
My Puppet master contains some sensitive files. I want each puppet agent to be able to access only those files that are of interest to that specific agent. In other words:

  • Does the puppet agent run its catalog and then, whenever it encounters a "file" or "template" function or a "source => 'puppet:///...'" parameter, ask the master to provide it with the specified file, which the master just provides without checking? This would be bad. If an agent got compromised, it could ask the master for any file on the master, even files which are intended only for other agents.
  • Or does the master somehow check that the agent's catalog really authorizes that particular agent to get that particular file?

I don't know if it matters, but I'm running passenger (and all my agents & master are 2.7.6 from squeeze-backports).

Antonis Christofides

4 Answers


The documentation for the Puppet File Server should be able to cover most of what you are asking. In particular see the security section.

First a note. If you have autosign enabled, then pretty much any security offered is moot. You should verify each certificate. Since the security settings you configure will be based on the hostname/certname or a regex that matches them, having autosign enabled would potentially mean that any un-trusted system could simply request a cert for a name that matched a pattern that had access to secret files.

By default anything in the special plugins and modules fileserver mounts is available to any client. But this can be controlled to a certain extent through the configuration.

You can also setup custom 'mounts' that point to specific locations. An example is provided in the documentation about how to create a [private] mount for distributing private SSH keys. The host name is used as part of the mount path, so a given host can only see files that belong to it.

Zoredache
  • I don't see any significant help in the documentation. All the security section says is that you can use allow and deny. There is no implication that the private mount is not accessible by all agents. And no mention of how file(), template() and extlookup() work. – Antonis Christofides Mar 20 '12 at 12:10
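The per-host mount the answer refers to, as an added example (not from the original answer or from the Puppet documentation): a small POSIX shell script that adds a [private] mount to fileserver.conf and creates one directory per host under it. The master replaces %h in the mount path with the requesting agent's hostname (%H would give the fully qualified name), so a request for puppet:///private/id_rsa from host web1 is served from /etc/puppet/private/web1/id_rsa and cannot reach another host's directory. The config directory, the private root and the "puppet" service user are assumptions; adjust them to your layout, and run it as root on the master.

```shell
#!/bin/sh
# Added example: create a per-host "private" fileserver mount on a Puppet 2.7
# master. PUPPET_CONFDIR, PRIVATE_ROOT and the master's service user are
# assumptions about your installation, not values from the original page.
set -e

PUPPET_CONFDIR="${PUPPET_CONFDIR:-/etc/puppet}"
PRIVATE_ROOT="${PRIVATE_ROOT:-$PUPPET_CONFDIR/private}"

# Append the [private] mount to fileserver.conf unless it is already present.
# "%h" is expanded by the master to the requesting agent's hostname, so each
# agent sees only $PRIVATE_ROOT/<its own hostname>/.
add_private_mount() {
    conf="$PUPPET_CONFDIR/fileserver.conf"
    mkdir -p "$PUPPET_CONFDIR"
    touch "$conf"
    if ! grep -q '^\[private\]' "$conf"; then
        cat >> "$conf" <<EOF

[private]
  path $PRIVATE_ROOT/%h
  allow *
EOF
    fi
}

# Create the directory for one host. Only root and the user the master runs
# as (typically "puppet", an assumption) should be able to read it, so chown
# it to that user after creation on a real master.
add_host_dir() {
    host="$1"
    install -d -m 0750 "$PRIVATE_ROOT/$host"
}

# Reproduce the master's expansion so the resulting on-disk path can be
# checked: (web1, id_rsa) maps to $PRIVATE_ROOT/web1/id_rsa. Relative paths
# containing ".." or starting with "/" are rejected so a caller of this
# helper cannot climb out of the host's directory.
resolve_private() {
    host="$1"; relpath="$2"
    case "$relpath" in
        *..*|/*) return 1 ;;
    esac
    printf '%s/%s/%s\n' "$PRIVATE_ROOT" "$host" "$relpath"
}

# Usage (as root on the master): sh setup_private_mount.sh web1 db1
# With no arguments the script only defines the functions above.
if [ "$#" -gt 0 ]; then
    add_private_mount
    for h in "$@"; do
        add_host_dir "$h"
    done
fi
```

In a manifest the file is then referenced as `source => 'puppet:///private/id_rsa'` with no hostname in the path; the master picks the directory from the certificate-verified hostname of the agent that asks, which is why autosign must be off for this to mean anything.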

I don't have any hard data on this. However, from what I've read here and there, it is my feeling that any agent can get any file from the master if that file is inside the Puppet file server tree and the Puppet file server's configuration allows the agent to access the tree. It is also my feeling that the file(), template() and extlookup() functions are executed on the master as it compiles the agent's configuration, before it sends it to the agent.

Therefore, it should be reasonably secure to store sensitive files outside the Puppet file server tree, and use file() to access them. This way, they should only be accessible by the agent they are intended for.

Antonis Christofides

"If you don't want to store important files on a puppet server, what do you suggest instead?"

I guess puppet librarian may be able to help in this instance, whereby one creates a puppetfile specific to a client and applies it to a client on demand (perhaps even without a puppet master).

So, a typical scenario could be to ssh into the box, grab a puppetfile from a known safe remote or local location and use that to install all dependent modules (and/or config files) before triggering a manual puppet run. I suppose you can easily automate that set of tasks with capistrano or similar tools.

Chux Uzoeto

As long as that file is only defined in one 'node' you should be fine, another 'node' can't request that file because for him, it doesn't exist.

However, it's generally not a good idea to store 'protected' files on a puppet server.

Hope this helps!

jidar
  • If you don't want to store important files on a puppet server, what do you suggest instead? – Zoredache Mar 19 '12 at 18:27
  • -1; By proper protocol operation, a node won't try to look up anything not defined for it. In practice, I can ask for anything if I have a valid cert and the default permissions in `/etc/puppet/auth.conf` haven't been changed. – Jeff Ferland Mar 19 '12 at 18:41
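The check behind the last comment, as an added example that is not part of the original thread: with the agent's own certificate you can ask the 2.7 master's REST interface for any fileserver path directly, without a catalog mentioning it. Run it from an agent whose catalog does not manage the file in question; if the content comes back, the catalog was never what protected it, and only the mount's allow/deny list and auth.conf (whose shipped default is `path /file` / `allow *`) stand between agents. The master name, environment, SSL directory and certname below are assumptions.

```shell
#!/bin/sh
# Added example: fetch a file from a Puppet 2.7 master over its REST API with
# this agent's client certificate, bypassing the catalog. Values for MASTER,
# ENVIRONMENT, SSLDIR and CERTNAME are assumptions; override them in the
# environment to match your site.
set -e

MASTER="${MASTER:-puppet}"
PORT="${PORT:-8140}"
ENVIRONMENT="${ENVIRONMENT:-production}"
SSLDIR="${SSLDIR:-/var/lib/puppet/ssl}"
CERTNAME="${CERTNAME:-$(hostname -f 2>/dev/null || echo agent.example.com)}"

# Build the file_content URL for a puppet:///<mount>/<path> reference.
# For the "modules" mount the path starts with the module name,
# e.g. file_content_url modules ssh/id_rsa for puppet:///modules/ssh/id_rsa.
file_content_url() {
    mount="$1"; relpath="$2"
    printf 'https://%s:%s/%s/file_content/%s/%s\n' \
        "$MASTER" "$PORT" "$ENVIRONMENT" "$mount" "$relpath"
}

# Ask the master for the file as this node. The master authenticates the
# request with the certificate, then consults fileserver.conf and auth.conf;
# nothing in this request identifies a catalog. Prints the content on 200,
# fails (curl --fail) on 403/404.
fetch_file_content() {
    curl -sS --fail --max-time 30 \
        --cacert "$SSLDIR/certs/ca.pem" \
        --cert "$SSLDIR/certs/$CERTNAME.pem" \
        --key "$SSLDIR/private_keys/$CERTNAME.pem" \
        -H 'Accept: raw' \
        "$(file_content_url "$1" "$2")"
}

# Usage: sh fetch_file_content.sh <mount> <path>, e.g.
#   sh fetch_file_content.sh modules secrets/db1_backup_key
# run on a host that should have no business with db1's key. A 200 with the
# key in the body is the problem the comment describes; a 403 means the
# mount's allow/deny rules or auth.conf refused this certname.
if [ "$#" -eq 2 ]; then
    fetch_file_content "$1" "$2"
fi
```

Note that a %h-style private mount passes this test trivially for other hosts' files (the master resolves the path under the caller's own directory), which is the property the accepted answer relies on; the modules mount with the default `allow *` does not.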