Thanks Michael! I understand the inter-node security. I'm trying to answer our internal security folks about how execution of mco commands is restricted on an (authorized) node to root or authorized users. It appeared to me that this was accomplished by having the config files be 600.

On Tue, Jun 21, 2016 at 3:25 PM, Michael Smith <michael.sm...@puppet.com> wrote:

> There is a section of PE docs that talks about MCollective security as
> set up by PE
> (https://docs.puppet.com/pe/latest/orchestration_overview.html#security),
> as well as points to security notes in the OSS MCollective docs.
>
> In short, having the contents of the config files is sufficient to connect
> to ActiveMQ, but when using the SSL-based security module, requests should
> only be honored by the end-points (MCollective servers) when they also have
> certificates for the sender in a configured location.
>
> On Tue, Jun 21, 2016 at 1:22 PM, Shawn Ferry <shawn.fe...@oracle.com> wrote:
>
>> And for everyone who is wondering what bugs; I'm unintentionally cross
>> posting so that's really just for Geoffrey
>>
>> On Jun 21, 2016, at 16:20, Shawn Ferry <shawn.fe...@oracle.com> wrote:
>>
>> Did you see the recent spate of mcollective bugs that were just filed?
>>
>> One of them does talk about file perms iirc
>>
>> Shawn
>>
>> On Jun 21, 2016, at 16:06, Geoffrey Gardella <garde...@gmail.com> wrote:
>>
>> Hi All,
>> working on our port of MCollective into Solaris. I wanted to confirm that
>> we rely on the permissions of server.cfg and client.cfg being 600 to keep
>> non-root users from executing commands with MCollective. That is, if those
>> files are say, 644, then any user on the system can run any MCollective
>> command. Are other (role-based restrictions) there in the Linux world?
>> Trying to find docs, but coming up empty.
>>
>> Thanks,
>> Geoffrey
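
A check an administrator could run for the file-permission question in this thread, as an added example that is not part of the original messages or of MCollective itself: it flags a config file that group or other can access, lists the credential settings that exposes, and checks any private key file the config names. The setting-name fragments and the sample file names are assumptions; run it as root so it can read files that are mode 600.

```python
import os
import tempfile

INLINE_SECRETS = ("password", "psk")  # assumed name fragments; adjust per site
KEY_FILE_HINTS = ("private",)  # assumed: settings that name private key files


def parse_cfg(path):
    """Parse 'key = value' lines, skipping blanks and # comments."""
    settings = {}
    with open(path) as fh:
        for line in fh:
            line = line.strip()
            if line and not line.startswith("#") and "=" in line:
                key, value = line.split("=", 1)
                settings[key.strip()] = value.strip()
    return settings


def mode_of(path):
    return os.stat(path).st_mode & 0o777  # permission bits only


def audit(cfg_path):
    """Findings for one config file and the private key files it names."""
    findings, settings = [], parse_cfg(cfg_path)
    if mode_of(cfg_path) & 0o077:  # any group/other access
        exposed = sorted(k for k in settings if any(s in k for s in INLINE_SECRETS))
        findings.append(f"{cfg_path}: mode {mode_of(cfg_path):o}, exposes {exposed}")
    for key, value in settings.items():
        is_key_file = any(h in key for h in KEY_FILE_HINTS) and os.path.isfile(value)
        if is_key_file and mode_of(value) & 0o077:
            findings.append(f"{value}: mode {mode_of(value):o}, named by {key}")
    return findings


def demo(cfg_mode, key_mode):  # builds constructed sample files, then audits them
    with tempfile.TemporaryDirectory() as d:
        key, cfg = os.path.join(d, "user-private.pem"), os.path.join(d, "client.cfg")
        open(key, "w").close()  # empty placeholder, not a real key
        with open(cfg, "w") as fh:
            fh.write("plugin.activemq.pool.1.password = constructed-value\n"
                     f"plugin.ssl_client_private = {key}\n")
        os.chmod(cfg, cfg_mode)
        os.chmod(key, key_mode)
        return audit(cfg)


if __name__ == "__main__":
    print("\n".join(demo(0o644, 0o640)) or "no findings")
```

On a real node, call `audit()` with the path of each `server.cfg` and `client.cfg`; an empty list means neither the config nor the key files it names are accessible to group or other.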