On Mar 5, 2011, at 12:32 PM, James Turnbull wrote:
> puppet.conf:
> [roles]
> admin=APIkey
> ...
> auth.conf:
> allow admin

I agree that this seems like a step up from host-based auth. I don't see how it's role-based, aside from calling it a "role" in puppet.conf.

No, I take that back. If the API keys are not unique, then giving a key to a user is essentially role assignment. In that case, how do you revoke a user's role? Disabling the key would be like removing the role entirely, revoking access for everyone else with the key.

What is the source of truth? If we store Dashboard's RBAC in Dashboard's database (for the sake of argument) and we have Puppet's RBAC in a config file then they'll be out of sync, unless special effort is expended. We could argue that they're different sets with no overlapping members, that having access to a thing in Dashboard is completely different from having access to it in Puppet. At this point that's the only way I can see it working.

Sorry to have more questions than answers. It does seem like the right direction, James.

r