Hi,

This might be a silly question but if I have a fileserver configured like this:

[files]
path = /etc/puppet/files
allow *

Does that mean:

1. Anybody in the world (who can reach my puppet master) can view/pull files?

2. Only the clients who've been signed via the "puppetca --sign" process can view/pull files?

I did read the page on file security here, but it wasn't definitive for me:
http://reductivelabs.com/trac/puppet/wiki/FileServingConfiguration

Simon

--
You received this message because you are subscribed to the Google Groups "Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com
To unsubscribe from this group, send email to puppet-users+unsubscribe@googlegroups.com
For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en
Simon Strange wrote:
> Hi,
>
> This might be a silly question but if I have a fileserver configured like this:
>
> [files]
> path = /etc/puppet/files
> allow *
>
> Does that mean:
>
> 1. Anybody in the world (who can reach my puppet master) can view/pull files?
>
> 2. Only the clients who've been signed via the "puppetca --sign"
> process can view/pull files?

There are two layers of granularity:

1. Only clients authenticated via certificate can connect.
2. Only clients which are authenticated AND specifically allowed access to the file server mount can retrieve files.

Regards

James Turnbull

--
Author of:
* Pro Linux Systems Administration (http://tinyurl.com/linuxadmin)
* Pulling Strings with Puppet (http://tinyurl.com/pupbook)
* Pro Nagios 2.0 (http://tinyurl.com/pronagios)
* Hardening Linux (http://tinyurl.com/hardeninglinux)
One thing to add to this - if you have set autosign.conf to autosign anything then it is possible for a remote client to get a certificate remotely then retrieve files... Of course this will take a few requests, but it's possible...

Greg

On Aug 10, 7:47 am, James Turnbull <ja...@lovedthanlost.net> wrote:
> Simon Strange wrote:
> > Hi,
> >
> > This might be a silly question but if I have a fileserver configured like this:
> >
> > [files]
> > path = /etc/puppet/files
> > allow *
> >
> > Does that mean:
> >
> > 1. Anybody in the world (who can reach my puppet master) can view/pull files?
> >
> > 2. Only the clients who've been signed via the "puppetca --sign"
> > process can view/pull files?
>
> There are two layers of granularity:
>
> 1. Only clients authenticated via certificate can connect.
> 2. Only clients which are authenticated AND specifically allowed
> access to the file server mount can retrieve files.
>
> Regards
>
> James Turnbull
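As an added example, not code from the thread or from Puppet itself: a small Python audit that parses a constructed fileserver.conf and autosign.conf and reports the combination the two replies describe, a mount with `allow *` (every certified client may read it) escalated when autosign.conf signs any CSR (so any host that can reach the master can become a certified client). The sample file contents, the severity labels and the accepted `key = value` / `key value` line forms are assumptions.

```python
import re
from typing import Dict, List

# Constructed sample configs, not taken from the thread: [files] repeats the
# questioner's "allow *" mount, [private] shows an allow list narrowed to a
# domain; the autosign.conf holds a bare "*", which signs every CSR.
FILESERVER_CONF = """\
[files]
  path = /etc/puppet/files
  allow *

[private]
  path = /etc/puppet/private
  allow *.example.com
"""
AUTOSIGN_CONF = "# sign every CSR without review\n*\n"

def parse_fileserver_conf(text: str) -> Dict[str, Dict[str, List[str]]]:
    """Return {mount: {"path": [...], "allow": [...], "deny": [...]}}; '#' starts a comment."""
    mounts: Dict[str, Dict[str, List[str]]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        section = re.match(r"^\[([^\]]+)\]$", line)
        if section:
            current = section.group(1)
            mounts[current] = {"path": [], "allow": [], "deny": []}
            continue
        # normalise "key = value" to "key value", then split off the key
        key, _, value = re.sub(r"\s*=\s*", " ", line, count=1).partition(" ")
        if current is None or not value:
            raise ValueError(f"malformed or misplaced line: {raw!r}")
        if key in mounts[current]:
            mounts[current][key].append(value.strip())
    return mounts

def autosign_is_open(text: str) -> bool:
    """True when autosign.conf contains a bare '*' (any CSR gets signed)."""
    return any(l.split("#", 1)[0].strip() == "*" for l in text.splitlines())

def audit(fileserver_text: str, autosign_text: str) -> List[str]:
    """Flag mounts readable by every certified client; escalate when open autosigning
    lets any host that can reach the master obtain a certificate."""
    open_ca = autosign_is_open(autosign_text)
    findings = []
    for name, mount in parse_fileserver_conf(fileserver_text).items():
        if "*" in mount["allow"]:
            severity = "HIGH (autosign *)" if open_ca else "MEDIUM"
            findings.append(f"{severity}: mount [{name}] allows any signed client")
    return findings
```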