It depends on two things: your CA and the content of auth.conf. If you have one CA signing all your certificates, then every host can validate the cert on every master. If that's the case, then any host with the correct permissions in auth.conf can issue the puppet kick command. If you have different CAs, then the auth.conf can only (successfully) authorize hosts signed with the same CA.
On Fri, Apr 22, 2011 at 12:51 PM, Arm Adam <arm.adam.gro...@gmail.com> wrote:

> Posting here as well as on the developers group (they suggested that I
> repost here).
>
> How does puppet kick work in a scenario where a puppet master is
> managing puppet masters who manage puppet masters who manage agents?
> Do I have to kick from the immediate Master of the agent I want to
> kick? Do I first have to wait for a deployed module at the top level
> puppet master to trickle down to agent's immediate puppet master or
> will a puppet master look upstream if it doesn't have a module that an
> agent is configured to receive (via LDAP)?
>
> Pardon the below ASCII art (hopefully it comes through), but take a
> look to see what I mean. PM = Puppet Master. PA = Puppet Agent.
>
>            PM
>           /  \
>         PM    PM
>        /  \  /  \
>      PM    PM    PM
>     / \   / \   / \
>    PA  PA  PA  PA  PA
>
> Thanks!
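
An added illustration, not part of the original thread: an agent-side auth.conf stanza of the kind the reply refers to, with an over-broad rule shown beside a restricted one. The hostname kicker.example.com is a placeholder. The name in `allow` is matched against the caller's certificate name, which the agent only accepts if the certificate chains to a CA it trusts, which is why the shared-CA condition in the reply matters.

```conf
# auth.conf on the agent that should accept "puppet kick"
# (the agent must also run with listen = true in puppet.conf)

# Over-broad: any host holding a certificate signed by a CA this
# agent trusts may trigger a run. With a single CA for the whole
# hierarchy, that is every master and every agent.
#
# path   /run
# method save
# auth   yes
# allow  *

# Restricted: only the named host may trigger a run.
# kicker.example.com is a placeholder for the certname of the
# master (or admin host) that is meant to issue the kick.
path   /run
method save
auth   yes
allow  kicker.example.com
```

In a multi-tier layout like the one in the question, listing only the immediate master's certname in `allow` keeps a shared CA from implicitly letting every signed host kick every agent.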