aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--templates/puppet/auth.conf.erb113
1 files changed, 67 insertions, 46 deletions
diff --git a/templates/puppet/auth.conf.erb b/templates/puppet/auth.conf.erb
index 47740dc..96f078c 100644
--- a/templates/puppet/auth.conf.erb
+++ b/templates/puppet/auth.conf.erb
@@ -1,99 +1,120 @@
-# This is an example auth.conf file, it mimics the puppetmasterd defaults
+# This is the default auth.conf file, which implements the default rules
+# used by the puppet master. (That is, the rules below will still apply
+# even if this file is deleted.)
#
-# The ACL are checked in order of appearance in this file.
+# The ACLs are evaluated in top-down order. More specific stanzas should
+# be towards the top of the file and more general ones at the bottom;
+# otherwise, the general rules may "steal" requests that should be
+# governed by the specific rules.
+#
+# See http://docs.puppetlabs.com/guides/rest_auth_conf.html for a more complete
+# description of auth.conf's behavior.
#
# Supported syntax:
-# This file supports two different syntax depending on how
-# you want to express the ACL.
+# Each stanza in auth.conf starts with a path to match, followed
+# by optional modifiers, and finally, a series of allow or deny
+# directives.
#
-# Path syntax (the one used below):
+# Example Stanza
# ---------------------------------
-# path /path/to/resource
+# path /path/to/resource # simple prefix match
+# # path ~ regex # alternately, regex match
# [environment envlist]
# [method methodlist]
# [auth[enthicated] {yes|no|on|off|any}]
-# allow [host|ip|*]
-# deny [host|ip]
+# allow [host|backreference|*|regex]
+# deny [host|backreference|*|regex]
+# allow_ip [ip|cidr|ip_wildcard|*]
+# deny_ip [ip|cidr|ip_wildcard|*]
#
-# The path is matched as a prefix. That is /file match at
-# the same time /file_metadat and /file_content.
+# The path match can either be a simple prefix match or a regular
+# expression. `path /file` would match both `/file_metadata` and
+# `/file_content`. Regex matches allow the use of backreferences
+# in the allow/deny directives.
#
-# Regex syntax:
-# -------------
-# This one is differenciated from the path one by a '~'
+# The regex syntax is the same as for Ruby regex, and captures backreferences
+# for use in the `allow` and `deny` lines of that stanza
#
-# path ~ regex
-# [environment envlist]
-# [method methodlist]
-# [auth[enthicated] {yes|no|on|off|any}]
-# allow [host|ip|*]
-# deny [host|ip]
+# Examples:
#
-# The regex syntax is the same as ruby ones.
+# path ~ ^/path/to/resource # Equivalent to `path /path/to/resource`.
+# allow * # Allow all authenticated nodes (since auth
+# # defaults to `yes`).
#
-# Ex:
-# path ~ .pp$
-# will match every resource ending in .pp (manifests files for instance)
+# path ~ ^/catalog/([^/]+)$ # Permit nodes to access their own catalog (by
+# allow $1 # certname), but not any other node's catalog.
#
-# path ~ ^/path/to/resource
-# is essentially equivalent to path /path/to/resource
+# path ~ ^/file_(metadata|content)/extra_files/ # Only allow certain nodes to
+# auth yes # access the "extra_files"
+# allow /^(.+)\.example\.com$/ # mount point; note this must
+# allow_ip 192.168.100.0/24 # go ABOVE the "/file" rule,
+# # since it is more specific.
#
-# environment:: restrict an ACL to a specific set of environments
-# method:: restrict an ACL to a specific set of methods
+# environment:: restrict an ACL to a comma-separated list of environments
+# method:: restrict an ACL to a comma-separated list of HTTP methods
# auth:: restrict an ACL to an authenticated or unauthenticated request
# the default when unspecified is to restrict the ACL to authenticated requests
# (ie exactly as if auth yes was present).
#
-# Allow authenticated nodes to retrieve their own catalogs:
+### Authenticated ACLs - these rules apply only when the client
+### has a valid certificate and is thus authenticated
+# allow nodes to retrieve their own catalog
path ~ ^/catalog/([^/]+)$
method find
allow $1
# allow nodes to retrieve their own node definition
-
path ~ ^/node/([^/]+)$
method find
allow $1
-# Allow authenticated nodes to access any file services --- in practice, this results in fileserver.conf being consulted:
-
-path /file
-allow *
-
-# Allow authenticated nodes to access the certificate revocation list:
-
+# allow all nodes to access the certificates services
path /certificate_revocation_list/ca
method find
allow *
-# Allow authenticated nodes to send reports:
-
-path /report
+# allow all nodes to store their own reports
+path ~ ^/report/([^/]+)$
method save
+allow $1
+
+# Allow all nodes to access all file services; this is necessary for
+# pluginsync, file serving from modules, and file serving from custom
+# mount points (see fileserver.conf). Note that the `/file` prefix matches
+# requests to both the file_metadata and file_content paths. See "Examples"
+# above if you need more granular access control for custom mount points.
+path /file
allow *
-# Allow unauthenticated access to certificates:
+### Unauthenticated ACLs, for clients without valid certificates; authenticated
+### clients can also access these paths, though they rarely need to.
+# allow access to the CA certificate; unauthenticated nodes need this
+# in order to validate the puppet master's certificate
path /certificate/ca
-auth no
+auth any
method find
allow *
+# allow nodes to retrieve the certificate they requested earlier
path /certificate/
-auth no
+auth any
method find
allow *
-# Allow unauthenticated nodes to submit certificate signing requests:
-
+# allow nodes to request a new certificate
path /certificate_request
-auth no
+auth any
method find, save
allow *
-# Deny all other requests:
+path /v2.0/environments
+method find
+allow *
+# deny everything else; this ACL is not strictly necessary, but
+# illustrates the default policy.
path /
auth any