The Puppet Labs Issue Tracker has moved to https://tickets.puppetlabs.com. See that site for information on filing tickets with JIRA.
Overhauling authorization system internals and interface
- Affected Puppet version:
- Branch: https://github.com/puppetlabs/puppet/pull/991
When I’ve gone to document auth.conf, fileserver.conf, and now autosign.conf, I’ve run into the same pattern: I interview and get a consensus for how everyone thinks it works, I test it, and it turns out to work a: very differently, and b: non-optimally. (For example, autosign.conf is effectively useless if you’re using certnames that don’t look exactly like FQDNs.) I’m guessing I’d find something similar if I had any intention of ever documenting namespaceauth.conf.
Anyway, I now believe that the authorization code, especially the constellation of stuff surrounding and using Puppet::Network::AuthStore, is badly overcomplicated and at least partly misconceived. Issues stemming from this include the total lack of globbing or patterning in auth.conf (#5777 and #5966), auth.conf being useless for certain valid certnames (#7014, #7589) and otherwise basically assuming certname = DNS name, file parsing errors (#5010), behavior that appears based on misconceptions about how the system works (#7057), and more.
This issue is a little nebulous, but I believe we need to figure out where it’s necessary to specifically allow nodes to do things, design a flexible and simple underlying representation of these rights, and unify the way we express those rights in config files.
(Obviously this can’t happen until Telly, at the earliest.)
#6 Updated by Anonymous almost 4 years ago
- Status changed from Accepted to Merged - Pending Release
- Branch set to https://github.com/puppetlabs/puppet/pull/991
Merged into 3.x
Merged into master
#10 Updated by Anonymous over 3 years ago
- Status changed from Merged - Pending Release to Accepted
- Assignee deleted
- Target version deleted
As Patrick mentioned, this ticket is an “umbrella” ticket that describes the need to re-design our authentication system.
The commits and merges related to this ticket probably should have been related to some other, more specific ticket.
Let’s keep this ticket open and accepted and targeting a future version of Puppet with the intent of improving the user-facing design of the authorization system.