Thanks Ken. It get your point and it totally makes sense.
On 15 February 2013 15:36, Ken Barber <k...@puppetlabs.com> wrote: > >> > My biggest concern is that nodes can access other nodes resources > stored > >> > in > >> > PuppetDB, which effectively means that parameters like passwords and > >> > other > >> > sensitive information is exposed. > >> > >> If the data is not exported this shouldn't be the case ordinarily. > > > > > > It actually is the case. For example a file resource does not have to be > > exported for its content to be stored in puppetdb. > > Yup agreed ... which is what I was trying to say here, probably not > very clearly though: > > "Obviously though if your content is uncontrolled it is possible for > someone to use a function from the puppet master to query data (FYI - > functions run on the puppetmaster, not the agents)." > > > I think just a simple separation would be sufficient. So that nodes by > > default wouldn't be able to access data from other environments. > > > > I would also be nice to be able easily query PuppetDB API by environment, > > something like: /v2/<environment>/nodes or > > /v2/nodes?environment=<environment>. > > So in this case for true separation the puppet master would need to > declare to the PuppetDB what environment it is constrained too. > Interesting problem, as confining PuppetDB access down to a > certificate would then not be enough to constrain this for security > purposes, as we don't hand out per environment Puppet master > certificates :-). > > Today, the way to do it would be - separate puppet master (each with > their own certificate) and separate PuppetDB instance, with whitelists > only allowing the master on a particular environment to talk to a > PuppetDB on the same environment. This may or not be desirable ... but > there are other levels of security separation that might deem this > necessary beyond PuppetDB. Hiera data is an example of other data one > would want to separate (especially hiera-gpg stored data). > > That is, if one truly wanted to keep environments separate for > security reasons - running completely separate hosts/clusters for each > environment for this would provide better guarantees to that end, not > just at an application level. With each environment maintaining its > own CA, master, puppetdb and hiera sources etc. > > ken. > > -- > You received this message because you are subscribed to the Google Groups > "Puppet Users" group. > To unsubscribe from this group and stop receiving emails from it, send an > email to puppet-users+unsubscr...@googlegroups.com. > To post to this group, send email to puppet-users@googlegroups.com. > Visit this group at http://groups.google.com/group/puppet-users?hl=en. > For more options, visit https://groups.google.com/groups/opt_out. > > > -- Vaidas Jablonskis -- You received this message because you are subscribed to the Google Groups "Puppet Users" group. To unsubscribe from this group and stop receiving emails from it, send an email to puppet-users+unsubscr...@googlegroups.com. To post to this group, send email to puppet-users@googlegroups.com. Visit this group at http://groups.google.com/group/puppet-users?hl=en. For more options, visit https://groups.google.com/groups/opt_out.
