Hi Nick,

My biggest concern is that nodes can access other nodes' resources stored in 
PuppetDB, which effectively means that parameters like passwords and other 
sensitive information are exposed.

I also wonder if PuppetDB has any sense of environments? What I mean is, does 
it separate data in environments, so for example, NODE1, being in the 
development environment, can access NODE2's resources, which is in the 
production environment?

Thanks,
Vaidas

On Friday, 26 October 2012 19:56:26 UTC+1, Nick Lewis wrote:
>
> On Friday, October 26, 2012 7:24:18 AM UTC-7, ak0ska wrote:
>
>> Hello,
>>
>> Is it possible to control from which nodes it is allowed to execute 
>> commands like "replace catalog" and "replace facts", and which nodes can 
>> only do queries (but no changes)? It seems like once someone can access 
>> the service through http or https (depending on jetty.ini settings), they 
>> can do both.
>>
>>
> Unfortunately, this isn't currently possible, though it's certainly 
> something we'd like to provide in the future. Currently the only 
> restriction that can be made is a whitelist of certnames which are allowed 
> to talk to the API, for both read and write alike.
>
> Until this is supported by PuppetDB itself, you could use a proxy to allow 
> only certain routes.
>
> If we were to add this feature, would it be sufficient to just have "no 
> access", "read access", and "read/write access" as categories, or would you 
> need something more granular than that (for instance, can query metrics but 
> not facts)?
>
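
The proxy-side route restriction suggested in the quoted reply, sketched as a default-deny decision function using the three proposed categories; this is an added example, not part of the thread and not PuppetDB code. The route names, the optional /vN prefix and the certnames are assumptions to replace with the values from the deployed PuppetDB's API docs and CA.

```python
from urllib.parse import unquote

# Assumed route names; confirm against the API docs for the PuppetDB version in use.
WRITE_ROUTES = ("/commands",)                                 # "replace catalog", "replace facts"
READ_ROUTES = ("/facts", "/resources", "/nodes", "/metrics")  # queries

# Hypothetical certnames, taken from the client certificate the proxy verified.
ACCESS = {
    "puppetmaster.example.com": "read/write",
    "dashboard.example.com": "read",
}  # any certname not listed gets "no access"


def canonical_path(target):
    """Return the path the policy is evaluated on, or None if it is ambiguous."""
    path = unquote(target.split("?", 1)[0])
    if not path.startswith("/") or "%" in path or "\\" in path or "\x00" in path:
        return None  # relative, double-encoded, or oddly separated
    segments = [s for s in path.split("/") if s]
    if any(s in (".", "..") for s in segments):
        return None  # never guess how the backend resolves dot segments
    if segments and segments[0][0] == "v" and segments[0][1:].isdigit():
        segments = segments[1:]  # assumed optional version prefix such as /v2
    return "/" + "/".join(segments)


def under(path, routes):
    """True if path is one of the routes or lies beneath it."""
    return any(path == r or path.startswith(r + "/") for r in routes)


def allowed(certname, method, target):
    """Default deny: only known certnames, known routes, expected methods."""
    level = ACCESS.get(certname)
    path = canonical_path(target)
    if level is None or path is None:
        return False
    if under(path, WRITE_ROUTES):
        return method == "POST" and level == "read/write"
    if under(path, READ_ROUTES):
        return method in ("GET", "HEAD")
    return False
```

The proxy should refuse any request for which allowed() returns False rather than forwarding it, including targets that canonical_path() rejects as ambiguous.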
