2

disable api access puppetdb

asked 2013-12-03 09:34:56 -0500

Luke

Hello,

I want to make puppetdb more secure. I currently have it locked down so that only localhost can communicate using http; however, other hosts can communicate with the api using ssl / curl. The problem I have with this is that if a server somehow got compromised, someone could use that server to query puppetdb to pull information out on all the other servers using the ssl api ( http://docs.puppetlabs.com/puppetdb/latest/api/query/curl.html ). Is there any way to lock down the api querying using curl etc. while still allowing the box to work with puppet/puppetdb? Or can I ...


1 Answer

1

answered 2013-12-03 10:30:17 -0500

You probably want to lock down the SSL access to only be accepted from your Puppet Masters. This can be achieved by specifying a certificate whitelist file in your jetty.ini:

certificate-whitelist = /etc/puppetdb/whitelist.txt

And listing the certificate names of the accepted SSL clients in the file, one per line.

See here for more details:

http://docs.puppetlabs.com/puppetdb/1.5/configure.html#certificate-whitelist


Comments

Thanks, I am going to test this. Will they still be able to communicate with the puppetdb using the puppet client? I just want to prevent them from querying it ...

Luke ( 2013-12-05 09:55:01 -0500 )

If the communication goes via the master yes, directly no.

ken ( 2013-12-05 10:28:43 -0500 )

Works perfectly thank you

Luke ( 2013-12-09 14:23:44 -0500 )
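
Added example (not part of the original answer or comments, and not PuppetDB code): a small Python audit of the setup discussed in this thread, flagging an SSL listener without a whitelist and whitelist entries that are not Puppet masters. It assumes the `[jetty]` settings `host`, `port`, `ssl-host` and `ssl-port` alongside the answer's `certificate-whitelist`; the `audit_jetty` helper, the hostnames and the sample file contents are constructed for illustration.

```python
import configparser

LOOPBACK = {"localhost", "127.0.0.1", "::1"}

def audit_jetty(ini_text, whitelist_text, masters):
    """Return findings for a PuppetDB jetty.ini and its whitelist file contents.

    masters: certnames that should reach PuppetDB directly (assumed here to be
    the Puppet masters only, as the answer recommends).
    """
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(ini_text)
    jetty = cfg["jetty"] if cfg.has_section("jetty") else {}
    findings = []

    # Cleartext HTTP has no client authentication, so it should stay on loopback.
    host = jetty.get("host")
    if host is not None and host.strip() not in LOOPBACK:
        findings.append(f"cleartext HTTP listens on {host.strip()}, not loopback")

    if "ssl-port" in jetty:
        if "certificate-whitelist" not in jetty:
            findings.append("ssl-port set without certificate-whitelist")
        else:
            # Whitelist format per the answer: one certificate name per line.
            allowed = {l.strip() for l in whitelist_text.splitlines() if l.strip()}
            for name in sorted(allowed - set(masters)):
                findings.append(f"non-master certname on whitelist: {name}")
            for name in sorted(set(masters) - allowed):
                findings.append(f"master missing from whitelist: {name}")
    return findings

# Constructed sample inputs; hostnames are placeholders.
ASKER_INI = "[jetty]\nhost = localhost\nport = 8080\nssl-host = 0.0.0.0\nssl-port = 8081\n"
HARDENED_INI = ASKER_INI + "certificate-whitelist = /etc/puppetdb/whitelist.txt\n"
WHITELIST = "puppetmaster01.example.com\nweb01.example.com\n"
MASTERS = ["puppetmaster01.example.com"]

if __name__ == "__main__":
    for label, ini in (("before", ASKER_INI), ("after", HARDENED_INI)):
        print(label, audit_jetty(ini, WHITELIST, MASTERS))
```

The function takes the whitelist file's contents as text so it runs offline; on a real host, read the path given by `certificate-whitelist` and pass its contents in.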


Stats

Asked: 2013-12-03 09:34:56 -0500

Seen: 151 times

Last updated: Dec 03 '13