Puppet currently supports some simplistic authorization systems, but only the puppetmasterd server currently does any listening, and the authorization only works for file copying.
This needs to be extended to support any element type, so it can be used for interactive use and node to node copies.
Update: For 0.16.0, a simple authorization mechanism was provided. It is not very granular, in that it only provides control over which hosts can call a given namespace or method on a namespace, but it's useful for at least providing equivalencies between hosts or for declaring that a given host has largely unfettered access to another host.
A configuration might look something like this:
[pelementserver] allow puppet.reductivelabs.com [puppetca] allow * [filebucket] allow *.reductivelabs.com
