Hello all, Is it possible at the moment to set up access control for Puppet Dashboard? As of now anyone within our organization will have full access to the dashboard. I thought I''d set up regular Apache access control, but this will probably not work well with dashboard as an external node tool. I found http://projects.puppetlabs.com/issues/3459 which suggest running dashboard unsecurily on localhost, but I''m hoping that there are other ways. Best regards, Kenneth -- You received this message because you are subscribed to the Google Groups "Puppet Users" group. To post to this group, send email to puppet-users@googlegroups.com. To unsubscribe from this group, send email to puppet-users+unsubscribe@googlegroups.com. For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.
On Tue, 14 Sep 2010 08:19:24 +0200, Kenneth Holter wrote:> > Hello all, > > > Is it possible at the moment to set up access control for Puppet Dashboard? > As of now anyone within our organization will have full access to the > dashboard. I thought I''d set up regular Apache access control, but this will > probably not work well with dashboard as an external node tool. I found > http://projects.puppetlabs.com/issues/3459 which suggest running dashboard > unsecurily on localhost, but I''m hoping that there are other ways. > > Best regards, > Kenneth >Currently, the Dashboard doesn''t have any built-in authentication, or authorization (this isn''t _quite_ true, but it''s close enough to make no difference). There is a ticket generally about this[1], but (as far as I''m aware) it''s a bit hand-wavey, since there hasn''t been much speced out (but, again, I could be wrong about this). If you know what granularity of access-control you''d like/need/actually-use, I''d love to hear what that is (especially if you would be kind enough to take some time to comment in the ticket I mentioned earlier). As far as getting access control right now, it''s pretty much what you mentioned: Putting Dashboard behind something like Apache access controls. You should still be able to use the dashboard as an external node tool, but I''d imagine that you''d either need to allow public access to GET at http://dashboard-host/nodes/* (specifically for requests accepting ''text/yaml''), or modify the external_node script to pass along auth credentials. I haven''t actually done this myself, so I''d love it if someone with more experience doing this could chime in. Hope this helps. [1] http://projects.puppetlabs.com/issues/4168 -- Jacob Helwig
On Tue, Sep 14, 2010 at 9:34 AM, Jacob Helwig <jacob@puppetlabs.com> wrote:> As far as getting access control right now, it''s pretty much what you > mentioned: Putting Dashboard behind something like Apache access > controls. You should still be able to use the dashboard as an external > node tool, but I''d imagine that you''d either need to allow public access > to GET at http://dashboard-host/nodes/* (specifically for requests > accepting ''text/yaml''), or modify the external_node script to pass along > auth credentials. I haven''t actually done this myself, so I''d love it > if someone with more experience doing this could chime in. >Teyo has written an external nodes classifier script using existing certificates to secure puppet master access to dashboard: http://projects.puppetlabs.com/issues/4688 This should allow: SSLVerifyClient optional SSLOption +FakeBasicAuth Thanks, Nan -- You received this message because you are subscribed to the Google Groups "Puppet Users" group. To post to this group, send email to puppet-users@googlegroups.com. To unsubscribe from this group, send email to puppet-users+unsubscribe@googlegroups.com. For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.