assigned an issue to Unassigned
 
Change By: Josh Cooper
Assignee: Josh Cooper

Josh Cooper (Jira)

Feb 26, 2021, 8:45:03 PM
to puppe...@googlegroups.com
Josh Cooper assigned an issue to Josh Cooper

Josh Cooper (Jira)

Feb 26, 2021, 8:47:01 PM
to puppe...@googlegroups.com
Josh Cooper commented on Improvement PUP-7522
 
Re: Add the ability to view trusted fact values from an agent

This was fixed in PUP-10888. The "puppet ssl show" command will not print the textual version of the agent's client cert, just like puppet cert print used to. Closing this as a dup.
