Sonal Singhal
2013-Mar-12 09:47 UTC
[Puppet Users] Issue with Mcollective on puppet master and agent
Hello guys,

I have installed the MCollective server on the puppet agent, and the MCollective client and ActiveMQ on the puppet master, and they are working fine. I'm able to ping MCollective servers from the MCollective client using *mco ping*. But I have one query:

=> Since we use the same username and password for Stomp on each MCollective client (client.cfg), and the same username and password are used on the MCollective server (server.cfg), there is no security. If we install the MCollective server on any client (on a puppet agent) and use the same Stomp username and password, we can run all mco commands from that node also. So I want a secure mechanism so that the username and password should not be shared. What can I do for it?
R.I.Pienaar
2013-Mar-12 09:57 UTC
Re: [Puppet Users] Issue with Mcollective on puppet master and agent
----- Original Message -----
> From: "Sonal Singhal" <snlsinghal.9@gmail.com>
> To: puppet-users@googlegroups.com
> Sent: Tuesday, March 12, 2013 9:47:41 AM
> Subject: [Puppet Users] Issue with Mcollective on puppet master and agent
>
> Hello guys,
> I have installed the MCollective server on the puppet agent, and the
> MCollective client and ActiveMQ on the puppet master, and they are working fine.
> I'm able to ping MCollective servers from the MCollective client using *mco ping*.
> But I have one query:
>
> => Since we use the same username and password for Stomp on each MCollective
> client (client.cfg), and the same username and password are used on the MCollective
> server (server.cfg), there is no security. If we install the MCollective
> server on any client (on a puppet agent) and use the same Stomp username and
> password, we can run all mco commands from that node also. So I
> want a secure mechanism so that the username and password should not be shared.
> What can I do for it?

To achieve security you need to configure one of the MCollective security plugins - by default it's using a pre-shared key system, which is not very secure.

I'd recommend looking at the security overview doc, which will give you an overview:

http://docs.puppetlabs.com/mcollective/security.html

And then looking at deploying the following combination:

* Stomp with verified TLS to ActiveMQ
* The MCollective SSL security plugin[1]
* Authorization plugin[2] to limit what actions users can perform
* Set up auditing[3] to get logs of actions that were taken and by whom, perhaps using logstash and our plugin[4]

[1] http://docs.puppetlabs.com/mcollective/reference/plugins/security_ssl.html
[2] http://docs.puppetlabs.com/mcollective/simplerpc/authorization.html
[3] http://docs.puppetlabs.com/mcollective/simplerpc/auditing.html
[4] https://github.com/puppetlabs/mcollective-logstash-audit#readme
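
An added example, not part of either message and not MCollective project code: a Ruby sketch that checks a server.cfg against the four items recommended in the reply above. The two sample configs are constructed and trimmed to the relevant keys, the host and paths are placeholders, and the check names and the accepted boolean spellings are assumptions of this sketch.

```ruby
# Added example: lint an MCollective server.cfg against the reply's checklist.
# Both configs are constructed, trimmed samples; host and paths are placeholders.
WEAK_CFG = <<~CFG
  plugin.activemq.pool.1.host = broker.example.net
  securityprovider = psk
  plugin.psk = shared-key
CFG

HARDENED_CFG = <<~CFG
  plugin.activemq.pool.1.host = broker.example.net
  plugin.activemq.pool.1.ssl = 1
  plugin.activemq.pool.1.ssl.ca = /etc/mcollective/ssl/ca.pem
  securityprovider = ssl
  plugin.ssl_client_cert_dir = /etc/mcollective/ssl/clients
  rpcauthorization = 1
  rpcauthprovider = action_policy
  rpcaudit = 1
  rpcauditprovider = Logfile
CFG

# Parse "key = value" lines, skipping blanks and # comments.
def parse_cfg(text)
  text.each_line.with_object({}) do |line, cfg|
    key, value = line.strip.split("=", 2)
    next if value.nil? || key.start_with?("#")
    cfg[key.strip] = value.strip
  end
end

def on?(cfg, key)
  %w[1 true yes y].include?(cfg[key].to_s.downcase)
end

# Returns the recommendations (as symbols) that the config does not meet.
def audit_server_cfg(text)
  cfg = parse_cfg(text)
  pools = cfg.keys.grep(/\Aplugin\.activemq\.pool\.\d+\.host\z/).map { |k| k.sub(/host\z/, "") }
  # Verified TLS: every broker pool has ssl enabled and a CA to verify against.
  tls = !pools.empty? && pools.all? { |p| on?(cfg, "#{p}ssl") && cfg.key?("#{p}ssl.ca") }
  missing = []
  missing << :verified_tls unless tls
  # An absent securityprovider is treated as psk, the default the reply mentions.
  missing << :ssl_security_plugin unless cfg.fetch("securityprovider", "psk").casecmp?("ssl")
  missing << :authorization unless on?(cfg, "rpcauthorization") && cfg.key?("rpcauthprovider")
  missing << :auditing unless on?(cfg, "rpcaudit") && cfg.key?("rpcauditprovider")
  missing
end

if __FILE__ == $PROGRAM_NAME
  puts "weak:     #{audit_server_cfg(WEAK_CFG).inspect}"
  puts "hardened: #{audit_server_cfg(HARDENED_CFG).inspect}"
end
```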