
Puppet Server Support for X-Client-DN and X-Client-Verify Headers

    Details

    • Type: New Feature
    • Status: Closed
    • Priority: Normal
    • Resolution: Done
    • Affects Version/s: None
    • Fix Version/s: SERVER 0.3.0
    • Component/s: None
    • Labels:
      None
    • Story Points:
      2
    • Sprint:
      PE 2014-10-08, PE 2014-10-22

      Description

      The Rack handler in core Ruby Puppet had support for reading a couple of custom X- headers – one for client_dn and one for client_dn – to determine the client node's name for authentication purposes. See:

      https://github.com/puppetlabs/puppet/blob/master/lib/puppet/network/http/rack/rest.rb#L117

      These headers would support the ability for a "proxy" terminating SSL from the client request to forward these headers on to the Puppet Master – potentially in clear-text – so that the Master could use these values to authenticate the client in lieu of an available client certificate. The procedure for setting up the X- headers in a proxy server - specifically an Apache server - and the corresponding puppet.conf settings is covered in:

      https://docs.puppetlabs.com/puppet/latest/reference/config_ssl_external_ca.html#format-of-x-client-dn-request-header

      The Puppet Server master.rb handler does not currently honor these headers. For backward compatibility, it may make sense for these headers to be honored. Doing so would have security implications, though, in that there is no prescribed path for the Puppet Master to determine that the proxy forwarding these X- headers on to it is legitimate and acting on behalf of a legitimate client.

      This ticket is intended to cover the research and implementation work to support this feature in the Puppet Server environment.
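
The trust decision the description raises, sketched as an added example (not code from Puppet, Puppet Server, or this ticket): header-supplied identity is accepted only when the feature is switched on, the request arrives from a known proxy address, and the proxy reports the verification result `SUCCESS` (the value Apache mod_ssl emits in `SSL_CLIENT_VERIFY`). The `honor_headers` flag, the `TRUSTED_PROXIES` list, the helper names and the sample requests are assumptions made for the illustration.

```ruby
require 'ipaddr'

# Hypothetical allow-list of proxy addresses (assumption, not a Puppet setting).
TRUSTED_PROXIES = [IPAddr.new('127.0.0.1'), IPAddr.new('10.0.5.0/28')].freeze

# Rack names for the X-Client-DN and X-Client-Verify request headers.
DN_HEADER     = 'HTTP_X_CLIENT_DN'
VERIFY_HEADER = 'HTTP_X_CLIENT_VERIFY'

def trusted_proxy?(addr)
  return false if addr.to_s.empty?
  ip = IPAddr.new(addr)
  TRUSTED_PROXIES.any? { |net| net.include?(ip) }
rescue IPAddr::Error
  false
end

# Pull the CN out of either "/C=US/O=Example/CN=name" or "CN=name,O=Example".
# Simplified parsing for this example: escaped separators are not handled.
def cn_from_dn(dn)
  cn = dn.to_s[%r{(?:\A|[/,])\s*CN\s*=\s*([^/,]+)}i, 1]
  cn && !cn.strip.empty? ? cn.strip : nil
end

# Returns { node:, authenticated:, reason: } for a Rack env hash.
def client_identity(env, honor_headers: false)
  deny = ->(reason) { { node: nil, authenticated: false, reason: reason } }
  # Header-based identity is opt-in; when off, the headers are ignored entirely.
  return deny.call(:headers_disabled) unless honor_headers
  # Only a known proxy may assert an identity on a client's behalf.
  return deny.call(:untrusted_peer) unless trusted_proxy?(env['REMOTE_ADDR'])
  # Anything but the literal SUCCESS verdict (absent, NONE, FAILED) is a failure.
  return deny.call(:not_verified) unless env[VERIFY_HEADER] == 'SUCCESS'
  node = cn_from_dn(env[DN_HEADER])
  return deny.call(:no_common_name) unless node
  { node: node, authenticated: true, reason: :proxy_verified }
end

# Constructed sample request environments.
FROM_PROXY = { 'REMOTE_ADDR' => '10.0.5.3', VERIFY_HEADER => 'SUCCESS',
               DN_HEADER => '/C=US/O=Example/CN=agent01.example.com' }.freeze
DIRECT     = FROM_PROXY.merge('REMOTE_ADDR' => '203.0.113.7').freeze
```

A source-address check only holds if the network path guarantees that nothing but the proxy can reach the listener; the proxy must also overwrite these headers on every request rather than pass through client-supplied values.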

              People

              Assignee:
              joe.pinsonault Joe Pinsonault
              Reporter:
              jeremy.barlow Jeremy Barlow
              QA Contact:
              Ryan Gard