Bug #7705
Overhauling authorization system internals and interface
| Status: | Needs Decision | Start date: | 04/07/2011 |
|---|---|---|---|
| Priority: | Normal | Due date: | |
| Assignee: | | % Done: | 0% |
| Category: | security | | |
| Target version: | 3.X | | |
| Affected Puppet version: | | Branch: | |
| Keywords: | | | |
| Votes: | 1 | | |
Description
When I’ve gone to document auth.conf, fileserver.conf, and now autosign.conf, I’ve run into the same pattern: I interview and get a consensus for how everyone thinks it works, I test it, and it turns out to work (a) very differently and (b) non-optimally. (For example, autosign.conf is effectively useless if you’re using certnames that don’t look exactly like FQDNs.) I’m guessing I’d find something similar if I had any intention of ever documenting namespaceauth.conf.
Anyway, I now believe that the authorization code, especially the constellation of stuff surrounding and using Puppet::Network::AuthStore, is badly overcomplicated and at least partly misconceived. Issues stemming from this include the total lack of globbing or patterning in auth.conf (#5777 and #5966), auth.conf being useless for certain valid certnames (#7014, #7589) and otherwise basically assuming certname = DNS name, file parsing errors (#5010), behavior that appears based on misconceptions about how the system works (#7057), and more.
This issue is a little nebulous, but I believe we need to figure out where it’s necessary to specifically allow nodes to do things, design a flexible and simple underlying representation of these rights, and unify the way we express those rights in config files.
(Obviously this can’t happen until Telly, at the earliest.)
Subtasks
History
Updated by James Turnbull 7 months ago
- Category set to security
- Target version set to 3.X