Roles, Profiles & Trusted Facts!
Puppet Meetup, 23rd Feb 2016
Stephen Wallace
https://au.linkedin.com/in/stephenwallace
@stphnwallace
Who am I?
Devops contractor
Home brewer
Connector of people
(3000+)
What do I do?
• Help people (companies) stay
relevant in a fast moving world
• Build people, which builds
teams. Collaborative Economy
• Help enough people get what
they want…
What Are Roles & Profiles?
• An area of confusion!
• Role… business speak
• Profile… tech stacks… think Lego
• Classification… role only!
• IT facilitates the business, right?
• Quick peek at site.pp
How can we apply a role?
• /etc/puppetlabs/facter/facts.d/BLAH
• export FACTER_role=thingo
• custom fact to read a file
• console
Do you want this flexibility in
production?!
export FACTER_role=whatever
Normal vs Trusted Facts
• Normal facts are self-reported by the node, and nothing
guarantees their accuracy.
• Trusted facts are extracted from the node’s certificate,
which can prove that the CA checked and approved them.
• The variable name $trusted is reserved, so local scopes
cannot re-use it.
• Useful for deciding whether a given node should receive
sensitive data in its catalogue.
Enabling & Using
Trusted Facts
$ sudo puppet config print trusted_node_data immutable_node_data --section master
trusted_node_data = true
immutable_node_data = true
Example:
if $trusted['extensions']['pp_image_name'] == 'storefront_production' {
  include private::storefront::private_keys
}
(*) If trusted facts are enabled, any cert extension can be accessed in manifests as $trusted['extensions']['<EXTENSION OID>'].
(*) OID / name mapping can be found here - https://docs.puppetlabs.com/puppet/latest/reference/config_file_csr_attributes.html
What Other Practical Uses?
• Embed a deployment key?
• $trusted['extensions']['pp_role']?
Setting Trusted Facts
• Extra data for the CSR is read from the
csr_attributes.yaml file in Puppet Agent’s $confdir.
• YAML hash containing one or both of the following
keys:
• custom_attributes
• extension_requests
• e.g.
---
extension_requests:
  pp_preshared_key: banana
Checking for the CSR OIDs
• cd /etc/puppetlabs/puppet/ssl/ca/requests
• openssl req -noout -text -in ip-172-31-35-224.ap-southeast-2.compute.internal.pem
• Check out the attributes section
Attributes:
Requested Extensions:
1.3.6.1.4.1.34380.1.1.4:
..banana
1.3.6.1.4.1.34380.1.1.13:
..webshop
Cool bananas? :)
Puppet Agent Workflow - Before
• New agent generates certs, and submits CSR.
• Puppet master / CA signs the cert, and the catalog
is served.
• Uses cert for auth ongoing.
Puppet Agent Workflow - After
• New agent generates a CSR, reading in any additional attributes from the csr_attributes.yaml file in the Puppet agent's $confdir, and submits the CSR.
• Puppet master / CA signs the cert, optionally under an (*)auto-signing policy, and the catalog is served.
• Uses the cert for auth ongoing; the trusted facts are read from that cert whenever the agent communicates with the Puppet master (PM).
Policy Based Autosigning
• puppet config set --section master autosign /usr/local/bin/autosign-psk.rb
• Can be used for policy based autosigning
• See autosign-psk.rb in appendix
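As an added example (not from the deck and not Puppet's own code): a Ruby script that builds a CSR carrying pp_preshared_key and pp_role extension requests the way the agent does from csr_attributes.yaml, reads them back with the same ASN.1 traversal an autosign policy script has to do, and makes the signing decision with a constant-time key comparison and a role allow list. EXPECTED_PSK, ALLOWED_ROLES and the certnames are constructed values; the two OIDs are the ones shown in the deck's openssl output.

```ruby
#!/usr/bin/env ruby
# Added example, not part of the deck: build a CSR carrying Puppet-style
# extension requests (what the agent does with csr_attributes.yaml), read
# them back the way an autosign policy script must, and decide on signing.
require "openssl"

# Puppet's registered OIDs for the two extensions in the deck's openssl output.
PP_PRESHARED_KEY_OID = "1.3.6.1.4.1.34380.1.1.4"   # pp_preshared_key
PP_ROLE_OID          = "1.3.6.1.4.1.34380.1.1.13"  # pp_role

# Constructed policy inputs; a real script would load these from a file with
# restrictive permissions rather than carrying them in source.
EXPECTED_PSK  = "banana".freeze                      # the deck's example key
ALLOWED_ROLES = %w[webshop storefront_production].freeze

# Build a CSR whose extReq attribute holds {oid => value}. Each entry is
# Sequence[OID, OctetString]; the OctetString carries the value as a DER
# UTF8String, which is why `openssl req -text` shows "..banana" (two header
# bytes, 0x0C 0x06, before the text).
def build_csr(certname, extension_requests, key = OpenSSL::PKey::RSA.new(2048))
  exts = extension_requests.map do |oid, value|
    OpenSSL::ASN1::Sequence.new([
      OpenSSL::ASN1::ObjectId.new(oid),
      OpenSSL::ASN1::OctetString.new(OpenSSL::ASN1::UTF8String.new(value.to_s).to_der)
    ])
  end
  csr = OpenSSL::X509::Request.new
  csr.version = 0
  csr.subject = OpenSSL::X509::Name.new([["CN", certname]])
  csr.public_key = key.public_key
  csr.add_attribute(OpenSSL::X509::Attribute.new("extReq",
                    OpenSSL::ASN1::Set.new([OpenSSL::ASN1::Sequence.new(exts)])))
  csr.sign(key, OpenSSL::Digest::SHA256.new)
  csr
end

# Strip the DER UTF8String wrapper; fall back to the raw bytes if it is absent.
def unwrap_extension_value(octets)
  decoded = OpenSSL::ASN1.decode(octets)
  decoded.value.is_a?(String) ? decoded.value : octets
rescue OpenSSL::ASN1::ASN1Error
  octets
end

# Return {dotted_oid => string} for every requested extension in a PEM CSR.
# ObjectId#oid gives the numeric form even when OpenSSL knows a short name.
def extension_requests(pem)
  csr = OpenSSL::X509::Request.new(pem)
  ext_req = csr.attributes.find { |a| a.oid == "extReq" }
  return {} unless ext_req
  ext_req.value.value.first.value.each_with_object({}) do |ext, out|
    # ext is [OID, (optional critical BOOLEAN), OctetString]; take both ends.
    out[ext.value.first.oid] = unwrap_extension_value(ext.value.last.value)
  end
end

# Compare without leaking where the first differing byte is.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Policy decision as [sign?, reason]. Puppet signs on exit 0, refuses otherwise.
def autosign_decision(pem)
  exts = extension_requests(pem)
  psk  = exts[PP_PRESHARED_KEY_OID]
  role = exts[PP_ROLE_OID]
  return [false, "no pp_preshared_key in CSR"] if psk.nil?
  return [false, "pp_preshared_key mismatch"] unless secure_equal?(psk, EXPECTED_PSK)
  return [false, "pp_role #{role.inspect} not in allow list"] unless ALLOWED_ROLES.include?(role)
  [true, "signing: role #{role}"]
end

if __FILE__ == $0
  good = build_csr("web01.example.com", { PP_PRESHARED_KEY_OID => "banana", PP_ROLE_OID => "webshop" })
  puts autosign_decision(good.to_pem).inspect   # => [true, "signing: role webshop"]
  rogue = build_csr("rogue.example.com", { PP_PRESHARED_KEY_OID => "guess", PP_ROLE_OID => "webshop" })
  puts autosign_decision(rogue.to_pem).inspect  # => [false, "pp_preshared_key mismatch"]
end
```

To turn this into a real autosign executable, replace the demo block with `exit(autosign_decision($stdin.read).first ? 0 : 1)`; Puppet passes the certname as ARGV[0] and the PEM CSR on stdin.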
Further Reading
• http://www.sebdangerfield.me.uk/2015/06/puppet-trusted-facts/
• https://docs.puppetlabs.com/puppet/3.8/reference/ssl_attributes_extensions.html#recommended-oids-for-extensions
• https://docs.puppetlabs.com/puppet/latest/reference/ssl_attributes_extensions.html
• https://docs.puppetlabs.com/puppet/latest/reference/config_file_csr_attributes.html
• https://docs.puppetlabs.com/puppet/latest/reference/lang_facts_and_builtin_vars.html#trusted-facts
Appendix 1 - autosign-psk.rb
#!/opt/puppetlabs/puppet/bin/ruby
# Policy-based autosign script: Puppet passes the certname as ARGV[0] and the
# PEM CSR on stdin; exit 0 signs the cert, any other status refuses it.
require "openssl"

csr = OpenSSL::X509::Request.new $stdin.read
atts = csr.attributes
if atts.empty?
  exit 1
end

key = nil
atts.each do |a|
  if a.oid == "extReq"
    # extReq -> Set[Sequence[Extension...]]; the first Extension is
    # Sequence[OID, OctetString] (a critical flag of false is omitted in DER).
    val = a.value.value.first.value.first.value
    if val[0].value == "1.3.6.1.4.1.34380.1.1.4"
      key = val[1].value
      # The agent stores the value as a DER UTF8String inside the octet string
      # (the "..banana" seen in `openssl req -text`); strip that wrapper.
      begin
        decoded = OpenSSL::ASN1.decode(key)
        key = decoded.value if decoded.value.is_a?(String)
      rescue OpenSSL::ASN1::ASN1Error
        # Not DER-wrapped; keep the raw bytes.
      end
      key = key.chomp
    end
  end
end

if key == "banana"
  print "Match\n"
  exit 0
else
  puts "The key in the CSR is #{key}, no match."
  print "No match\n"
  exit 1
end
Thanks!
• Stephen J Wallace
• whizbang.wallace@gmail.com
• Follow for details of CD training event in May 2016 -
@stphnwallace / @devopsdan
