On Jul 6, 2012, at 1:40 AM, DEGREMONT Aurelien wrote:

> On 05/07/2012 19:00, Daniel Pittman wrote:
>>
>> That would ... probably not show a lot of short-term performance gain
>> for you. The static compiler,
>>
> We tested (and proposed some fixes (pull request #769)) and that looks
> interesting, but the static compiler has some bad side effects which remove
> some nice aspects of Puppet.
>
> We like that Puppet, through the fileserver, can filter file access based on the
> certificate information. We use it to strictly prevent clients from accessing files
> they should not.
> With the static compiler, the puppet agent now accesses files through the
> filebucket, which does not have such separation. Any client can access all
> files in the filebucket; we cannot filter this.
> It would be nice if the static compiler could insert file metadata checksums into the
> catalog, as it already does to reduce agent/master traffic, but still keep a
> file source that the agent can use to retrieve the file from the fileserver when
> needed.
It's not perfect, but one could argue the static compiler is inherently more secure than normal file management, and with less configuration, and certainly less configuration maintenance.

In order to retrieve a file from a filebucket, you must first know the checksum of that file's content, and to know that, you must (generally) know the actual content. Thus, the checksum functions as a password to access the file content, and it's configured completely automatically, with no human input.

It's obviously not perfect, because of logs and things, but it's pretty darn good.

-- 
Luke Kanies | http://about.me/lak | http://puppetlabs.com/ | +1-615-594-8199
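The two retrieval paths the thread contrasts, as an added in-memory model written for this page (it is not Puppet's code and does not reproduce the real fileserver or filebucket interfaces, only their access semantics). The fileserver side gates a path lookup on the client's certname, the way fileserver.conf allow lists do; the filebucket side is content-addressed by the MD5 digest the static compiler places in the catalog, with no per-client filter, so the digest is the only credential. The last function shows the caveat Luke concedes: once a digest leaks (catalog, log line), a file whose content comes from a small space can be recovered by enumeration rather than by knowing it. All paths, certnames, file contents and the candidate list are constructed sample data.

```ruby
require 'digest'

# Fileserver model: content is looked up by path, and the lookup is gated on the
# requesting client's certificate name, as Puppet's fileserver allow rules are.
class FileServer
  def initialize
    @files = {}   # path => content
    @allow = {}   # path => certnames permitted to read that path
  end

  def add(path, content, allow:)
    @files[path] = content
    @allow[path] = allow
  end

  # Returns the content, or nil when the path is unknown or the certname is not allowed.
  def fetch(path, certname)
    return nil unless @files.key?(path)
    return nil unless @allow[path].include?(certname)
    @files[path]
  end
end

# Filebucket model: content-addressed by MD5 (the digest Puppet's filebucket used
# by default at the time of this thread). Note that fetch takes no certname: whoever
# holds the digest gets the bytes, which is exactly the separation Aurelien misses
# and the "checksum as password" property Luke describes.
class FileBucket
  def initialize
    @store = {}   # hex digest => content
  end

  # Store content and return the digest a static-compiled catalog would carry.
  def backup(content)
    digest = Digest::MD5.hexdigest(content)
    @store[digest] = content
    digest
  end

  def fetch(digest)
    @store[digest]
  end
end

# The weak side of the argument: a leaked digest of low-entropy content (a one-word
# flag file, a templated one-liner) is recoverable by hashing candidates until one
# matches. High-entropy content, such as a random key, is not guessable this way.
def recover_from_digest(digest, candidates)
  candidates.find { |c| Digest::MD5.hexdigest(c) == digest }
end

# Exercises both models on constructed sample data and returns the observations.
def demo
  secret = "password=s3cr3t\n"   # constructed file content

  fs = FileServer.new
  fs.add('/secrets/db.conf', secret, allow: ['db01.example.com'])

  bucket = FileBucket.new
  digest = bucket.backup(secret)

  {
    fileserver_allowed:  fs.fetch('/secrets/db.conf', 'db01.example.com'),
    fileserver_denied:   fs.fetch('/secrets/db.conf', 'web01.example.com'),
    bucket_any_client:   bucket.fetch(digest),   # no certname needed
    bucket_wrong_digest: bucket.fetch('0' * 32), # without the digest, nothing
    guessed_flag: recover_from_digest(Digest::MD5.hexdigest("enabled\n"),
                                      ["disabled\n", "enabled\n", "maintenance\n"]),
  }
end

if __FILE__ == $PROGRAM_NAME
  demo.each { |k, v| puts "#{k}: #{v.inspect}" }
end
```

The model makes the trade-off concrete: the fileserver can say no to web01 for a path it knows about, while the filebucket cannot distinguish clients at all and relies on the digest never reaching a client that should not have the content. That is a sound assumption for unguessable content and a weak one for files drawn from a handful of possible values.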