I wanted to expose the PuppetDB query API to developers but without exposing too much information (for example file contents that could contain passwords etc.). So I've created a small filtering proxy for it using Apache and mod_ext_filter. It will allow any queries through but filter out the parameters on classes and resources in the replies. So you can still query for hosts matching certain criteria but without exposing every host's entire configuration.

I've seen some people on the #puppet IRC channel who have wanted something similar, so I thought I should describe it here.

It uses apache2, mod_ext_filter and mod_proxy_http, so activate them.

Put this filter in /usr/local/bin/puppetdb-resource-filter


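#!/usr/bin/env ruby
require 'json'

# Read the proxied JSON reply from stdin and blank the parameters of every resource.
out = JSON.parse($stdin.read).each do |item|
  item['parameters'] = {}
end
puts JSON.generate(out)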


And add an Apache config containing this (and modify to use HTTPS, password auth/ssl cert auth or whatever you want in it):

# Run every filtered JSON reply through the script installed above
ExtFilterDefine puppetdb-strip-resource-params mode=output \
    intype=application/json outtype=application/json \
    cmd="/usr/local/bin/puppetdb-resource-filter"

<VirtualHost *:80>
    <Proxy *>
        Order Allow,Deny
        Allow from all
    </Proxy>

    ProxyPreserveHost On
    <Location "/">
        ProxyPass http://localhost:8080/
        ProxyPassReverse http://localhost:8080/
    </Location>

    # Filter this endpoint
    <Location "/resources">
        SetOutputFilter puppetdb-strip-resource-params
    </Location>

    # Deny access to this endpoint
    <Location "/commands">
        Deny from all
    </Location>
</VirtualHost>


Erik Dalén
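
A fail-closed variant of the filter above, as an added example that is not part of the original post: it empties 'parameters' the same way, but returns an empty list when the upstream body is not a JSON array of resource objects, so a reply of unexpected shape is replaced rather than relayed. The function name, the sample reply and its field names other than 'parameters' are constructed for illustration.

```ruby
require 'json'

# Added example, not the original post's filter. Returns the JSON text to send
# to the client: the resource list with every 'parameters' hash emptied, or an
# empty list when the upstream body is not the expected array of resources.
def strip_parameters(body)
  data = JSON.parse(body)
  # Fail closed: anything that is not an array of JSON objects (an error
  # document, a changed response format) is replaced rather than passed on.
  return '[]' unless data.is_a?(Array) && data.all? { |item| item.is_a?(Hash) }

  data.each { |item| item['parameters'] = {} }
  JSON.generate(data)
rescue JSON::ParserError
  # Not JSON at all: also answer with an empty list.
  '[]'
end

# Constructed sample reply from the /resources endpoint (not real data).
SAMPLE = <<~SAMPLE_JSON
  [
    {"certname": "web01.example.com", "type": "File", "title": "/etc/app/db.conf",
     "exported": false, "tags": ["file", "app"],
     "parameters": {"ensure": "file", "content": "password=constructed-secret"}},
    {"certname": "web01.example.com", "type": "Class", "title": "Ntp",
     "exported": false, "tags": ["class", "ntp"],
     "parameters": {"servers": ["0.pool.ntp.org"]}}
  ]
SAMPLE_JSON

# Used as the ExtFilterDefine command, the script would instead end with:
#   print strip_parameters($stdin.read)
puts strip_parameters(SAMPLE)
```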

Posted to puppet-users on Nov 22, '12 at 5:06p