On Tuesday, July 17, 2012 3:46:21 PM UTC-7, Jo wrote:
>
> Okay, I totally did see this in the release notes but I read it that you
> weren't allowing certificates with IP addresses in them, not that you
> wouldn't allow IP authentication in auth.conf at all.
>
> Jul 17 14:52:46 sj2-puppet puppet-master[13998]: Authentication based on IP address is deprecated; please use certname-based rules instead
>
> I don't feel that it is reasonable to expect that every puppet customer
> match up their naming scheme to their IP blocks, nor to want to list every
> possible naming scheme in their authorization list when an IP bitmask will
> do the job much more simply.
>
> I don't mind or care about IPs in certificates--I've never seen this, and
> don't expect to. But disallowing IP-based authentication is going to be
> very difficult at many sites, and possibly allow things which were never
> intended. Please reconsider this.
>

This is actually something of a misleading deprecation warning, I'm afraid. The change we plan to make is to distinguish "allow" and "allow_ip", to avoid confusing IPs and certnames. So the change you will need to make is to explicitly use "allow_ip" if you want to do IP-based authentication. However, adding that feature to 2.7.x, though backward compatible, turns out to require a fairly significant rework of some of the auth code, which is a risk we don't feel is appropriate. So the feature won't be in until 3, at which point it will be required.

That means we're in the awkward position of issuing a warning you can't actually fix yet, which is *really* not something we like to do. But it seems better to at least give some alert that you'll need to make a change in the future than to have it suddenly occur without forewarning. So yes, there's definitely a bit of an issue here, but I assure you we don't intend to remove IP-based authentication entirely.

Nick Lewis

> --
> Jo Rhett
> Net Consonance : net philanthropy to improve open source and internet
> projects.
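A migration check for the change described in the reply above, as an added example (not code from the thread or from Puppet): it lists the `allow` values in an auth.conf that look like IPv4 rules, and produces the same file with those values moved to `allow_ip`, which per the reply is only usable from Puppet 3. The function names, the sample file and the IPv4-only pattern are assumptions made for illustration.

```ruby
# Added example, not Puppet's own code.
# Assumption: IPv4 only. Matches full addresses, CIDR blocks (10.0.0.0/8)
# and trailing-wildcard forms (192.168.0.*).
OCTET = /(?:25[0-5]|2[0-4]\d|1?\d?\d)/
IPV4_RULE = %r{\A(?:#{OCTET}(?:\.#{OCTET}){3}(?:/(?:3[0-2]|[12]?\d))?|#{OCTET}(?:\.#{OCTET}){0,2}\.\*)\z}

# Constructed sample auth.conf (not taken from the thread).
SAMPLE = <<~'CONF'
  path /catalog
  method find
  allow $1

  path /file
  allow *.example.com, 192.168.0.0/24
  allow 10.1.*
CONF

# Report: [line number, enclosing path, value] for each IP-style `allow` value.
# Assumption: one directive may carry several comma-separated values.
def ip_allow_rules(text)
  findings = []
  current_path = nil
  text.each_line.with_index(1) do |line, lineno|
    stripped = line.sub(/#.*/, '').strip
    case stripped
    when /\Apath\s+(.+)\z/
      current_path = $1
    when /\Aallow\s+(.+)\z/
      $1.split(/\s*,\s*/).each do |value|
        findings << [lineno, current_path, value] if value =~ IPV4_RULE
      end
    end
  end
  findings
end

# Rewrite for Puppet 3: certname values stay on `allow`, IP values move to
# `allow_ip`. Trailing comments on rewritten lines are dropped.
def rewrite_for_allow_ip(text)
  text.each_line.map do |line|
    m = line.match(/\A(\s*)allow\s+(.+?)(\s*#.*)?\s*\z/)
    next line unless m
    ips, names = m[2].split(/\s*,\s*/).partition { |v| v =~ IPV4_RULE }
    out = []
    out << "#{m[1]}allow #{names.join(', ')}" unless names.empty?
    out << "#{m[1]}allow_ip #{ips.join(', ')}" unless ips.empty?
    out.join("\n") + "\n"
  end.join
end

ip_allow_rules(SAMPLE).each { |n, path, v| puts "line #{n} (path #{path}): #{v}" }
```

On 2.7.x only the report is useful, since the reply states that `allow_ip` is not available until 3.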