fleetdm / fleet

Open-source platform for IT, security, and infrastructure teams. (Linux, macOS, Chrome, Windows, cloud, data center)
https://fleetdm.com

Configure Puppet module w/ GitOps user #15337

Closed noahtalerman closed 8 months ago

noahtalerman commented 1 year ago

Goal

User story
As an IT admin using Fleet's Puppet module,
I want to configure the Puppet module w/ a GitOps user
so that I can use the Puppet module w/o creating a user w/ admin access to Fleet.

Changes

Product

Engineering

QA

Risk assessment

Manual testing steps

  1. Step 1
  2. Step 2
  3. Step 3

Testing notes

Confirmation

  1. [ ] Engineer (@____): Added comment to user story confirming successful completion of QA.
  2. [ ] QA (@____): Added comment to user story confirming successful completion of QA.

georgekarrv commented 11 months ago

Please add your planning poker estimate with Zenhub @roperzh

georgekarrv commented 11 months ago

Please add your planning poker estimate with Zenhub @gillespi314

roperzh commented 10 months ago

Heads-up that I updated the description of this issue to allow GitOps to read the following endpoints:

We discussed in stand-up that it was okay to make this change.

As a last sanity check, I have been looking at the issue that implemented GitOps and it seems like we were in close communication with ~customer-domon every time we needed to give GitOps read access to endpoints, as this was their request. Raising this in case you want to sanity check w/ them.

cc: @noahtalerman @marko-lisica @georgekarrv

noahtalerman commented 10 months ago

Hey @roperzh thanks for the heads up! I think let's go ahead with making the change and updating the permissions docs.

If the customer has any concerns when they read the release notes or docs then they'll let us know then.

FYI @ksatter

roperzh commented 10 months ago

@noahtalerman @rachaelshaw do you have any thoughts about adding a query parameter named for_update to the endpoints listed above?

This is to keep them consistent with the other gitops exception we have:

https://github.com/fleetdm/fleet/blob/b3452a67a760c608b5119f58d5482f752cb94b57/docs/REST%20API/rest-api.md?plain=1#L4997

noahtalerman commented 9 months ago

@roperzh I think up to @rachaelshaw but here's my thoughts:

Can we give read-access to the GitOps user w/o adding the for_update query param?

It's likely we give GitOps read access to other endpoints in the future.

I'm wary of going down the road of adding a for_update parameter every time we want to give the GitOps user read access to some endpoints.

Why? I think it's confusing for the API user. If I'm writing an automation that hits GET /hosts/identifier/:identifier do I have to use it?

rachaelshaw commented 9 months ago

Can we give read-access to the GitOps user w/o adding the for_update query param?

It's likely we give GitOps read access to other endpoints in the future.

@roperzh I agree with @noahtalerman about leaving out the for_update parameter, if we can. If a parameter doesn't change anything about the data being returned (which looks like it doesn't, it's just an extra authorization step for GitOps users, right?) then I think it adds complexity we don't need.
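The two authorization designs being weighed above (a `for_update` opt-in parameter versus plain read access for the GitOps role) are easy to compare in code. The following is an added example written for this page, not Fleet's own authorizer or API: the role names, the `Request` shape, the endpoint list and the `for_update=true` convention are all assumed for illustration. It shows why the parameter is purely an authorization gate (the handler's output is unchanged) and why an automation that forgets it gets denied under design A but not under design B.

```go
package main

import (
	"fmt"
	"net/url"
)

// Role is the caller's role. The names are illustrative, not Fleet's constants.
type Role string

const (
	RoleAdmin  Role = "admin"
	RoleGitOps Role = "gitops"
)

// Request is the minimal shape of an API call the authorizer needs to see.
type Request struct {
	Method string
	Path   string // route pattern, e.g. "/hosts/identifier/:identifier"
	Query  url.Values
}

// newRequest builds a Request from a method, route pattern and raw query string
// (hypothetical helper so callers need not touch net/url directly).
func newRequest(method, path, rawQuery string) Request {
	q, err := url.ParseQuery(rawQuery)
	if err != nil {
		q = url.Values{}
	}
	return Request{Method: method, Path: path, Query: q}
}

// Endpoints the GitOps role is allowed to read (assumed list for the example).
var gitopsReadable = map[string]bool{
	"/hosts/identifier/:identifier": true,
}

// Design A: the "for_update" exception. GitOps may GET a listed endpoint only
// when the caller opts in with ?for_update=true; a plain GET is still denied.
// The parameter never changes the response body, it only unlocks the route.
func authorizeWithForUpdate(role Role, req Request) bool {
	if role == RoleAdmin {
		return true
	}
	if role == RoleGitOps && req.Method == "GET" && gitopsReadable[req.Path] {
		return req.Query.Get("for_update") == "true"
	}
	return false
}

// Design B: plain read access. GitOps is granted GET on the listed endpoints
// with no extra parameter; writes (anything but GET) stay denied.
func authorizePlainRead(role Role, req Request) bool {
	if role == RoleAdmin {
		return true
	}
	if role == RoleGitOps && req.Method == "GET" {
		return gitopsReadable[req.Path]
	}
	return false
}

func main() {
	// Constructed calls: an automation reading a host, with and without the flag,
	// and a write attempt that neither design should allow for GitOps.
	plainGet := newRequest("GET", "/hosts/identifier/:identifier", "")
	flaggedGet := newRequest("GET", "/hosts/identifier/:identifier", "for_update=true")
	post := newRequest("POST", "/hosts/identifier/:identifier", "")

	fmt.Println("design A, gitops GET without flag:", authorizeWithForUpdate(RoleGitOps, plainGet))
	fmt.Println("design A, gitops GET with flag:   ", authorizeWithForUpdate(RoleGitOps, flaggedGet))
	fmt.Println("design B, gitops GET:             ", authorizePlainRead(RoleGitOps, plainGet))
	fmt.Println("design A/B, gitops POST:          ",
		authorizeWithForUpdate(RoleGitOps, post), authorizePlainRead(RoleGitOps, post))
}
```

Under design A the first call is denied and the second allowed even though both would return the same host record, which is the "extra authorization step" the thread describes; under design B the GitOps user simply has read access, and write access is still refused by the method check rather than by a per-request flag.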

roperzh commented 9 months ago

@rachaelshaw thank you very much!! Do you want me to get rid of for_update? Or create a story for that?

rachaelshaw commented 9 months ago

@roperzh let's bring to Feature Fest; it's been around for a while, right? (cc @noahtalerman)

roperzh commented 9 months ago

will do, and yes! it's been around since we released gitops

sabrinabuckets commented 9 months ago

Paired with Roberto to verify fix.

noahtalerman commented 8 months ago

Docs PR is here (needs to be merged): https://github.com/fleetdm/fleet/pull/17367

@Patagonia121, heads up, this customer request was shipped in Fleet 4.47.

fleet-release commented 8 months ago

Puppet module tuned, GitOps user now in sync, Secure Fleet, unfettered.