On Dec 20, 2007, at 4:00 PM, Ian Burrell wrote:
> What is required to allow running puppetrun as a normal user? The
> documentation implies that puppetrun has to be run as root to get
> access to the SSL certificates. What permissions need to be set to
> allow normal users (or a group of users) to perform puppetrun? Is it
> possible to create a more-public certificate that can only be used for
> puppetrun? We could use the ability to have developers kick off
> configuration runs for deploying software but would prefer not giving
> them root access.
The "right" answer is to make it easy to generate user certificates,
too, but I haven't made any special efforts to do so.

However, it may not be necessary. You should be able to do something
like generate a cert for your email address:

    sudo puppetca --generate luke@madstop.com

Then copy the cert and key to ~/.puppet/ssl in the appropriate dirs,
and finally, set the 'certname' to your email address in
~/.puppet/puppet.conf.

Note that I haven't tried this, but it should actually work. Feel
free to file bugs for things that don't work.

Note also that these will be full certs, so they'll be allowed to
connect to your server and any listening clients. I haven't made any
explicit effort to handle email addresses, or user-related CNs, in
authorization, so most likely, having 'allow *.madstop.com' would
also allow luke@madstop.com, for example.

Again, I just haven't handled any of these things. I want them to
work, I just haven't taken time on them.

--
The real art of conversation is not only to say the right thing at the
right place but to leave unsaid the wrong thing at the tempting
moment. -- Dorothy Nevill
---------------------------------------------------------------------
Luke Kanies | http://reductivelabs.com | http://madstop.com