Thanks Michael! I understand the inter-node security. I'm trying to answer our internal security folks about how execution of mco commands is restricted on an (authorized) node to root or authorized users. It appeared to me that this was accomplished by having the config files be 600.
On Tue, Jun 21, 2016 at 3:25 PM, Michael Smith <[email protected]> wrote:

> There is a section of PE docs that talks about MCollective security as set up by PE (https://docs.puppet.com/pe/latest/orchestration_overview.html#security), as well as points to security notes in the OSS MCollective docs.
>
> In short, having the contents of the config files is sufficient to connect to ActiveMQ, but when using the SSL-based security module requests should only be honored by the end-points (MCollective servers) when they also have certificates for the sender in a configured location.
>
> On Tue, Jun 21, 2016 at 1:22 PM, Shawn Ferry <[email protected]> wrote:
>
>> And for everyone who is wondering what bugs; I'm unintentionally cross posting so that's really just for Geoffrey
>>
>> On Jun 21, 2016, at 16:20, Shawn Ferry <[email protected]> wrote:
>>
>> Did you see the recent spate of mcollective bugs that were just filed?
>>
>> One of them does talk about file perms iirc
>>
>> Shawn
>>
>> On Jun 21, 2016, at 16:06, Geoffrey Gardella <[email protected]> wrote:
>>
>> Hi All,
>> working on our port of MCollective into Solaris. I wanted to confirm that we rely on the permissions of server.cfg and client.cfg being 600 to keep non-root users from executing commands with MCollective. That is, if those files are say, 644, then any user on the system can run any MCollective command. Are other (role-based restrictions) there in the Linux world? Trying to find docs, but coming up empty.
>>
>> Thanks,
>> Geoffrey

--
You received this message because you are subscribed to the Google Groups "Puppet Developers" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
To view this discussion on the web visit https://groups.google.com/d/msgid/puppet-dev/CAPA9Ot8iX2Uz4MyhB-rKFKeRQXbQ7KCAz3fcOD8y%2BsTSTy192g%40mail.gmail.com. For more options, visit https://groups.google.com/d/optout.
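
An added example, not part of the thread and not MCollective's own code: a Ruby check that flags a client.cfg or server.cfg, and any private key it references through the SSL security plugin settings, when the file mode grants group or other access. The file names and contents created in `demo` are constructed for illustration.

```ruby
require 'tmpdir'

# SSL security plugin settings whose values are paths to private keys.
KEY_SETTINGS = %w[plugin.ssl_client_private plugin.ssl_server_private].freeze

# Parse "key = value" lines, skipping blank lines and comments.
def parse_cfg(path)
  File.readlines(path).each_with_object({}) do |line, cfg|
    line = line.strip
    next if line.empty? || line.start_with?('#')
    key, value = line.split('=', 2)
    cfg[key.strip] = value.strip if value
  end
end

# Return [path, mode] pairs for the config file and referenced private keys
# that group or other can access (any bit set in 0o077).
def audit(cfg_path)
  paths = [cfg_path] + parse_cfg(cfg_path).values_at(*KEY_SETTINGS).compact
  paths.select { |p| File.file?(p) }
       .map { |p| [p, File.stat(p).mode & 0o777] }
       .reject { |_, mode| (mode & 0o077).zero? }
end

# Constructed sample: a 644 client.cfg next to a 600 key, then the same
# config tightened to 600.
def demo
  Dir.mktmpdir do |dir|
    key = File.join(dir, 'alice-private.pem')
    cfg = File.join(dir, 'client.cfg')
    File.write(key, "constructed placeholder, not a real key\n")
    File.write(cfg, <<~CFG)
      # constructed sample client.cfg
      securityprovider = ssl
      plugin.ssl_client_private = #{key}
    CFG
    File.chmod(0o600, key)
    File.chmod(0o644, cfg)
    loose = audit(cfg)
    File.chmod(0o600, cfg)
    tight = audit(cfg)
    [loose.map { |p, m| [File.basename(p), format('%o', m)] }, tight]
  end
end

p demo if $PROGRAM_NAME == __FILE__
```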
