  1. Puppet
  2. PUP-5351

Create AuthConfLoader hook for Puppet Server tk-authorization

    Details

    • Type: Task
    • Status: Closed
    • Priority: Normal
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: PUP 4.3.0
    • Component/s: None
    • Labels:
      None

      Description

      The work in PUP-5012 provided a way for Puppet Server to register a custom Puppet::Network::AuthConfig - used to bypass the default "auth.conf" authorization checking when Puppet Server's trapperkeeper-based authorization is turned on instead. This work, however, did not provide a way to bypass the work that the Puppet::Network::AuthConfigLoader does to load up the "auth.conf". Even though the result of the loaded "auth.conf" is not used when trapperkeeper-based authorization is enabled in Puppet Server, the parsing of the "auth.conf" does lead to messages being written out to the master log as rules are processed, for example:

      2015-10-06 16:46:29,594 INFO  [puppet-server] access[/puppet/v3/environments] allowing 'method' find
      2015-10-06 16:46:29,594 INFO  [puppet-server] access[/puppet/v3/environments] allowing * access
      

      We should create a way to hook the AuthConfLoader itself such that Puppet Server can bypass the "auth.conf" file being loaded at all and not have users potentially be otherwise confused as to whether the Ruby-based "auth.conf" or trapperkeeper-based authorization is being used in Puppet Server.

              People

              • Assignee: Erik Dasher (erik)
              • Reporter: Jeremy Barlow (jeremy.barlow)
