I wanted to expose the PuppetDB query API to developers but without exposing too
much information (for example file contents that could contain passwords etc.).
So I''ve created a small filtering proxy for it using apache and
mod_ext_filter. It will allow any queries through but filter out the parameters
on classes and resources in the replies. So you can still query for hosts
matching certain criteria but without exposing every hosts entire configuration.
I''ve seen some people on the #puppet IRC channel that has wanted
something similar, so I thought I should describe it here.
It uses apache2, mod_ext_filter and mod_proxy_http, so activate them.
Put this filter in /usr/local/bin/puppetdb-resource-filter
----
#!/usr/bin/ruby
require ''json''
out = JSON.parse($stdin.read).each do |item|
item[''parameters''] = {}
end
puts JSON.generate(out)
----
And add a apache config containing this (and modify to use HTTPS, password
auth/ssl cert auth or whatever you want in it):
----
ExtFilterDefine puppetdb-strip-resource-params mode=output \
intype=application/json outtype=application/json \
cmd="/usr/local/bin/puppetdb-resource-filter"
<VirtualHost *:80>
<Proxy *>
Order Allow,Deny
Allow from all
</Proxy>
ProxyPreserveHost On
<Location "/">
ProxyPass http://localhost:8080/
ProxyPassReverse http://localhost:8080/
</Location>
# Filter this endpoint
<Location "/resources">
SetOutputFilter puppetdb-strip-resource-params
</Location>
# Deny access to this endpoint
<Location "/commands">
Deny from all
</Location>
</VirtualHost>
----
--
Erik Dalén
--
You received this message because you are subscribed to the Google Groups
"Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to
puppet-users+unsubscribe@googlegroups.com.
For more options, visit this group at
http://groups.google.com/group/puppet-users?hl=en.