[Puppet - Bug #7705] (Merged - Pending Release) Overhauling authorization system internals and interface
2012-08-01 00:11:31 GMT
- Status changed from Accepted to Merged - Pending Release
- Branch set to https://github.com/puppetlabs/puppet/pull/991
Merged into 3.x¶
Merged into master¶
- Author: Nick Fagerlund
- Status: Merged - Pending Release
- Priority: Normal
- Assignee: eric sorenson
- Category: security
- Target version: 3.x
- Affected Puppet version:
- Keywords: telly_deprecation
- Branch: https://github.com/puppetlabs/puppet/pull/991
When I’ve gone to document auth.conf, fileserver.conf, and now autosign.conf, I’ve run into the same pattern: I interview and get a consensus for how everyone thinks it works, I test it, and it turns out to work a: very differently, and b: non-optimally. (For example, autosign.conf is effectively useless if you’re using certnames that don’t look exactly like FQDNs.) I’m guessing I’d find something similar if I had any intention of ever documenting namespaceauth.conf.
Anyway, I now believe that the authorization code, especially the constellation of stuff surrounding and using Puppet::Network::AuthStore, is badly overcomplicated and at least partly misconceived. Issues stemming from this include the total lack of globbing or patterning in auth.conf (#5777 and #5966), auth.conf being useless for certain valid certnames (#7014, #7589) and otherwise basically assuming certname = DNS name, file parsing errors (#5010), behavior that appears based on misconceptions about how the system works (#7057), and more.
This issue is a little nebulous, but I believe we need to figure out where it’s necessary to specifically allow nodes to do things, design a flexible and simple underlying representation of these rights, and unify the way we express those rights in config files.
(Obviously this can’t happen until Telly, at the earliest.)--
You received this message because you are subscribed to the Google Groups "Puppet Bugs" group.
To post to this group, send email to puppet-bugs <at> googlegroups.com.
To unsubscribe from this group, send email to puppet-bugs+unsubscribe <at> googlegroups.com.
For more options, visit this group at http://groups.google.com/group/puppet-bugs?hl=en.