diff options
-rw-r--r-- | templates/puppet/auth.conf.erb | 113 |
1 files changed, 67 insertions, 46 deletions
diff --git a/templates/puppet/auth.conf.erb b/templates/puppet/auth.conf.erb index 47740dc..96f078c 100644 --- a/templates/puppet/auth.conf.erb +++ b/templates/puppet/auth.conf.erb @@ -1,99 +1,120 @@ -# This is an example auth.conf file, it mimics the puppetmasterd defaults +# This is the default auth.conf file, which implements the default rules +# used by the puppet master. (That is, the rules below will still apply +# even if this file is deleted.) # -# The ACL are checked in order of appearance in this file. +# The ACLs are evaluated in top-down order. More specific stanzas should +# be towards the top of the file and more general ones at the bottom; +# otherwise, the general rules may "steal" requests that should be +# governed by the specific rules. +# +# See http://docs.puppetlabs.com/guides/rest_auth_conf.html for a more complete +# description of auth.conf's behavior. # # Supported syntax: -# This file supports two different syntax depending on how -# you want to express the ACL. +# Each stanza in auth.conf starts with a path to match, followed +# by optional modifiers, and finally, a series of allow or deny +# directives. # -# Path syntax (the one used below): +# Example Stanza # --------------------------------- -# path /path/to/resource +# path /path/to/resource # simple prefix match +# # path ~ regex # alternately, regex match # [environment envlist] # [method methodlist] # [auth[enthicated] {yes|no|on|off|any}] -# allow [host|ip|*] -# deny [host|ip] +# allow [host|backreference|*|regex] +# deny [host|backreference|*|regex] +# allow_ip [ip|cidr|ip_wildcard|*] +# deny_ip [ip|cidr|ip_wildcard|*] # -# The path is matched as a prefix. That is /file match at -# the same time /file_metadat and /file_content. +# The path match can either be a simple prefix match or a regular +# expression. `path /file` would match both `/file_metadata` and +# `/file_content`. Regex matches allow the use of backreferences +# in the allow/deny directives. # -# Regex syntax: -# ------------- -# This one is differenciated from the path one by a '~' +# The regex syntax is the same as for Ruby regex, and captures backreferences +# for use in the `allow` and `deny` lines of that stanza # -# path ~ regex -# [environment envlist] -# [method methodlist] -# [auth[enthicated] {yes|no|on|off|any}] -# allow [host|ip|*] -# deny [host|ip] +# Examples: # -# The regex syntax is the same as ruby ones. +# path ~ ^/path/to/resource # Equivalent to `path /path/to/resource`. +# allow * # Allow all authenticated nodes (since auth +# # defaults to `yes`). # -# Ex: -# path ~ .pp$ -# will match every resource ending in .pp (manifests files for instance) +# path ~ ^/catalog/([^/]+)$ # Permit nodes to access their own catalog (by +# allow $1 # certname), but not any other node's catalog. # -# path ~ ^/path/to/resource -# is essentially equivalent to path /path/to/resource +# path ~ ^/file_(metadata|content)/extra_files/ # Only allow certain nodes to +# auth yes # access the "extra_files" +# allow /^(.+)\.example\.com$/ # mount point; note this must +# allow_ip 192.168.100.0/24 # go ABOVE the "/file" rule, +# # since it is more specific. # -# environment:: restrict an ACL to a specific set of environments -# method:: restrict an ACL to a specific set of methods +# environment:: restrict an ACL to a comma-separated list of environments +# method:: restrict an ACL to a comma-separated list of HTTP methods # auth:: restrict an ACL to an authenticated or unauthenticated request # the default when unspecified is to restrict the ACL to authenticated requests # (ie exactly as if auth yes was present). # -# Allow authenticated nodes to retrieve their own catalogs: +### Authenticated ACLs - these rules apply only when the client +### has a valid certificate and is thus authenticated +# allow nodes to retrieve their own catalog path ~ ^/catalog/([^/]+)$ method find allow $1 # allow nodes to retrieve their own node definition - path ~ ^/node/([^/]+)$ method find allow $1 -# Allow authenticated nodes to access any file services --- in practice, this results in fileserver.conf being consulted: - -path /file -allow * - -# Allow authenticated nodes to access the certificate revocation list: - +# allow all nodes to access the certificates services path /certificate_revocation_list/ca method find allow * -# Allow authenticated nodes to send reports: - -path /report +# allow all nodes to store their own reports +path ~ ^/report/([^/]+)$ method save +allow $1 + +# Allow all nodes to access all file services; this is necessary for +# pluginsync, file serving from modules, and file serving from custom +# mount points (see fileserver.conf). Note that the `/file` prefix matches +# requests to both the file_metadata and file_content paths. See "Examples" +# above if you need more granular access control for custom mount points. +path /file allow * -# Allow unauthenticated access to certificates: +### Unauthenticated ACLs, for clients without valid certificates; authenticated +### clients can also access these paths, though they rarely need to. +# allow access to the CA certificate; unauthenticated nodes need this +# in order to validate the puppet master's certificate path /certificate/ca -auth no +auth any method find allow * +# allow nodes to retrieve the certificate they requested earlier path /certificate/ -auth no +auth any method find allow * -# Allow unauthenticated nodes to submit certificate signing requests: - +# allow nodes to request a new certificate path /certificate_request -auth no +auth any method find, save allow * -# Deny all other requests: +path /v2.0/environments +method find +allow * +# deny everything else; this ACL is not strictly necessary, but +# illustrates the default policy. path / auth any |