On Mar 5, 2011, at 12:32 PM, James Turnbull wrote:

> Randall's request the other day about Dashboard RBAC prompted some
> thoughts about auth in Puppet too.
>
> Currently API access is controlled via auth.conf:
>
> # path /path/to/resource
> # [environment envlist]
> # [method methodlist]
> # [auth[enthicated] {yes|no|on|off|any}]
> # allow [host|ip|*]
> # deny [host|ip]
>
> So the API authentication recognizes host/IPs but nothing else.
>
> It occurs to me that the logical extension of a Dashboard RBAC system
> (or perhaps even moving elements of the problem upstream) is for
> auth.conf to recognize users or perhaps better "roles" as an
> authentication construct.
>
> For example.
>
> puppet.conf:
>
> [roles]
> admin=APIkey
>
> or roles.conf or whatever file.
>
> auth.conf:
>
> # allow [host|ip|role|*]
> # deny [host|ip|role]
>
> allow admin
>
> Then:
>
> curl http://puppet/path/to/resource/production/blah?key=APIkey

I'm thinking that if you have this much, keeping in mind that people might want to use https without client-side certificates with this would be useful. That way you're able to use the key over a network/internet without the world being able to see it.