Hello, We are actually evaluating "Puppet Open Source Project" as the tool for managing our hosting processes and we have a question about the security in Puppet.
As far as we have read, there are only two places where the security is taken into account:

- the connection between the server and the client (using certificates) http://projects.puppetlabs.com/projects/1/wiki/Certificates_And_Security
- the access to the Puppet Dashboard (using HTTP basic authentication, for example) http://docs.puppetlabs.com/dashboard/manual/1.2/configuring.html

Could you tell us if there are other aspects of security in Puppet that we have not seen, please?

Our first need is to have security on the following main features:

- add / edit / delete Manifests on the Puppet Master
- add / edit / delete Nodes on the Puppet Master
- add / edit / delete bindings between Manifests and Nodes on the Puppet Master

The only way we can think of for the moment in order to meet these security needs is to:

1) Have all the configuration of the Puppet Master stored in Subversion
2) Define fine-grained security on the Subversion repository
3) Prevent all access to the Puppet Master by ssh in order to prevent manual file changes on the Puppet Master
4) Regularly update the configuration files of Puppet from Subversion

So the whole security would be implemented in Subversion, for example:

- a user who is not allowed to commit in Subversion is not allowed to change any configuration.
- a user can be allowed to change the manifests, but won't be allowed to change the binding between manifests and nodes
- there will be a branch for each environment (dev, preprod, prod), so only specific users will be allowed to change prod manifests, nodes and bindings.
- etc.

Is it a good solution? Is there a better solution in order to restrict access as described below, please?

Thanks in advance for your answers.

Best regards,
Christophe
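The access model proposed in the message above could be expressed with Subversion's path-based authorization file. The following is an added illustration, not part of the original post: the repository name `puppet`, the directory layout (`modules/` for manifests, `manifests/` for node definitions and their class bindings), and all group and user names are assumptions.

```ini
# Constructed example of a Subversion authz file.
# Repository name, paths, groups and users are hypothetical.

[groups]
manifest_authors = alice, bob
node_admins      = carol
prod_admins      = dave

# Baseline: everyone can read, nobody can commit.
# The Puppet Master only needs this read access to update its checkout.
[puppet:/]
* = r

# dev: manifest authors may change module code ...
[puppet:/branches/dev/modules]
@manifest_authors = rw

# ... but only node admins may change node definitions and the
# node-to-class bindings (assumed to live in manifests/site.pp
# and manifests/nodes.pp).
[puppet:/branches/dev/manifests]
@node_admins = rw

# preprod and prod: a single restricted group for manifests,
# nodes and bindings alike.
[puppet:/branches/preprod]
@prod_admins = rw

[puppet:/branches/prod]
@prod_admins = rw
```

A user who is not named in a section falls back to the nearest parent section, so everyone outside the listed groups keeps only the read access granted at the repository root.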