Feature #7407
Puppet master should provide variables for secure node identification
| Status: | Accepted | Start date: | 05/05/2011 |
|---|---|---|---|
| Priority: | Normal | Due date: | |
| Assignee: | - | % Done: | 0% |
| Category: | usability | | |
| Target version: | 3.X | | |
| Affected Puppet version: | | Branch: | |
| Keywords: | | | |
| Votes: | 0 | | |
Description
The puppet master should provide a set of variables, with a common prefix, to securely identify the connecting node, to be used in manifests and templates.
I would like to see:
- the certificate name of the connecting node (cn, commonname)
- the IP address of the connecting node (which will not necessarily be unique)
- the timestamp, made by the master, when the node connected
name
As of now, variables like $certname and $fqdn seem to be provided by the node.
I would like to not have to trust too much of what the node is sending to the master.
time
Primarily used for auditing purposes.
If a node has incorrect time set (for instance, far into the future), this will propagate as far as the dashboard.
I would like to have the time of the connection, set by the master.
address
Primarily used for auditing purposes.
Alternative example: When a laptop node is “not on the local network”, configure only important, low-bandwidth or non-sensitive things.
History
Updated by Daniel Pittman about 1 year ago
- Category set to usability
- Status changed from Unreviewed to Needs Decision
- Assignee set to Nigel Kersten
I think this is a reasonable request, provided we document the limitations of the information, and address the security issues around keeping them appropriately secure – check we don’t allow a hostile node to overwrite them, or the user to replace them incorrectly.
Updated by Nigel Kersten about 1 year ago
- Status changed from Needs Decision to Accepted
- Assignee deleted (Nigel Kersten)
- Target version set to 3.X
Sounds like we should be exposing a ‘client’ hash of some kind.
$client['address'] etc?
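A sketch of the separation this ticket asks for, added here as an illustration and not taken from Puppet's code base: node-supplied facts stay untrusted, while a reserved `client` hash is filled only from what the master itself observed, and a node cannot overwrite it. The `Connection` struct, `build_scope`, the key names inside the hash and the sample values are all assumptions made for the example.

```ruby
require 'time'

# Hypothetical reserved variable name, after the 'client' hash floated in the thread.
RESERVED_KEY = 'client'

# What the master itself observed about the connection (constructed type, not a
# Puppet class). verified_cn must come from a certificate the master's TLS layer
# has already validated against its CA, never from the request body.
Connection = Struct.new(:verified_cn, :peer_address, :accepted_at)

# node_facts is whatever the node sent and is treated as untrusted input.
# Returns the variables for compilation plus audit warnings.
def build_scope(node_facts, conn)
  raise ArgumentError, 'no verified certificate name' if conn.verified_cn.to_s.empty?

  # A node must not be able to occupy the reserved name, in any key spelling.
  rejected, facts = node_facts.partition { |k, _| k.to_s.downcase == RESERVED_KEY }.map(&:to_h)
  facts = facts.transform_keys(&:to_s)

  client = {
    'certname' => conn.verified_cn.dup.freeze,
    'address'  => conn.peer_address.to_s.freeze,
    'time'     => conn.accepted_at.getutc.iso8601.freeze # master clock, not the node's
  }.freeze

  warnings = []
  warnings << "node tried to set reserved '#{RESERVED_KEY}'" unless rejected.empty?
  if facts.key?('certname') && facts['certname'] != conn.verified_cn
    warnings << "node-claimed certname #{facts['certname'].inspect} != verified #{conn.verified_cn.inspect}"
  end

  { scope: facts.merge(RESERVED_KEY => client).freeze, warnings: warnings }
end

# Constructed sample: a node presenting web01's certificate while claiming to be db01.
SAMPLE_CONN  = Connection.new('web01.example.com', '192.0.2.10', Time.at(1_304_553_600))
SAMPLE_FACTS = {
  'certname' => 'db01.example.com',
  'fqdn'     => 'db01.example.com',
  :client    => { 'address' => '10.0.0.1' }
}.freeze

if $PROGRAM_NAME == __FILE__
  result = build_scope(SAMPLE_FACTS, SAMPLE_CONN)
  puts result[:scope][RESERVED_KEY]
  result[:warnings].each { |w| warn w }
end
```

The node's own `certname` and `fqdn` remain available as ordinary facts; only the values under `client` are safe to use for access decisions or audit records.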