MCollective - Restricted Access


Tom Tucker

Jun 4, 2015, 1:47:25 PM
to puppet...@googlegroups.com

Is it possible to limit which node can execute mco related commands?  Ideally I would only want an admin node(s) to have this level of access.

Thanks in advance,

# rpm -qa | egrep 'mcol|pupp'
puppetserver-1.0.8-1.el6.noarch
mcollective-service-common-3.1.3-1.el6.noarch
mcollective-2.8.2-1.el6.noarch
mcollective-puppet-common-1.10.0-1.el6.noarch
mcollective-nettest-agent-3.0.4-1.el6.noarch
mcollective-package-agent-4.4.0-1.el6.noarch
mcollective-client-2.8.2-1.el6.noarch
mcollective-service-agent-3.1.3-1.el6.noarch
mcollective-puppet-client-1.10.0-1.el6.noarch
mcollective-nettest-common-3.0.4-1.el6.noarch
mcollective-nettest-client-3.0.4-1.el6.noarch
mcollective-package-common-4.4.0-1.el6.noarch
mcollective-package-client-4.4.0-1.el6.noarch
puppetlabs-release-6-11.noarch
puppet-3.8.1-1.el6.noarch
mcollective-common-2.8.2-1.el6.noarch
mcollective-service-client-3.1.3-1.el6.noarch
mcollective-puppet-agent-1.10.0-1.el6.noarch
mcollective-facter-facts-1.0.0-1.noarch
puppet-server-3.8.1-1.el6.noarch

Christopher Wood

Jun 4, 2015, 2:29:40 PM
to puppet...@googlegroups.com
On Thu, Jun 04, 2015 at 01:47:16PM -0400, Tom Tucker wrote:
> Is it possible to limit which node can execute mco related commands? 
> Ideally I would only want an admin node(s) to have this level of access.
> Thanks in advance,

Node, probably not. Every node has to have a socket to the stomp middleware.

However, you can definitely limit commands on a per-person basis. Look into a combination of the Action Policy Authorization Plugin and some kind of RSA or SSH key-based auth. I've successfully implemented the SSH key-based auth.

https://github.com/puppetlabs/mcollective-actionpolicy-auth
https://github.com/puppetlabs/mcollective-sshkey-security

There's also mcollect...@googlegroups.com for more specific mco questions.

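To illustrate the per-caller restriction suggested in the reply above, here is an added example (not part of the thread, and not the plugin's own code): a simplified Python model of how an Action Policy style policy file with a default-deny line decides a request by caller ID and action. The policy contents and caller IDs are constructed, the function names are hypothetical, and fact and class matching is deliberately left out.

```python
# Simplified model of an actionpolicy-style policy file (not the plugin's code).
# Each rule line is tab-separated: allow|deny, caller IDs, actions, facts, classes.
# Constructed sample: caller IDs are illustrative; their real form depends on
# the security plugin in use.
SAMPLE_POLICY = (
    "# constructed policy for one agent\n"
    "policy default deny\n"
    "allow\tcert=admin\t*\t*\t*\n"
    "allow\tcert=oncall\tstatus\t*\t*\n"
)

def parse_policy(text):
    """Return (default_verdict, rules) from policy text."""
    default, rules = "deny", []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("policy default"):
            parts = line.split()
            if len(parts) != 3 or parts[2] not in ("allow", "deny"):
                raise ValueError(f"line {lineno}: bad default policy")
            default = parts[2]
            continue
        fields = line.split("\t")
        if len(fields) != 5 or fields[0] not in ("allow", "deny"):
            raise ValueError(f"line {lineno}: expected 5 tab-separated fields")
        if fields[3] != "*" or fields[4] != "*":
            # Fact and class matching is outside this model; refuse to guess.
            raise ValueError(f"line {lineno}: facts/classes not modelled")
        rules.append((fields[0], fields[1].split(), fields[2].split()))
    return default, rules

def is_allowed(policy, caller, action):
    """First rule matching caller and action decides; otherwise the default."""
    default, rules = policy
    for verdict, callers, actions in rules:
        if ("*" in callers or caller in callers) and \
           ("*" in actions or action in actions):
            return verdict == "allow"
    return default == "allow"

if __name__ == "__main__":
    policy = parse_policy(SAMPLE_POLICY)
    for caller, action in [("cert=admin", "restart"), ("cert=oncall", "status"),
                           ("cert=oncall", "restart"), ("cert=node42", "status")]:
        print(caller, action, "->", is_allowed(policy, caller, action))
```
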