The work in PUP-5012 provided a way for Puppet Server to register a custom Puppet::Network::AuthConfig, which is used to bypass the default "auth.conf" authorization checking when Puppet Server's trapperkeeper-based authorization is turned on instead. That work, however, did not provide a way to bypass the work that the Puppet::Network::AuthConfigLoader does to load the "auth.conf". Even though the result of the loaded "auth.conf" is not used when trapperkeeper-based authorization is enabled in Puppet Server, parsing the "auth.conf" still causes messages to be written to the master log as rules are processed, for example:
We should create a way to hook the AuthConfigLoader itself so that Puppet Server can bypass loading the "auth.conf" file entirely. Otherwise users may be confused as to whether the Ruby-based "auth.conf" or trapperkeeper-based authorization is being used in Puppet Server.