diff options
| author | drebs <drebs@riseup.net> | 2011-03-11 14:53:39 -0300 |
|---|---|---|
| committer | drebs <drebs@riseup.net> | 2011-03-11 14:53:39 -0300 |
| commit | 01b2048dbf02ac726dabde5e846b9d6ac9aff0e6 (patch) | |
| tree | 28f13f07a483a73ffcbfb25e4aba0c40f3d656bb /templates/puppet/auth.conf.erb | |
| download | puppet-bootstrap-01b2048dbf02ac726dabde5e846b9d6ac9aff0e6.tar.gz puppet-bootstrap-01b2048dbf02ac726dabde5e846b9d6ac9aff0e6.tar.bz2 | |
initial recommit
Diffstat (limited to 'templates/puppet/auth.conf.erb')
| -rw-r--r-- | templates/puppet/auth.conf.erb | 94 |
1 files changed, 94 insertions, 0 deletions
diff --git a/templates/puppet/auth.conf.erb b/templates/puppet/auth.conf.erb new file mode 100644 index 0000000..431e4b2 --- /dev/null +++ b/templates/puppet/auth.conf.erb @@ -0,0 +1,94 @@ +# This is an example auth.conf file, it mimics the puppetmasterd defaults +# +# The ACL are checked in order of appearance in this file. +# +# Supported syntax: +# This file supports two different syntax depending on how +# you want to express the ACL. +# +# Path syntax (the one used below): +# --------------------------------- +# path /path/to/resource +# [environment envlist] +# [method methodlist] +# [auth[enthicated] {yes|no|on|off|any}] +# allow [host|ip|*] +# deny [host|ip] +# +# The path is matched as a prefix. That is /file match at +# the same time /file_metadat and /file_content. +# +# Regex syntax: +# ------------- +# This one is differenciated from the path one by a '~' +# +# path ~ regex +# [environment envlist] +# [method methodlist] +# [auth[enthicated] {yes|no|on|off|any}] +# allow [host|ip|*] +# deny [host|ip] +# +# The regex syntax is the same as ruby ones. +# +# Ex: +# path ~ .pp$ +# will match every resource ending in .pp (manifests files for instance) +# +# path ~ ^/path/to/resource +# is essentially equivalent to path /path/to/resource +# +# environment:: restrict an ACL to a specific set of environments +# method:: restrict an ACL to a specific set of methods +# auth:: restrict an ACL to an authenticated or unauthenticated request +# the default when unspecified is to restrict the ACL to authenticated requests +# (ie exactly as if auth yes was present). +# + +### Authenticated ACL - those applies only when the client +### has a valid certificate and is thus authenticated + +# allow nodes to retrieve their own catalog (ie their configuration) +path ~ ^/catalog/([^/]+)$ +method find +allow $1 + +# allow all nodes to access the certificates services +path /certificate_revocation_list/ca +method find +allow * + +# allow all nodes to store their reports +path /report +method save +allow * + +# inconditionnally allow access to all files services +# which means in practice that fileserver.conf will +# still be used +path /file +allow * + +### Unauthenticated ACL, for clients for which the current master doesn't +### have a valid certificate + +# allow access to the master CA +path /certificate/ca +auth no +method find +allow * + +path /certificate/ +auth no +method find +allow * + +path /certificate_request +auth no +method find, save +allow * + +# this one is not stricly necessary, but it has the merit +# to show the default policy which is deny everything else +path / +auth any |