Diffstat (limited to 'puppet/auth.conf')
-rw-r--r--puppet/auth.conf99
1 files changed, 99 insertions, 0 deletions
diff --git a/puppet/auth.conf b/puppet/auth.conf
new file mode 100644
index 0000000..47740dc
--- /dev/null
+++ b/puppet/auth.conf
@@ -0,0 +1,99 @@
+# This is an example auth.conf file, it mimics the puppetmasterd defaults
+#
+# The ACL are checked in order of appearance in this file.
+#
+# Supported syntax:
+# This file supports two different syntax depending on how
+# you want to express the ACL.
+#
+# Path syntax (the one used below):
+# ---------------------------------
+# path /path/to/resource
+# [environment envlist]
+# [method methodlist]
+# [auth[enthicated] {yes|no|on|off|any}]
+# allow [host|ip|*]
+# deny [host|ip]
+#
+# The path is matched as a prefix. That is /file match at
+# the same time /file_metadat and /file_content.
+#
+# Regex syntax:
+# -------------
+# This one is differenciated from the path one by a '~'
+#
+# path ~ regex
+# [environment envlist]
+# [method methodlist]
+# [auth[enthicated] {yes|no|on|off|any}]
+# allow [host|ip|*]
+# deny [host|ip]
+#
+# The regex syntax is the same as ruby ones.
+#
+# Ex:
+# path ~ .pp$
+# will match every resource ending in .pp (manifests files for instance)
+#
+# path ~ ^/path/to/resource
+# is essentially equivalent to path /path/to/resource
+#
+# environment:: restrict an ACL to a specific set of environments
+# method:: restrict an ACL to a specific set of methods
+# auth:: restrict an ACL to an authenticated or unauthenticated request
+# the default when unspecified is to restrict the ACL to authenticated requests
+# (ie exactly as if auth yes was present).
+#
+
+# Allow authenticated nodes to retrieve their own catalogs:
+
+path ~ ^/catalog/([^/]+)$
+method find
+allow $1
+
+# allow nodes to retrieve their own node definition
+
+path ~ ^/node/([^/]+)$
+method find
+allow $1
+
+# Allow authenticated nodes to access any file services --- in practice, this results in fileserver.conf being consulted:
+
+path /file
+allow *
+
+# Allow authenticated nodes to access the certificate revocation list:
+
+path /certificate_revocation_list/ca
+method find
+allow *
+
+# Allow authenticated nodes to send reports:
+
+path /report
+method save
+allow *
+
+# Allow unauthenticated access to certificates:
+
+path /certificate/ca
+auth no
+method find
+allow *
+
+path /certificate/
+auth no
+method find
+allow *
+
+# Allow unauthenticated nodes to submit certificate signing requests:
+
+path /certificate_request
+auth no
+method find, save
+allow *
+
+# Deny all other requests:
+
+path /
+auth any
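Review bot: The `/report` ACL (`path /report` / `method save` / `allow *`) lets any authenticated node submit a report under any node name, even though the catalog and node ACLs earlier in the same file already show how to scope a request to the requesting node; the same pattern applies here: `path ~ ^/report/([^/]+)$` / `method save` / `allow $1`. The `path /file` entry with `allow *` likewise grants every authenticated node every file-serving mount, so the comment's "fileserver.conf being consulted" is the only place restrictions can live — worth stating that explicitly in the comment rather than leaving it as an aside. The closing block under "Deny all other requests" contains no `deny` line at all; denial comes only from the absence of an `allow`, which is easy to misread when editing, so I would add `# no allow directive: anything reaching this catch-all is denied` after `auth any`. Since the header describes this as mimicking the puppetmasterd defaults, a note on which entries were deliberately kept as-is would help the next maintainer know what was reviewed.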