The basic need:
These operations need to be performed in order, which is easily achieved with saltstack using publish.publish. Access to perform operations on agent Y is managed by the salt master.
The closest thing I have been able to find in puppet is 'external resources' (ER), since they can be used to perform operations on other agents, but ER's fall short in many ways:
they don't support operation ordering
targeting is based on tags, which does not take security into account
they are so decoupled that you can't know from reading the code where an operation will be performed or where it comes from.
there is no way to get feedback on the success or failure of an operation
Is there any puppet alternative to saltstacks publish.publish?