Can any puppet agent get any puppet file from the master?


My Puppet master contains some sensitive files. I want each puppet agent to be able to access only those files that are of interest to that specific agent. In other words:

  • Does the puppet agent run its catalog, and then, whenever it encounters a "file" or "template" function or a "source => 'puppet:///…'" parameter, ask the master to provide it with the specified file, and the master just provides it without checking? This would be bad. If an agent got compromised, it could ask the master for any file on the master, even files which are intended only for other agents.
  • Or does the master somehow check that the agent's catalog really authorizes that particular agent to get that particular file?

I don't know if it matters, but I'm running passenger (and all my agents & master are 2.7.6 from squeeze-backports).

Best Answer

The documentation for the Puppet File Server should be able to cover most of what you are asking. In particular see the security section.

First, a note. If you have autosign enabled, then pretty much any security offered is moot. You should verify each certificate. Since the security settings you configure will be based on the hostname/certname or a regex matching them, having autosign enabled would potentially mean that any untrusted system could simply request a cert for a name that matched a pattern that had access to secret files.

By default, anything in the special plugins and modules fileserver mounts is available to any client. But this can be controlled to a certain extent through the configuration.

You can also set up custom 'mounts' that point to specific locations. An example is provided in the documentation about how to create a [private] mount for distributing private SSH keys. The host name is used as part of the mount path, so a given host can only see files that belong to it.
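As an added illustration (not part of the answer above and not Puppet's own code), the following script audits a `fileserver.conf` for mounts whose entire content is readable by every agent holding a signed certificate, which is the exposure the question asks about. It assumes the `[mount]` / `path` / `allow` syntax and the `%h` / `%H` path expansions from the Puppet file server documentation; the sample configuration, its paths and its domain names are constructed, and `deny` rules are not evaluated.

```python
import re

# Constructed sample fileserver.conf; paths and domains are placeholders.
SAMPLE_CONF = """\
[secrets]
    path /srv/puppet/secrets
    allow *

[private]
    path /srv/puppet/private/%h
    allow *

[dmz]
    path /srv/puppet/dmz
    allow *.dmz.example.com

[modules]
    allow *.example.com
"""

PER_HOST = re.compile(r"%[hH]")   # %h = client short hostname, %H = client FQDN
SPECIAL = ("modules", "plugins")  # open to every client unless restricted

def parse_mounts(text):
    """Parse fileserver.conf text into {mount: {"path": str, "allow": [patterns]}}."""
    mounts, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        parts = line.split(None, 1)           # "key value"; comment lines fall through
        header = re.fullmatch(r"\[([^\]]+)\]", line)
        if header:
            current = mounts.setdefault(header.group(1), {"path": "", "allow": []})
        elif current is not None and len(parts) == 2:
            if parts[0] == "path":
                current["path"] = parts[1].strip()
            elif parts[0] == "allow":
                current["allow"] += [v.strip() for v in parts[1].split(",") if v.strip()]
    return mounts

def shared_with_all_agents(text):
    """Names of mounts whose whole content any agent with a signed cert can fetch."""
    mounts = parse_mounts(text)
    for name in SPECIAL:                      # no allow rule: treated as default-open
        m = mounts.setdefault(name, {"path": "", "allow": []})
        m["allow"] = m["allow"] or ["*"]
    return sorted(name for name, m in mounts.items()
                  if "*" in m["allow"] and not PER_HOST.search(m["path"]))
```

On the sample, `shared_with_all_agents(SAMPLE_CONF)` reports `secrets` and the unconfigured `plugins` mount, while `[private]` passes because its path is expanded per client.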