Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

(GH-3296) Try both token and cert based auth for puppetdb #3297

Closed
wants to merge 1 commit into from
Closed

(GH-3296) Try both token and cert based auth for puppetdb #3297

wants to merge 1 commit into from

Conversation

donoghuc
Copy link
Member

@donoghuc donoghuc commented Apr 8, 2024

Previously token was always included in header. With this commit, try POST requests with token in header. If that returns 401 AND cert/key is configured, retry with auth header excluded.

Alternately we could just prefer cert/key, but that seems like it may be a bigger shift in behavior, especially if people are expecting token to track identity.

@donoghuc donoghuc requested a review from a team as a code owner April 8, 2024 21:45
nmburgan
nmburgan reviewed Apr 8, 2024
View reviewed changes
lib/bolt/puppetdb/instance.rb
@@ -16,6 +16,15 @@ def initialize(config:, project: nil, load_defaults: false)
@logger = Bolt::Logger.logger(self)
end

def post_puppetdb(url, body)
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think this means if you have an invalid token, it's always going to be making two requests every time and you'll get failures in the PDB log for each one. Also, if you don't have a token but you do have certs specified, this is going to have the same behavior (actually not sure if it's 401 if there is no X-Authentication header at all).

What if this chooses one or the other if only one is specified, and if both are specified, try the token first. If that fails, record that it failed and don't try using it again.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm open to that. I'll look at reducing requests.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Updated to persist token exclusion when it is determined to be problematic.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I am unable to reproduce a 401 other than the case where an invalid token is provided.

@donoghuc
(puppetlabsGH-3296) Try both token and cert based auth for puppetdb
58f2de8 
Previously token was always included in header. With this commit, try POST requests with token in header. If that returns 401 AND cert/key is configured, retry with auth header excluded.

!feature

* **Try cert based auth, failback to cert based auth for puppetdb** ([puppetlabs#3296](puppetlabs#3296))

  When both a token and cert are specified, try using the token in the
  x-auth header for puppetdb POSTs. If that responds with a 401, try
  again with the token excluded.
@donoghuc
Copy link
Member Author

donoghuc commented Apr 8, 2024

Looks like i've got some test cleanup to do. I'll figure that out in the morning.

@donoghuc
Copy link
Member Author

This approach is needlessly complex. Closing in favor of #3299

We may look at changing the way this is handed in puppetdb rbac.

@donoghuc donoghuc closed this Apr 11, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@nmburgan nmburgan nmburgan left review comments

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
2 participants
@donoghuc @nmburgan