
Bug #7705

Overhauling authorization system internals and interface

Added by Nick Fagerlund almost 5 years ago. Updated over 3 years ago.

Status: Accepted
Start date: 04/07/2011
Priority: Normal
Due date: (none)
Assignee: -
% Done: (none)
Target version: -
Affected Puppet version: (none)
Branch: (none)

When I’ve gone to document auth.conf, fileserver.conf, and now autosign.conf, I’ve run into the same pattern: I interview and get a consensus for how everyone thinks it works, I test it, and it turns out to work a: very differently, and b: non-optimally. (For example, autosign.conf is effectively useless if you’re using certnames that don’t look exactly like FQDNs.) I’m guessing I’d find something similar if I had any intention of ever documenting namespaceauth.conf.

Anyway, I now believe that the authorization code, especially the constellation of stuff surrounding and using Puppet::Network::AuthStore, is badly overcomplicated and at least partly misconceived. Issues stemming from this include the total lack of globbing or patterning in auth.conf (#5777 and #5966), auth.conf being useless for certain valid certnames (#7014, #7589) and otherwise basically assuming certname = DNS name, file parsing errors (#5010), behavior that appears based on misconceptions about how the system works (#7057), and more.

This issue is a little nebulous, but I believe we need to figure out where it’s necessary to specifically allow nodes to do things, design a flexible and simple underlying representation of these rights, and unify the way we express those rights in config files.

(Obviously this can’t happen until Telly, at the earliest.)


Bug #7057: Insertion of default ACLs can be blocked by unrelated ACL... (Accepted)

Bug #7589: auth.conf and FQDNs ending in a dot (Needs More Information, John Morton)

Bug #7014: certnames with @ symbols don't pass through auth.conf (Accepted)

Related issues

Related to Puppet - Feature #4388: Remove the namespaceauth.conf file Closed 07/28/2010
Related to Puppet - Bug #16667: Misleading error message "Not authorized to call find" af... Investigating 10/01/2012


#1 Updated by James Turnbull over 4 years ago

  • Category set to security
  • Target version set to 3.x

#2 Updated by Patrick Carlisle almost 4 years ago

  • Assignee changed from Nigel Kersten to eric sorenson

#3 Updated by eric sorenson almost 4 years ago

  • Status changed from Needs Decision to Accepted

I’d like to slate fileserver.conf and namespaceauth.conf for deprecation warnings in 3.x, removal in 4.x.

auth.conf needs to stay, but requires some rework which should be in 3.x.

#4 Updated by Nigel Kersten almost 4 years ago

It would be nice to have the simpler syntax and semantics of fileserver.conf expressed in whatever our replacement is.

It’s a little bit fiddly to manage access to static mounts in auth.conf.

#5 Updated by eric sorenson almost 4 years ago

  • Keywords set to telly_deprecation

#6 Updated by Anonymous almost 4 years ago

  • Status changed from Accepted to Merged - Pending Release
  • Branch set to

#7 Updated by Anonymous over 3 years ago

  • Target version changed from 3.x to 3.0.0

#8 Updated by Patrick Carlisle over 3 years ago

I think this is not really the right ticket for those commits, since this is an umbrella that tracks some other issues we didn’t address. It’s a bit after the fact but maybe we should just make a new one to put it there.

#9 Updated by Moses Mendoza over 3 years ago

The commits were released in 3.0.0-rc4. Did another ticket get made for them, or can this be closed?

#10 Updated by Anonymous over 3 years ago

  • Status changed from Merged - Pending Release to Accepted
  • Assignee deleted (eric sorenson)
  • Target version deleted (3.0.0)


As Patrick mentioned, this ticket is an “umbrella” ticket that describes the need to re-design our authentication system.

The commits and merges related to this ticket probably should have been related to some other, more specific ticket.

Let’s keep this ticket open and accepted and targeting a future version of Puppet with the intent of improving the user facing design of the authorization system.
