Ask Your Question

Node and class imports are DANGEROUS. Best way to mitigate?

asked 2014-01-29 12:17:59 -0600

James R gravatar image

We store our Puppet server configuration (the classes, node definitions, and modules) in a Subversion repository on our Puppet master, and use a Subversion post-commit hook to update the Puppet master configuration whenever anyone commits a change.

Because Subversion has per-directory ACLs, this is tremendously convenient for delegating access to the classes, node definitions, and modules. For example, by granting the owner of a host read/write access to the directory of his host's node definition in the Subversion repository, he can exactly control the Puppet configuration of his host, without any intervention from us.

However, we recently realized ... (more)

edit retag flag offensive close merge delete

2 Answers

Sort by ยป oldest newest most voted

answered 2014-01-29 16:10:43 -0600

ramindk gravatar image

updated 2014-01-29 16:14:51 -0600

No there isn't a better way and everyone uses wrapper classes. In fact the Role/Profile design which is what you're already moving towards is currently considered state of the art in Puppet and recommended by Puppetlabs.

I believe that the advice in the style guide refers to modules like Apache, ssh, etc. Your modules should be self contained and not include other modules. Wrapper classes, role/profile, or whatever nomenclature you'd like to use are strictly organizational structures that should be organization specific. In my opinion that makes them fall outside of the area the style ... (more)

edit flag offensive delete link more

answered 2014-01-29 16:51:15 -0600

Ancillas gravatar image

Could you separate your business units using Puppet environments? At least this way team A could only self-destruct team A's servers.

From a security standpoint, folks either have root access, or they don't. If they don't have root access, they shouldn't be able to deploy to the Puppet master. If they do have root access, then they could already run rm -rf.

edit flag offensive delete link more

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools



Asked: 2014-01-29 12:17:59 -0600

Seen: 83 times

Last updated: Jan 29 '14