Feature #39: Node Authentication - Foreman

Actions

Copy link

Feature #39

closed

Node Authentication

Added by Carl Caum over 14 years ago. Updated over 11 years ago.

Status:

Closed

Priority:

Normal

Assignee:

Carl Caum

Category:

External Nodes

Target version:

Difficulty:

Triaged:

Bugzilla link:

Pull request:

Fixed in Releases:

Found in Releases:

Red Hat JIRA:

Description

We need the ability to authenticate nodes before serving an external nodes request. One box should not be allowed to access the parameters and classes of another. Parameters can potentially contain sensitive information.

Actions

Copy link

Updated by Ohad Levy over 14 years ago

Do you mean the external node lookup script, the web interface YAML link or both?

how would you want to restrict it? based on hostnames?

Actions

Copy link

Updated by Carl Caum over 14 years ago

The external node lookup script. I think we should use certs. We could just use puppetca.

What gets tricky is puppetmasterless environments. We'll need some sort of differentiation between puppetmasters and node requests. A puppetmaster should be able to make requests for any node, but a node should only be able to make requests for itself.

Actions

Copy link

Updated by Ohad Levy over 14 years ago

Carl Caum wrote:

The external node lookup script. I think we should use certs. We could just use puppetca.

What gets tricky is puppetmasterless environments. We'll need some sort of differentiation between puppetmasters and node requests. A puppetmaster should be able to make requests for any node, but a node should only be able to make requests for itself.

if you just want plain SSL authentication, that you would need to use passenger / mongrel and enforce the SSL verification.
this will allow any puppet signed certificate to contact foreman.

this will only solve your case (where you are running without a puppetmaster), maybe we still need an allowed host list where the puppetmasters can be verified.

Actions

Copy link