On Wed, Sep 19, 2012 at 7:36 AM, jcbollinger <john.bollin...@stjude.org> wrote:
>
> On Tuesday, September 18, 2012 1:36:53 PM UTC-5, Philip Brown wrote:
>>...
>> ...
>
> I think that's just fine. Though no one would know from the responses you
> received before, I think some people do pretty much what you're describing.

Thanks for the reply then :)

...

> Note, however, that there are security implications to using facts instead
> of node identities to classify nodes. Node declarations are matched to
> client SSL certnames, and it is only a convention that these are normally
> the same as the hostname.

This sounds like an oversight in Puppet design. Seems like there would be a benefit for some kind of verification flag somewhere, either as a "facter", or an optional class, or something, for

    ensure => signed_hostname

if you see what I mean.

And/or allow an additional, server-side "fact", that matches based on the cert the client connects with, rather than $hostname.
$certname ?
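
As an added illustration of the server-side `$certname` idea raised above (not code from this thread or from the Puppet project): in Puppet releases that provide the `$trusted` hash, the master fills `$trusted['certname']` from the certificate the agent authenticated with, so a manifest can check the agent-reported hostname against it. The `profile::*` classes, the `example.com` names, and the assumption that this site's certnames equal node FQDNs are hypothetical.

```puppet
# Added example; profile::* classes and example.com names are hypothetical.

# Identity the master took from the agent's verified SSL certificate,
# not from anything the agent reported as a fact.
$cert_name = $trusted['certname']

# $trusted['authenticated'] is 'remote' (certificate checked by the master),
# 'local' (puppet apply) or false. Refuse anything else.
unless $trusted['authenticated'] in ['remote', 'local'] {
  fail("Unauthenticated catalog request for ${cert_name}")
}

# The hostname fact is whatever the agent chooses to send. Assuming the site
# convention that certname == FQDN, stop compilation when the two disagree,
# so a node cannot claim another machine's name to obtain its classes.
$reported = $facts['networking']['fqdn']
if $reported != $cert_name {
  fail("Agent reports '${reported}' but its certificate is '${cert_name}'")
}

# Classify on the verified name rather than on an agent-supplied fact.
case $cert_name {
  /^db\d+\.example\.com$/:  { include profile::database }
  /^web\d+\.example\.com$/: { include profile::webserver }
  default:                  { include profile::base }
}
```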