path ~ ^/node/([^/]+)$
method find
allow $1

then nodes are able to find their own node definitions from the master
like this:

$ puppet node find <certname> --terminus rest --server <servername>
This is really useful, as it allows you to do things from the node
like find out what environment/classes/parameters an ENC is going to
define for you. This would allow us to modify the configurer face to
work out what environment you are going to be assigned before you do
any pluginsync.
Question: Is this an appropriate default ACL to put in place? Are
there negative implications?
--
Nigel Kersten
Product, Puppet Labs
@nigelkersten
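As an added illustration (a simplified model written for this page, not code from the thread and not Puppet's own auth.conf evaluator), the Ruby script below shows what the proposed rule actually grants: the capture group from the path regex is expanded into the `allow` entry and compared with the requesting node's certname, so a node can `find` its own node definition but not another node's, and cannot use a different REST method on the same path. The certnames and the `parse_auth_conf` / `authorized?` helpers are constructed for the example.

```ruby
# Added illustration, NOT Puppet's own Puppet::Network::Rights code: a
# simplified evaluator for the auth.conf rule proposed in the thread.
# Semantics modelled: the first rule whose path matches AND whose method
# list covers the request decides; "allow $1" is expanded from the regex
# capture group and compared against the requesting node's certname.

Rule = Struct.new(:path_regex, :allowed_methods, :allow)

# Parse a minimal auth.conf-style text into an ordered list of Rule objects.
# "path ~ <regex>" is a regex match; a bare "path /x" is a prefix match.
def parse_auth_conf(text)
  rules = []
  current = nil
  text.each_line do |raw|
    line = raw.strip
    next if line.empty? || line.start_with?('#')
    key, value = line.split(/\s+/, 2)
    case key
    when 'path'
      rules << current if current
      regex = if value.start_with?('~')
                Regexp.new(value.sub(/\A~\s*/, ''))
              else
                Regexp.new('\A' + Regexp.escape(value))
              end
      current = Rule.new(regex, [], [])
    when 'method'
      raise "method before path at: #{line}" unless current
      current.allowed_methods.concat(value.split(/\s*,\s*/))
    when 'allow'
      raise "allow before path at: #{line}" unless current
      current.allow.concat(value.split(/\s*,\s*/))
    end
  end
  rules << current if current
  rules
end

# Return true if +certname+ may perform +method+ on +path+ under +rules+.
# A rule whose path matches but whose method list does not is skipped
# (evaluation keeps looking); no matching rule at all means denied.
def authorized?(rules, certname, method, path)
  rules.each do |rule|
    m = rule.path_regex.match(path)
    next unless m
    next unless rule.allowed_methods.empty? || rule.allowed_methods.include?(method)
    return rule.allow.any? do |entry|
      # Replace $1, $2, ... with the corresponding capture from the path regex.
      expanded = entry.gsub(/\$(\d+)/) { m[Regexp.last_match(1).to_i].to_s }
      expanded == '*' || expanded == certname
    end
  end
  false
end

# Constructed sample: the exact rule from the post.
RULE_TEXT = <<~CONF
  path ~ ^/node/([^/]+)$
  method find
  allow $1
CONF

RULES = parse_auth_conf(RULE_TEXT)

if __FILE__ == $PROGRAM_NAME
  # Constructed certnames; web01 may read only its own node definition.
  [
    ['web01.example.com', 'find', '/node/web01.example.com'],
    ['web01.example.com', 'find', '/node/db01.example.com'],
    ['web01.example.com', 'save', '/node/web01.example.com'],
  ].each do |cert, meth, path|
    verdict = authorized?(RULES, cert, meth, path) ? 'allow' : 'deny'
    puts "#{cert} #{meth} #{path} => #{verdict}"
  end
end
```

The model deliberately leaves out the real file's other directives (`auth`, `environment`, `deny`) and only handles `allow` entries that are a literal certname, `*`, or a `$n` backreference; the point it makes is that binding the capture group to the `allow` list is what keeps the grant to "your own node definition" rather than "any node definition".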
I can't identify any: there is a theoretical minor information leak,
in that nodes can now see the input variables that the ENC sets, not
just the outcome of compiling a catalog with them, but that seems ...
unlikely to actually present any security or information risk that
wasn't already present.
Daniel
--
⎋ Puppet Labs Developer – http://puppetlabs.com
✉ Daniel Pittman <dan...@puppetlabs.com>
✆ Contact me via gtalk, email, or phone: +1 (877) 575-9775
♲ Made with 100 percent post-consumer electrons
> On Tue, Apr 19, 2011 at 12:52, Nigel Kersten <ni...@puppetlabs.com> wrote:
>
>> If you add a rule like this to puppet 2.7.0rc1 in auth.conf
>>
>> path ~ ^/node/([^/]+)$
>> method find
>> allow $1
>>
>> then nodes are able to find their own node definitions from the master
>> like this:
>>
>> $ puppet node find <certname> --terminus rest --server <servername>
>>
>> This is really useful, as it allows you to do things from the node
>> like find out what environment/classes/parameters an ENC is going to
>> define for you. This would allow us to modify the configurer face to
>> work out what environment you are going to be assigned before you do
>> any pluginsync.
>>
>> Question: Is this an appropriate default ACL to put in place? Are
>> there negative implications?
>
>
> I can't identify any: there is a theoretical minor information leak,
> in that nodes can now see the input variables that the ENC sets, not
> just the outcome of compiling a catalog with them, but that seems ...
> unlikely to actually present any security or information risk that
> wasn't already present.
Seems like a good move to me.
--
The most likely way for the world to be destroyed, most experts agree,
is by accident. That's where we come in; we're computer professionals.
We cause accidents. --Nathaniel Borenstein
---------------------------------------------------------------------
Luke Kanies -|- http://puppetlabs.com -|- http://about.me/lak