On Fri, 2007-07-27 at 18:15 -0700, David Lutterkort wrote:
> On Thu, 2007-07-26 at 16:01 -0500, Jeffrey C. Ollie wrote:
> > [15:30] mmcgrath: the problem is opening up access but still keeping some of the passwords/keys secure.
> > [15:30] mmcgrath: like the web guys don't need access to the buildserver keys.
> > [15:30] mmcgrath: and the build guys don't need the fedoraproject.org ssl key.
> > [15:30] mmcgrath: that sort of thing
>
> Not sure if you guys know that or not (or if that applies to what you
> guys discussed): puppet lets you define fileserver modules that are per
> node by putting something like
>
>     [private]
>     path /some/path/%h
>     allow 10.8.34.0/24
>
> in your fileserver.conf [1] for sensitive per-node data.

The problem isn't client-side - the problem is giving people limited access to modify the puppet manifests and the puppet file server. I haven't yet thought of a good way to do that - we may just need to take a "trust but verify" style approach. That however might mean that we can't open up access as widely as we'd like.

Jeff