  1. Puppet Server
  2. SERVER-2817

default webserver.conf client-auth value of "want" is not the system default, which is "need"


    Details

    • Type: Bug
    • Status: Closed
    • Priority: Normal
    • Resolution: Incomplete
    • Affects Version/s: SERVER 6.11.1
    • Fix Version/s: None
    • Component/s: Puppet Server
    • Labels:
      None
    • Template:
      PUP Bug Template
    • Method Found:
      Needs Assessment
    • QA Risk Assessment:
      Needs Assessment

      Description

      Puppet Server Version: 6.11.1
      OS Name/Version: Debian GNU/Linux 10 (buster)

      The default value for the webserver's client-auth setting is need: https://github.com/puppetlabs/trapperkeeper-webserver-jetty9/blob/master/src/puppetlabs/trapperkeeper/services/webserver/jetty9_config.clj#L75 (documentation)

      But the default /etc/puppetlabs/puppetserver/conf.d/webserver.conf, that comes with the Debian package from apt.puppetlabs.com at least, has client-auth: want. This seems wrong, and less secure than it should be. Typically I would expect explicitly-configured settings in default configuration files to match built-in defaults, meaning you could remove the default config file and nothing would change.

      Also, an example in the documentation has a comment that seems to imply that the default should be need (or maybe that's what it used to be); see DOCUMENT-1114.

      The default webserver.conf seems to be here: https://github.com/puppetlabs/puppetserver/blob/master/ezbake/config/conf.d/webserver.conf

              People

              Assignee:
              Unassigned
              Reporter:
              Kenyon Ralph (kenyon)
              Votes:
              0
              Watchers:
              2

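A check for the mismatch this ticket describes, as an added example (not code from Puppet Server or from the reporter): it reads a webserver.conf, finds any explicit client-auth setting, and reports whether the effective value equals the built-in default of need. The sample file contents and the function names are constructed for illustration, and the parser handles only a flat client-auth line, not full HOCON.

```python
import re
import sys

BUILT_IN_DEFAULT = "need"          # built-in default, as stated in the ticket
VALID = {"need", "want", "none"}   # values the jetty9 webserver service accepts

# Constructed sample resembling the packaged webserver.conf the ticket describes.
SAMPLE_PACKAGED = """\
webserver: {
    # client-auth: need
    client-auth: want   // shipped value
    ssl-host: 0.0.0.0
    ssl-port: 8140
}
"""

# Accepts `client-auth: want`, `client-auth = want` and quoted forms.
_SETTING = re.compile(r'^\s*"?client-auth"?\s*[:=]\s*"?([A-Za-z]+)"?\s*,?\s*$')


def strip_comment(line):
    """Drop HOCON '#' and '//' comments (ignores the quoted-string corner case)."""
    return re.split(r"#|//", line, maxsplit=1)[0]


def audit_client_auth(conf_text):
    """Return (explicit, effective, matches_default) for client-auth.

    Simplification: nesting is not tracked, so a multi-server config with
    several client-auth keys reports only the last one seen.
    """
    explicit = None
    for raw in conf_text.splitlines():
        m = _SETTING.match(strip_comment(raw))
        if m:
            explicit = m.group(1).lower()   # a later assignment overrides
    if explicit is not None and explicit not in VALID:
        raise ValueError(f"unrecognised client-auth value: {explicit!r}")
    effective = explicit or BUILT_IN_DEFAULT
    return explicit, effective, effective == BUILT_IN_DEFAULT


if __name__ == "__main__":
    # Pass a path to audit a real file; with no argument the sample is used.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_PACKAGED
    explicit, effective, same = audit_client_auth(text)
    print(f"explicit={explicit} effective={effective} matches_default={same}")
```

A result of matches_default=False means that deleting the packaged file would change the server's client-certificate behaviour, which is the drift the ticket reports.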