Wildcard settings entries

Hello,

Appreciate this may go against the grain of this but we have a case where
systems will upload facts into Foreman individually rather than through a
puppet master server
using Net::HTTP::Post.new("/fact_values/create?format=yml")

So is there any way to wildcard the :trusted_puppetmaster_hosts: setting to
allow this?

Thanks
Paul

Hi Paul,

> Hello,
>
> Appreciate this may go against the grain of this but we have a case
> where systems will upload facts into Foreman individually rather than
> through a puppet master server
> using Net::HTTP::Post.new("/fact_values/create?format=yml")
>
> So is there any way to wildcard the :trusted_puppetmaster_hosts: setting
> to allow this?

Disabling these two settings should open it up globally:

  1. require_ssl_puppetmasters
  2. restrict_registered_puppetmasters

However these settings will permit arbitrary YAML upload into the
application which can be exploited, so I wouldn't recommend it generally
unless you're on a trusted network. The ENC YAML output will also be
accessible to any host, which can leak information, including root
password hashes (those used for provisioning).

There's some documentation about these settings here:
http://theforeman.org/manuals/1.2/index.html#5.4.1SecuringPuppetMasterRequests

Two alternative ideas for you:

a) if you can get fact files to one location, the ENC script has a
--push-facts option that can push all files from one directory.

b) you could disable Foreman's authorisation settings as above, but then
use Apache (assuming you run Foreman under Passenger) instead, as its
access controls are more flexible. For example:

<Location ~ "/(fact_values|reports)/create">
Order Deny,Allow
Deny from all
Allow from puppetmaster.example.net
</Location>

In 1.3 we hope to replace the use of YAML for reports and fact imports
with something simpler, which would make it a little safer to leave open.

On 05/07/13 13:40, OlliesDad@googlemail.com wrote:


Dominic Cleal
Red Hat Engineering
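To make the "arbitrary YAML upload can be exploited" point concrete, here is an added example (not code from this thread, and not Foreman's own import code) showing what a trusting YAML loader does with a tagged document compared with a restricted one that only accepts plain data. The fact document shapes (a `name` plus a `values` mapping) and the harmless `ProbeObject` class are constructed for illustration and are not Foreman's exact fact schema; the point is only that a `!ruby/object:` tag in an upload from an unrestricted host makes the loader build objects the application never asked for.

```ruby
require 'yaml'

# Constructed sample of a benign fact upload body (illustrative shape only,
# not Foreman's exact schema).
GOOD_FACTS_YAML = <<~YAML
  ---
  name: web01.example.net
  values:
    fqdn: web01.example.net
    operatingsystem: RedHat
    processorcount: 4
YAML

# Harmless stand-in for any class an uploader could name in a YAML tag.
class ProbeObject
  attr_accessor :note
end

# Constructed body whose tag asks the loader to instantiate a Ruby object.
TAGGED_YAML = <<~YAML
  ---
  name: web01.example.net
  values:
    probe: !ruby/object:ProbeObject
      note: set by the uploader
YAML

# The permissive loader: YAML.load was unrestricted in older Psych, and
# newer Psych exposes the same behaviour as YAML.unsafe_load.
def load_trusting(text)
  YAML.respond_to?(:unsafe_load) ? YAML.unsafe_load(text) : YAML.load(text)
end

# The restricted loader: no classes, no symbols, no aliases, only plain data.
def load_restricted(text)
  YAML.safe_load(text, permitted_classes: [], aliases: false)
end

PLAIN = ->(v) { v.is_a?(String) || v.is_a?(Numeric) || v == true || v == false || v.nil? }

# Accept only the plain-data shape a fact upload is expected to have.
# Returns the facts hash on success, raises on anything else.
def import_facts(text)
  doc = load_restricted(text)
  raise ArgumentError, 'top level must be a mapping' unless doc.is_a?(Hash)
  name = doc['name']
  values = doc['values']
  raise ArgumentError, 'name must be a non-empty string' unless name.is_a?(String) && !name.empty?
  raise ArgumentError, 'values must be a mapping' unless values.is_a?(Hash)
  values.each do |k, v|
    raise ArgumentError, "fact #{k.inspect} is not a plain scalar" unless k.is_a?(String) && PLAIN.call(v)
  end
  { 'name' => name, 'values' => values }
end

# Side-by-side summary: how many non-scalar objects the trusting loader
# built from the body, and whether the restricted path accepted it.
def compare_loaders(text)
  trusting = load_trusting(text)
  values = trusting.is_a?(Hash) && trusting['values'].is_a?(Hash) ? trusting['values'].values : []
  built = values.count { |v| !PLAIN.call(v) }
  restricted = begin
    import_facts(text)
    'accepted'
  rescue Psych::DisallowedClass, ArgumentError => e
    "rejected: #{e.message}"
  end
  { objects_built_by_trusting_loader: built, restricted_loader: restricted }
end

if __FILE__ == $PROGRAM_NAME
  puts compare_loaders(GOOD_FACTS_YAML).inspect
  puts compare_loaders(TAGGED_YAML).inspect
end
```

The restricted path is what moving fact and report imports away from arbitrary YAML buys: the tag is rejected before any object is built. Until then, the Apache `<Location>` restriction above is what keeps bodies from untrusted hosts away from the loader in the first place.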

Thanks Dominic, that works.

This is for a mild edge case where we want a separate instance of Foreman
for a specific group for reporting only with:

puppet agent -t --no-daemonize --report_server=<server> --noop

And a facter -y -> foreman upload.

As it's on a controlled network it's fine. Will close it as much as I can
in the meantime.

Cheers
Paul