Randall's request the other day about Dashboard RBAC prompted some
thoughts about auth in Puppet too.

Currently API access is controlled via auth.conf:

# path /path/to/resource
# [environment envlist]
# [method methodlist]
# [auth[enthicated] {yes|no|on|off|any}]
# allow [host|ip|*]
# deny [host|ip]

So the API authentication recognizes host/IPs but nothing else.

It occurs to me that the logical extension of a Dashboard RBAC system
(or perhaps even moving elements of the problem upstream) is for
auth.conf to recognize users or perhaps better "roles" as an
authentication construct.

For example:

puppet.conf:

[roles]
admin=APIkey

or roles.conf or whatever file.

auth.conf:

# allow [host|ip|role|*]
# deny [host|ip|role]

allow admin

Then:

curl http://puppet/path/to/resource/production/blah?key=APIkey

I think this could be done pretty simply and gives us the flexibility to
have basic RBAC for Puppet too with the potential to extend it to other
aspects of Puppet such as workflow.

Anyone have any thoughts? I am sure there are smarter ways of doing the
API key piece and auth'ing the role for example.

Regards


James

-- 
James Turnbull
Puppet Labs
1-503-734-8571
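
Added illustration, not part of the message above and not Puppet code: a Ruby sketch of how the proposed role lookup and allow/deny check could behave. The names ROLES, RULES, role_for and allowed?, the first-matching-path rule, deny taking precedence over allow, and refusal of unmatched paths are all assumptions made for this example.

```ruby
# Added example; every name here is hypothetical, not a Puppet API.
require 'digest'

# Constructed stand-in for the proposed [roles] section: role name => API key.
ROLES = { 'admin' => 'APIkey' }.freeze

# Constructed stand-in for auth.conf entries whose allow/deny lists accept
# role names next to hosts. Hosts and roles share one namespace here, as in
# the proposed syntax, so a role must not be named like a host.
RULES = [
  { path: '/path/to/resource', allow: ['admin'], deny: [] },
  { path: '/other',            allow: ['*'],     deny: ['admin'] }
].freeze

# Compare two equal-length digests without stopping at the first difference.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Map a presented key to a role name, or nil when no role owns that key.
# Hashing first gives fixed-length inputs to the constant-time comparison.
def role_for(key)
  return nil if key.nil? || key.empty?
  presented = Digest::SHA256.digest(key)
  found = nil
  ROLES.each do |role, secret|
    found = role if secure_equal?(presented, Digest::SHA256.digest(secret))
  end
  found
end

# Decide a request: the first rule whose path prefixes the request applies,
# deny wins over allow, and a path with no rule is refused.
def allowed?(path, host, key)
  identities = [host, role_for(key)].compact
  rule = RULES.find { |r| path.start_with?(r[:path]) }
  return false if rule.nil?
  return false if identities.any? { |id| rule[:deny].include?(id) }
  rule[:allow].include?('*') || identities.any? { |id| rule[:allow].include?(id) }
end
```

A key passed as `?key=` in the URL is written to web server access logs and proxy logs, so a deployment of this idea would want the key carried in a request header instead.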
