Initial config target

1 files changed, 21 insertions, 16 deletions

diff --git a/templates/puppet/auth.conf.erb b/templates/puppet/auth.conf.erb
index 431e4b2..47740dc 100644
--- a/templates/puppet/auth.conf.erb
+++ b/templates/puppet/auth.conf.erb
@@ -45,34 +45,37 @@
 # (ie exactly as if auth yes was present).
 #
 
-### Authenticated ACL - those applies only when the client
-### has a valid certificate and is thus authenticated
+# Allow authenticated nodes to retrieve their own catalogs:
 
-# allow nodes to retrieve their own catalog (ie their configuration)
 path ~ ^/catalog/([^/]+)$
 method find
 allow $1
 
-# allow all nodes to access the certificates services
+# allow nodes to retrieve their own node definition
+
+path ~ ^/node/([^/]+)$
+method find
+allow $1
+
+# Allow authenticated nodes to access any file services --- in practice, this results in fileserver.conf being consulted:
+
+path /file
+allow *
+
+# Allow authenticated nodes to access the certificate revocation list:
+
 path /certificate_revocation_list/ca
 method find
 allow *
 
-# allow all nodes to store their reports
+# Allow authenticated nodes to send reports:
+
 path /report
 method save
 allow *
 
-# inconditionnally allow access to all files services
-# which means in practice that fileserver.conf will
-# still be used
-path /file
-allow *
+# Allow unauthenticated access to certificates:
 
-### Unauthenticated ACL, for clients for which the current master doesn't
-### have a valid certificate
-
-# allow access to the master CA
 path /certificate/ca
 auth no
 method find
@@ -83,12 +86,14 @@ auth no
 method find
 allow *
 
+# Allow unauthenticated nodes to submit certificate signing requests:
+
 path /certificate_request
 auth no
 method find, save
 allow *
 
-# this one is not stricly necessary, but it has the merit
-# to show the default policy which is deny everything else
+# Deny all other requests:
+
 path /
 auth any