Hi Moritz,
sounds like a big step in the right direction.
I’m wondering if splitting the permissions a tiny bit further would make sense. If I understand the permissions correctly, it won’t make a difference if the host a user tries to register has been registered before. I think when it comes to a user that is used in scripts and whose password is hence possibly widely accessible, it would be nice to only allow the “initial” registration but no kind of “re-registering”. I.e. once a host has been registered as “db01” and handed it’s TLS certificate, you can’t simply register another host claiming to be “db01”
(Come to think of it though, I think this is less of an issue for TLS registration and more for the bakery, where another host claiming to be “db01” could actually download an agent that it shouldn’t have access to. Maybe however it is also an issue for TLS registration once the push-agent comes into play, where suddenly another host could claim to be “db01” and sent malicious/misleading agent output incl. piggyback data.)
Does that make sense?
Gerd