On Wednesday, August 7, 2013 9:31:21 AM UTC-7, Andy Parker wrote:

> mjz, thanks for all of your work on this! This is really cool.
>
> I glanced at your changes and noticed that it is turning into a shotgun across the codebase. I'm wondering if there is some sort of "generic auth/authz" api that puppet could have around kerberos/spnego and x.509 certs. Obviously the command line utilities will need to exist for managing certs, but maybe internal to the code there are some clearer separations that could be made. The idea of a certificate shows up all over the place in puppet and with kerberos it probably shouldn't. Or at least it shouldn't show up in the same form.

I can't think of an authentication API that would span PKI and Kerberos... The usage patterns (SSL is transport level, SPNEGO is HTTP level) and the credential lifecycles are different enough that it may be difficult to build a "clean" abstraction across both.

We could probably "raise" the level of the client pieces to HTTP auth instead of just SPNEGO/GSSAPI, I guess. But the other common options (basic and digest) require configuring the agent with a password. Puppet does such a good job making the PKI convenient that I can't see much benefit in testing and supporting basic or digest auth. Kerberos OTOH, and especially Active Directory, are common enough alternatives to PKI...

The key changes were surprisingly straightforward from my POV:

1) support REMOTE_USER on the server - externalizing most of the logic to another service.
2) support SPNEGO via GSSAPI on each request.
3) support running the agent without a client certificate.

One of my questions in the ARM is related to this discussion:

> QUESTION: Is there an MCollective expert who could outline the MCollective road map and how it would interact with Kerberos infrastructure? Is the intent that MCollective be used for agent -> master communication (and authentication) in the future?

That would be a logical evolution to me. (And if not, we certainly need to improve the HTTP Connection:close behavior that we have today.)

--
You received this message because you are subscribed to the Google Groups "Puppet Developers" group. Visit this group at http://groups.google.com/group/puppet-dev.
