Puppet / PUP-5012

Add feature flag to disable authconfig


    Details

    • Type: New Feature
    • Status: Closed
    • Priority: Normal
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: PUP 4.3.0
    • Component/s: None
    • Labels: None

      Description

      In support of SERVER-111, a feature flag needs to be added to core Puppet that will disable all of the internal authconfig, aka auth.conf, behavior. This is necessary to allow the tk-authorization service to handle authentication and authorization without conflicting with Puppet's authorization system.

      A trivial proof of concept for this feature flag is available at:

      diff --git a/lib/puppet/defaults.rb b/lib/puppet/defaults.rb
      index b4165a7..db059fa 100644
      --- a/lib/puppet/defaults.rb
      +++ b/lib/puppet/defaults.rb
      @@ -1180,7 +1180,16 @@ EOT
             :desc       => "Whether to only search for the complete
                   hostname as it is in the certificate when searching for node information
                   in the catalogs.",
      -    }
      +    },
      +    :bypass_authorization => {
      +      :type    => :boolean,
      +      :default => false,
      +      :desc    => "If false perform authorization checks using auth.conf rules.
      +      If true, bypass authorization checks entirely.  Authorization should be
      +      handled externally, e.g. using trapperkeeper-authorization.  Note, this
      +      setting does not affect authentication behaviors, it only affects
      +      authorization.",
      +    },
         )
       
         define_settings(:device,
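Review bot: the `:desc` for `:bypass_authorization` should say that the setting is intended to be set by Puppet Server (as the ticket description states) and that enabling it in puppet.conf with no external authorizer in front leaves every endpoint reachable without an authorization check; the current text only says authorization "should be handled externally". A style point: the `EOT` in the hunk header shows that neighbouring settings use heredocs for long descriptions, while this one embeds a multi-line quoted string whose continuation lines carry leading indentation into the rendered text; a `<<-EOT` heredoc would match the surrounding entries.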
      diff --git a/lib/puppet/network/authconfig.rb b/lib/puppet/network/authconfig.rb
      index 9f30a44..dae9e13 100644
      --- a/lib/puppet/network/authconfig.rb
      +++ b/lib/puppet/network/authconfig.rb
      @@ -78,6 +78,12 @@ module Puppet
           # raise an Puppet::Network::AuthorizedError if the request
           # is denied.
           def check_authorization(method, path, params)
      +      if Puppet.settings[:bypass_authorization] == true
      +        Puppet.debug "Bypassing authorization check for call " +
      +          "#{method} on #{path} because bypass_authorization is true"
      +        return
      +      end
      +
             if authorization_failure_exception = @rights.is_request_forbidden_and_why?(method, path, params)
               Puppet.warning("Denying access: #{authorization_failure_exception}")
               raise authorization_failure_exception
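Review bot: the early-return branch logs only at debug level, so under default logging an operator has no record that requests are being served without an authorization check; keep the per-request debug line if desired, but emit one warning when the bypass takes effect so it appears in normal logs. Minor: since the setting is declared `:type => :boolean`, `if Puppet.settings[:bypass_authorization] == true` can be `if Puppet.settings[:bypass_authorization]`.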
      @@ -86,7 +92,13 @@ module Puppet
       
           def initialize(rights=nil)
             @rights = rights || Puppet::Network::Rights.new
      -      insert_default_acl
      +
      +      if Puppet.settings[:bypass_authorization] == true
      +        Puppet.info("Bypassing insertion of default ACL because " +
      +                        "bypass_authorization is true")
      +      else
      +        insert_default_acl
      +      end
           end
         end
       end
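Review bot: the same settings comparison now appears in both `initialize` and `check_authorization`, at two different log levels (info here, debug above); factor it into a private `bypass_authorization?` predicate so the two call sites cannot drift, and settle on one level. Also worth confirming in review what `is_request_forbidden_and_why?` returns for a `Rights` object that never received the default ACL: if the setting reads as true here at construction but false later in `check_authorization`, requests would be evaluated against an empty rule set, and that outcome should be deny rather than allow.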
      

      This feature flag will be toggled by Puppet Server, which itself will have a feature flag exposed to the end user in the normal puppetserver configuration files. If authorization for jruby-puppet endpoints is turned on in puppetserver then it should be turned off in jruby-puppet, and vice-versa.
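The paragraph above states an invariant rather than a mechanism: exactly one of the two authorization systems (Puppet's auth.conf rules or Puppet Server's trapperkeeper-authorization) should be active for the jruby-puppet endpoints. The Ruby below is an added example, not code from the ticket or from Puppet or Puppet Server; it models that invariant as a configuration check and names the one combination an operator must never ship, where auth.conf is bypassed and the external authorizer is off. The `:use_tk_authorization` key standing in for the puppetserver-side flag is a placeholder, as is the plain Hash standing in for `Puppet.settings`.

```ruby
# Added example, not part of PUP-5012 or Puppet's code base.
# Models the invariant from the ticket: exactly one of auth.conf
# (Puppet) and trapperkeeper-authorization (Puppet Server) should be
# enforcing authorization for jruby-puppet endpoints.
#
# Assumed inputs (constructed for this example):
#   puppet_settings - a Hash standing in for Puppet.settings, carrying the
#                     :bypass_authorization boolean from the proposed patch
#   server_conf     - a Hash standing in for the puppetserver feature flag;
#                     the key :use_tk_authorization is a placeholder name

STATES = {
  internal: "auth.conf rules enforced by Puppet (tk-authorization off)",
  external: "tk-authorization enforced by Puppet Server (auth.conf bypassed)",
  none:     "NO authorization: auth.conf bypassed and tk-authorization off",
  both:     "CONFLICT: auth.conf and tk-authorization both active",
}.freeze

# Classify the pair of flags into one of the STATES keys.
# Missing keys default to false, matching the patch's :default => false.
def authorization_state(puppet_settings, server_conf)
  bypass   = puppet_settings.fetch(:bypass_authorization, false) == true
  external = server_conf.fetch(:use_tk_authorization, false) == true
  if bypass && external then :external
  elsif !bypass && !external then :internal
  elsif bypass then :none
  else :both
  end
end

# True only for the two configurations the ticket describes as valid.
def consistent?(puppet_settings, server_conf)
  %i[internal external].include?(authorization_state(puppet_settings, server_conf))
end

# Operator-facing one-line report. :none is the state to alert on, because
# every jruby-puppet endpoint would then be served with no authorization check.
def report(puppet_settings, server_conf)
  state = authorization_state(puppet_settings, server_conf)
  severity = case state
             when :none then "CRITICAL"
             when :both then "WARNING"
             else "OK"
             end
  "#{severity}: #{STATES[state]}"
end

if $PROGRAM_NAME == __FILE__
  # Constructed sample configurations covering all four combinations.
  [
    [{ bypass_authorization: false }, { use_tk_authorization: false }],
    [{ bypass_authorization: true  }, { use_tk_authorization: true  }],
    [{ bypass_authorization: true  }, { use_tk_authorization: false }],
    [{ bypass_authorization: false }, { use_tk_authorization: true  }],
  ].each { |puppet, server| puts report(puppet, server) }
end
```

Run it as a script to print a line per combination; the `:none` row is the misconfiguration that a startup check or a monitoring rule should treat as a hard failure, since the bypass patch removes the default ACL as well as the per-request check.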

People

Assignee: Nate Wolfe (nwolfe)
Reporter: Jeff McCune (jeff)
QA Contact: Erik Dasher