Roles, Profiles &
Trusted Facts!
Puppet Meetup, 23rd Feb 2016
Stephen Wallace
https://au.linkedin.com/in/stephenwallace
@stphnwallace
Who am I?
Devops contractor
Home brewer
Connector of people
(3000+)
What do I do?
• Help people (companies) stay
relevant in a fast moving world
• Build people, which builds
teams. Collaborative Economy
• Help enough people get what
they want…
What Are Roles & Profiles?
• An area of confusion!
• Role: business speak
• Profile: tech stacks, think Lego
• Classification: role only!
• IT facilitates the business, right?
• Quick peek at site.pp
How can we apply a role?
• /etc/puppetlabs/facter/facts.d/BLAH
• export FACTER_role=thingo
• custom fact to read a file
• console
Do you want this flexibility in production?!
export FACTER_role=whatever
Whoever controls the agent process on the node controls the role it reports, and the master has no way to verify the claim before compiling a catalog for it.
Normal vs Trusted Facts
• Normal facts are self-reported by the node, and nothing guarantees their accuracy.
• Trusted facts are extracted from the node's certificate, which can prove that the CA checked and approved them.
• The variable name $trusted is reserved, so local scopes cannot re-use it.
• Useful for deciding whether a given node should receive sensitive data in its catalogue.
Enabling & Using Trusted Facts
$ sudo puppet config print trusted_node_data immutable_node_data --section master
trusted_node_data = true
immutable_node_data = true
(On Puppet 3.x both settings must be true for $trusted to be populated; from Puppet 4 onwards $trusted is always available and these two settings no longer exist.)
Example;
if $trusted['extensions']['pp_image_name'] == 'storefront_production' {
  include private::storefront::private_keys
}
Because the value comes out of the signed certificate, a node cannot obtain those keys by lying about its image name in a normal fact; it would need the CA to sign a cert carrying that extension.
(*) If trusted facts are enabled, any cert extension can be accessed in manifests as $trusted['extensions']['<EXTENSION OID>']; extensions under Puppet's registered OID arc are also exposed under their short names (pp_image_name, pp_role, ...), as in the example above.
(*) OID / name mapping can be found here - https://docs.puppetlabs.com/puppet/latest/reference/config_file_csr_attributes.html
What Other Practical Uses?
• Embed a deployment key ?
• $trusted['extensions']['pp_role'] ?
Setting Trusted Facts
• Extra data for the CSR is read from the csr_attributes.yaml file in Puppet Agent's $confdir.
• YAML hash containing one or both of the following keys:
  • custom_attributes (carried in the CSR only; discarded after signing and never copied into the certificate)
  • extension_requests (copied into the signed certificate, and from there into $trusted['extensions'])
• e.g.
---
extension_requests:
  pp_preshared_key: banana
• Putting the pre-shared key under extension_requests, as above, embeds it in the signed certificate and exposes it as a trusted fact to every manifest. For a one-time signing secret, custom_attributes is the safer place; the policy script then reads it from the CSR attributes rather than from the extReq extension list.
Checking for the CSR OIDs
• cd /etc/puppetlabs/puppet/ssl/ca/requests
• openssl req -noout -text -in ip-172-31-35-224.ap-southeast-2.compute.internal.pem
• Check out the attributes section
    Attributes:
        Requested Extensions:
            1.3.6.1.4.1.34380.1.1.4:
                ..banana
            1.3.6.1.4.1.34380.1.1.13:
                ..webshop
• 1.3.6.1.4.1.34380.1.1.4 is pp_preshared_key and 1.3.6.1.4.1.34380.1.1.13 is pp_role. The two dots in front of each value are the DER tag and length bytes of the UTF8String the agent wraps the value in; openssl prints them as non-printable characters, so a script reading the CSR has to decode that inner string rather than compare the raw bytes.
Cool bananas? :)
Puppet Agent Workflow - Before
• New agent generates a key pair and a CSR, and submits the CSR.
• Puppet master / CA signs the cert, and the catalog is served.
• Uses the cert for auth ongoing.
Puppet Agent Workflow - After
• New agent generates the CSR, reading in any additional attributes from the csr_attributes.yaml file in the Puppet agent's $confdir, and submits the CSR.
• Puppet master / CA signs the cert, optionally under a (*) policy-based autosigning rule, and the catalog is served.
• Uses the cert for auth ongoing; the master reads the trusted facts out of that cert on every catalog request, so the node cannot change them without getting a new cert signed.
Policy Based Autosigning
• puppet config set --section master autosign /usr/local/bin/autosign-psk.rb
• Can be used for policy based autosigning: the master runs the executable with the certname as its only argument and the PEM-encoded CSR on stdin, signs if it exits 0, and leaves the request pending otherwise. The file must be executable by the user the master runs as.
• See autosign-psk.rb in appendix
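The encode-and-check round trip behind the "Setting Trusted Facts", "Checking for the CSR OIDs" and "Policy Based Autosigning" slides, as an added example that is not part of the talk or of Puppet's own code. It builds a CSR carrying extension requests the way the agent does from csr_attributes.yaml, decodes them back the way the CA sees them (the same ASN.1 walk the appendix script makes), and then applies a policy decision that combines the pre-shared key with a pp_role allow-list. The OID table is only the subset needed here; EXPECTED_PSK, ALLOWED_ROLES and the certnames are assumptions for the example. It runs offline with the puppet-agent bundled Ruby or any Ruby with the openssl gem:

```ruby
#!/opt/puppetlabs/puppet/bin/ruby
# Added example (not from the talk): encode Puppet-style extension
# requests into a CSR, decode them back the way the CA sees them, and
# apply a policy-based autosign decision. No Puppet master is needed.
require 'openssl'

# Puppet's registered OID arc (1.3.6.1.4.1.34380.1.1) with the short names
# accepted in csr_attributes.yaml. Only the names this example needs are
# listed; the full mapping lives in the config_file_csr_attributes docs.
PP_OIDS = {
  'pp_uuid'          => '1.3.6.1.4.1.34380.1.1.1',
  'pp_instance_id'   => '1.3.6.1.4.1.34380.1.1.2',
  'pp_image_name'    => '1.3.6.1.4.1.34380.1.1.3',
  'pp_preshared_key' => '1.3.6.1.4.1.34380.1.1.4',
  'pp_role'          => '1.3.6.1.4.1.34380.1.1.13',
}.freeze
OID_NAMES = PP_OIDS.invert.freeze

# Agent side: what puppet agent does with the extension_requests hash from
# csr_attributes.yaml. Each value is DER-encoded as a UTF8String and placed
# in an X.509 extension; all extensions go into a single extReq attribute.
# The UTF8String tag and length bytes are the ".." shown in front of
# "banana" by openssl req -text.
def build_csr(certname, extension_requests, key = OpenSSL::PKey::RSA.new(2048))
  exts = extension_requests.map do |name, value|
    oid = PP_OIDS.fetch(name, name) # a raw dotted OID is accepted as-is
    OpenSSL::X509::Extension.new(oid, OpenSSL::ASN1::UTF8String.new(value.to_s).to_der, false)
  end
  csr = OpenSSL::X509::Request.new
  csr.version = 0
  csr.subject = OpenSSL::X509::Name.new([['CN', certname]])
  csr.public_key = key.public_key
  unless exts.empty?
    ext_req = OpenSSL::ASN1::Set.new([OpenSSL::ASN1::Sequence.new(exts)])
    csr.add_attribute(OpenSSL::X509::Attribute.new('extReq', ext_req))
  end
  csr.sign(key, OpenSSL::Digest.new('SHA256'))
  csr
end

# CA side: walk the extReq attribute down to (OID, value) pairs.
# extReq is SET { SEQUENCE OF Extension }, and each Extension is
# SEQUENCE { OID, [critical BOOLEAN,] OCTET STRING }. The OCTET STRING
# holds DER, so it is decoded a second time to recover the bare string;
# a value that is not DER (written by other tooling) is returned raw.
def extension_requests(csr)
  result = {}
  csr.attributes.each do |attr|
    next unless attr.oid == 'extReq' && attr.value.is_a?(OpenSSL::ASN1::Set)
    attr.value.value.first.value.each do |ext|
      fields = ext.value
      oid    = fields.first.oid # dotted form even for OIDs OpenSSL does not know
      raw    = fields.last.value
      value  = begin
        OpenSSL::ASN1.decode(raw).value.to_s
      rescue OpenSSL::ASN1::ASN1Error
        raw
      end
      result[OID_NAMES.fetch(oid, oid)] = value
    end
  end
  result
end

# Constant-time comparison so a wrong PSK is not distinguishable by timing.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Policy decision: the check autosign-psk.rb makes as an executable
# (certname in ARGV[0], PEM CSR on stdin, exit 0 to sign), with a role
# allow-list on top. EXPECTED_PSK and ALLOWED_ROLES are assumed values.
EXPECTED_PSK  = 'banana'.freeze
ALLOWED_ROLES = %w[webshop storefront].freeze

def autosign?(csr, expected_psk: EXPECTED_PSK, allowed_roles: ALLOWED_ROLES)
  exts = extension_requests(csr)
  psk  = exts['pp_preshared_key']
  role = exts['pp_role']
  return false if psk.nil? || role.nil?
  secure_equal?(psk, expected_psk) && allowed_roles.include?(role)
end

if __FILE__ == $PROGRAM_NAME
  # Constructed input mirroring the talk's csr_attributes.yaml plus a pp_role.
  csr = build_csr('ip-172-31-35-224.ap-southeast-2.compute.internal',
                  { 'pp_preshared_key' => 'banana', 'pp_role' => 'webshop' })
  p extension_requests(csr)
  puts(autosign?(csr) ? 'Match' : 'No match')
end
```

Wired into the master as the autosign policy, the decision method would be called from a main that reads ARGV[0] and $stdin and turns true/false into exit 0/1, exactly as the appendix script does; keeping the decision in a method is what makes it testable without a master.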
Further Reading
• http://www.sebdangerfield.me.uk/2015/06/puppet-trusted-facts/
• https://docs.puppetlabs.com/puppet/3.8/reference/ssl_attributes_extensions.html#recommended-oids-for-extensions
• https://docs.puppetlabs.com/puppet/latest/reference/ssl_attributes_extensions.html
• https://docs.puppetlabs.com/puppet/latest/reference/config_file_csr_attributes.html
• https://docs.puppetlabs.com/puppet/latest/reference/lang_facts_and_builtin_vars.html#trusted-facts
Appendix 1 - autosign-psk.rb
#!/opt/puppetlabs/puppet/bin/ruby
# Policy autosign executable: the master invokes it with the certname as
# the first argument and the PEM-encoded CSR on stdin. Exit 0 signs the
# CSR; any other status leaves it unsigned.
require "openssl"

PSK_OID = "1.3.6.1.4.1.34380.1.1.4"   # pp_preshared_key
EXPECTED_PSK = "banana"               # demo value; read it from a root-only file in production

certname = ARGV[0]
csr = OpenSSL::X509::Request.new($stdin.read)
atts = csr.attributes
if atts.empty?
  $stderr.puts "#{certname}: CSR carries no attributes, no match"
  exit 1
end

key = nil
atts.each do |a|
  next unless a.oid == "extReq"
  # extReq is SET { SEQUENCE OF Extension }; each Extension is
  # SEQUENCE { OID, [critical BOOLEAN,] OCTET STRING }. Walk every
  # extension rather than only the first, so the PSK is found wherever
  # it sits in the list.
  a.value.value.first.value.each do |ext|
    fields = ext.value
    next unless fields.first.oid == PSK_OID
    # The OCTET STRING holds DER (a UTF8String for values set from
    # csr_attributes.yaml), hence the two leading bytes openssl req -text
    # shows as "..". Decode it to get the bare string; fall back to the
    # raw bytes if it is not DER.
    raw = fields.last.value
    key = begin
      OpenSSL::ASN1.decode(raw).value.to_s.chomp
    rescue OpenSSL::ASN1::ASN1Error
      raw.chomp
    end
  end
end

if key == EXPECTED_PSK
  print "Match\n"
  exit 0
else
  puts "#{certname}: the key in the CSR is #{key.inspect}, no match."
  print "No match\n"
  exit 1
end
Thanks!
• Stephen J Wallace
• whizbang.wallace@gmail.com
• Follow for details of CD training event in May 2016 -
@stphnwallace / @devopsdan