Meanwhile I found a solution ...

I just use environment names which can't be guessed ... like

On puppet.conf on the puppetmaster:
[math-34lkdfjop34j-dev]
    modulepath = /etc/puppet/data/math/dev/modules
    manifest = /etc/puppet/data/math/dev/manifests/init.pp
[math-34lkdfjop34j-prd]
    modulepath = /etc/puppet/data/math/prd/modules
    manifest = /etc/puppet/data/math/prd/manifests/init.pp
[infk-.289n3D0dg2-dev]
    modulepath = /etc/puppet/data/inf/dev/modules
    manifest = /etc/puppet/data/inf/dev/manifests/init.pp
[infk-.289n3D0dg2-prd]
    modulepath = /etc/puppet/data/inf/prd/modules
    manifest = /etc/puppet/data/inf/prd/manifests/init.pp


So the math department has its own user math. With this, they only have 
access to /etc/puppet/data/math/
So they know their own environments, but they don't know the environment 
names of the other puppet users.
The puppet.conf on the puppet server is only readable by the 
puppetmaster daemon ...

Is this a suitable way?


Philipp




Macno wrote:
> I do that in this way:
>
> On puppet.conf on the puppetmaster:
> -----------------------------------
> [puppetmasterd]
>     reports = store,rrdgraph,tagmail,log
>     autosign = true
>     environments = alpha,beta,gamma
>     manifest = /no/file
>
> [beta]
>     modulepath = /etc/puppet/data/beta/
>     manifest = /etc/puppet/manifests/site-beta.pp
>
> [alpha]
>     modulepath = /etc/puppet/data/alpha/
>     manifest = /etc/puppet/manifests/site-alpha.pp
>
> [gamma]
>     modulepath = /etc/puppet/data/gamma/
>     manifest = /etc/puppet/manifests/site-gamma.pp
> -----------------------------------
>
>  /etc/puppet/manifests/site-beta.pp has something like:
> import "project_beta" (a module, in  where you define your
> infrastructure, placed in /etc/puppet/data/beta/ )
>
> Permissions on /etc/puppet/data/beta/ are limited to the users/groups
> that can manage files for the beta environment.
>
>
> On puppet.conf on the client (for example of the beta environment):
> [main]
>     vardir = /var/lib/puppet
>     logdir = /var/log/puppet
>     rundir = /var/run/puppet
>     ssldir = $vardir/ssl
>     environment = beta
>
> [puppetd]
>     classfile = $vardir/classes.txt
>     localconfig = $vardir/localconfig
>     environments = beta
>
>
>
> You can define also testing / production environments for each
> department, with something like:
>
> On clients:
> [main]
>     vardir = /var/lib/puppet
>     logdir = /var/log/puppet
>     rundir = /var/run/puppet
>     ssldir = $vardir/ssl
>     environment = betaprod
>
> [puppetd]
>     classfile = $vardir/classes.txt
>     localconfig = $vardir/localconfig
>     environments = betatest,betaprod
>
> (normal puppetruns use beta-prod, with
> "puppetd -t --environment=betatest" you run on the test environment of beta).
>
> puppet.conf on the puppet master becomes something like:
> [puppetmasterd]
>     reports = store,rrdgraph,tagmail,log
>     autosign = true
>     environments = alphatest,alphaprod,betatest,betaprod ...
>     manifest = /no/file
>
>
> [betatest]
>     modulepath = /etc/puppet/data/beta/test/
>     manifest = /etc/puppet/manifests/site-beta.pp
>
> [betaprod]
>     modulepath = /etc/puppet/data/beta/prod/
>     manifest = /etc/puppet/manifests/site-beta.pp
>
>
> /etc/puppet/data/beta/test/ and /etc/puppet/data/beta/prod/ are both
> git clones that pull from something like  /etc/puppet/data/beta/
> gitrepo
>
> My2c
>
> Alessandro Franceschi
>
> On 7 Sep, 10:24, philipp Hanselmann <philipp.hanselm...@gmail.com>
> wrote:
>   
>> We are planning to use a puppet server for several internal customers at
>> our school (ETHZ - Swiss Federal Institute of Technology Zürich).
>>
>> One way could be to choose  a separate environment for each customer ...
>>
>> Each customer will get a normal user on the puppet server. With this he
>> can edit his files inside his own environment path ...
>>
>> But how can  we ensure that the customers are separated? It should NOT
>> be possible for customer X to choose an environment from customer Y.
>>
>> Is there a way to implement this?
>>
>> Philipp Hanselmann
>>     
> >
>
>   
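
An added example, not part of the original thread or of Puppet itself: a small audit of a puppetmaster puppet.conf for the per-tenant layout discussed above. It reports environments whose modulepath or manifest falls outside /etc/puppet/data or mixes two tenant/stage subtrees, and checks that the file has no group or other permission bits. The section names, the sample config and the single-directory modulepath are assumptions.

```python
import os
import stat

SERVICE_SECTIONS = {"main", "puppetmasterd", "puppetd"}  # not environments
# Constructed sample config; tenant names and tokens are placeholders.
SAMPLE = """
[puppetmasterd]
    manifest = /no/file
[tenanta-EXAMPLE1-dev]
    modulepath = /etc/puppet/data/tenanta/dev/modules
    manifest = /etc/puppet/data/tenanta/dev/manifests/init.pp
[tenantb-EXAMPLE2-prd]
    modulepath = /etc/puppet/data/tenantb/dev/modules
    manifest = /etc/puppet/data/tenantb/prd/manifests/init.pp
"""

def parse_sections(text):
    """Parse puppet.conf-style text into {section: {key: value}}."""
    sections, current = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1], {})
        elif "=" in line and current is not None and not line.startswith("#"):
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    return sections

def subtree(path, data_root):
    """Return (tenant, stage) for a path below data_root, else None."""
    parts = os.path.relpath(path, data_root).split(os.sep)
    return None if parts[0] == os.pardir or len(parts) < 2 else (parts[0], parts[1])

def audit_environments(text, data_root="/etc/puppet/data"):
    """List (environment, problem) pairs for paths that leave data_root or mix subtrees."""
    findings = []
    for name, opts in parse_sections(text).items():
        if name in SERVICE_SECTIONS:
            continue
        trees = {k: subtree(opts[k], data_root)
                 for k in ("modulepath", "manifest") if k in opts}
        findings += [(name, f"{k} is outside {data_root}")
                     for k, t in trees.items() if t is None]
        if len({t for t in trees.values() if t}) > 1:
            findings.append((name, "modulepath and manifest use different subtrees"))
    return findings

def conf_is_private(path):
    """True if group and other have no permission bits on the file."""
    return stat.S_IMODE(os.stat(path).st_mode) & 0o077 == 0
```
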


--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups 
"Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com
To unsubscribe from this group, send email to 
puppet-users+unsubscr...@googlegroups.com
For more options, visit this group at 
http://groups.google.com/group/puppet-users?hl=en
-~----------~----~----~----~------~----~------~--~---