Also by ensuring the client private key has similar permissions: plugin.ssl_client_private in client.cfg if 'securityprovider = ssl' is set. Possibly also plugin.activemq.pool.1.ssl.key.

The other certificates should not be writable by non-authorized users as well.

On Tue, Jun 21, 2016 at 2:42 PM, Geoffrey Gardella <[email protected]> wrote:
> Thanks Michael!
> I understand the inter-node security. I'm trying to answer our internal
> security folks about how execution of mco commands is restricted on an
> (authorized) node to root or authorized users. It appeared to me that this
> was accomplished by having the config files be 600.
>
> On Tue, Jun 21, 2016 at 3:25 PM, Michael Smith <[email protected]> wrote:
>> There is a section of PE docs that talks about MCollective security as
>> set up by PE (https://docs.puppet.com/pe/latest/orchestration_overview.html#security),
>> as well as points to security notes in the OSS MCollective docs.
>>
>> In short, having the contents of the config files is sufficient to
>> connect to ActiveMQ, but when using the SSL-based security module requests
>> should only be honored by the end-points (MCollective servers) when they
>> also have certificates for the sender in a configured location.
>>
>> On Tue, Jun 21, 2016 at 1:22 PM, Shawn Ferry <[email protected]> wrote:
>>> And for everyone who is wondering what bugs: I'm unintentionally cross
>>> posting, so that's really just for Geoffrey.
>>>
>>> On Jun 21, 2016, at 16:20, Shawn Ferry <[email protected]> wrote:
>>>
>>> Did you see the recent spate of mcollective bugs that were just filed?
>>>
>>> One of them does talk about file perms, IIRC.
>>>
>>> Shawn
>>>
>>> On Jun 21, 2016, at 16:06, Geoffrey Gardella <[email protected]> wrote:
>>>
>>> Hi All,
>>> Working on our port of MCollective into Solaris. I wanted to confirm
>>> that we rely on the permissions of server.cfg and client.cfg being 600 to
>>> keep non-root users from executing commands with MCollective. That is, if
>>> those files are, say, 644, then any user on the system can run any
>>> MCollective command. Are there other (role-based) restrictions in the Linux
>>> world? Trying to find docs, but coming up empty.
>>>
>>> Thanks,
>>> Geoffrey
