author | Silvio Rhatto <rhatto@riseup.net> | 2014-03-04 11:38:24 -0300 |
---|---|---|
committer | Silvio Rhatto <rhatto@riseup.net> | 2014-03-04 11:38:24 -0300 |
commit | 71e2d679d6757b9f7b6680468c4c6d6e3c42dcc6 (patch) | |
tree | ba38cef2d9f7aac04f5e333f65e6ba29eedd655b /templates/puppet/auth.conf.erb | |
parent | e1db7cfa877187a2e711e1f6500e452cf24fa006 (diff) | |
download | puppet-bootstrap-71e2d679d6757b9f7b6680468c4c6d6e3c42dcc6.tar.gz puppet-bootstrap-71e2d679d6757b9f7b6680468c4c6d6e3c42dcc6.tar.bz2 |
Initial config target
Diffstat (limited to 'templates/puppet/auth.conf.erb')
-rw-r--r-- | templates/puppet/auth.conf.erb | 37 |
1 files changed, 21 insertions, 16 deletions
diff --git a/templates/puppet/auth.conf.erb b/templates/puppet/auth.conf.erb
index 431e4b2..47740dc 100644
--- a/templates/puppet/auth.conf.erb
+++ b/templates/puppet/auth.conf.erb
@@ -45,34 +45,37 @@
 # (ie exactly as if auth yes was present).
 #
-### Authenticated ACL - those applies only when the client
-### has a valid certificate and is thus authenticated
+# Allow authenticated nodes to retrieve their own catalogs:
-# allow nodes to retrieve their own catalog (ie their configuration)
 path ~ ^/catalog/([^/]+)$
 method find
 allow $1
-# allow all nodes to access the certificates services
+# allow nodes to retrieve their own node definition
+
+path ~ ^/node/([^/]+)$
+method find
+allow $1
+
+# Allow authenticated nodes to access any file services --- in practice, this results in fileserver.conf being consulted:
+
+path /file
+allow *
+
+# Allow authenticated nodes to access the certificate revocation list:
+
 path /certificate_revocation_list/ca
 method find
 allow *
-# allow all nodes to store their reports
+# Allow authenticated nodes to send reports:
+
 path /report
 method save
 allow *
-# inconditionnally allow access to all files services
-# which means in practice that fileserver.conf will
-# still be used
-path /file
-allow *
+# Allow unauthenticated access to certificates:
-### Unauthenticated ACL, for clients for which the current master doesn't
-### have a valid certificate
-
-# allow access to the master CA
 path /certificate/ca
 auth no
 method find
@@ -83,12 +86,14 @@
 auth no
 method find
 allow *
+# Allow unauthenticated nodes to submit certificate signing requests:
+
 path /certificate_request
 auth no
 method find, save
 allow *
-# this one is not stricly necessary, but it has the merit
-# to show the default policy which is deny everything else
+# Deny all other requests:
+
 path /
 auth any |
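Review bot: The relocated `/file` rule (`path /file` followed by `allow *`) lets every node holding a signed certificate reach any file service, yet its new comment only says that fileserver.conf is consulted; it should state that this rule delegates all per-mount, per-node restriction to fileserver.conf, because nothing in this stanza limits which node may fetch which mount. The hunk's own context line `# (ie exactly as if auth yes was present).` establishes that auth yes is the default, so the stanza is authenticated-only, but since this file spells out `auth no` and `auth any` elsewhere, writing `auth yes` under `path /file` would make that boundary visible without changing behaviour. Suggested comment: `# Authenticated nodes may reach any file service; per-mount node restrictions live in fileserver.conf, not here.`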
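Review bot: The comment added above `path /certificate_request` should spell out what `auth no` together with `method find, save` and `allow *` implies: any client that can reach the master, certificate or not, may submit a CSR under any name and retrieve pending requests, so this rule is the whole enrollment gate whenever automatic signing is turned on (autosign is configured outside this file, so that dependency is presumably worth confirming against the master's settings). Suggested wording: `# Allow unauthenticated clients to submit and read certificate signing requests; keep autosign off or restricted, as nothing here limits who may request a certificate.` The `auth no` / `method find` / `allow *` context at the top of this hunk belongs to a stanza whose `path` line lies outside the hunk.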