diff options
Diffstat (limited to 'auth.conf')
-rw-r--r-- | auth.conf | 100 |
1 files changed, 0 insertions, 100 deletions
diff --git a/auth.conf b/auth.conf deleted file mode 100644 index 92aae26..0000000 --- a/auth.conf +++ /dev/null @@ -1,100 +0,0 @@ -# This is an example auth.conf file, it mimics the puppetmasterd defaults -# -# The ACL are checked in order of appearance in this file. -# -# Supported syntax: -# This file supports two different syntax depending on how -# you want to express the ACL. -# -# Path syntax (the one used below): -# --------------------------------- -# path /path/to/resource -# [environment envlist] -# [method methodlist] -# [auth[enthicated] {yes|no|on|off|any}] -# allow [host|ip|*] -# deny [host|ip] -# -# The path is matched as a prefix. That is /file match at -# the same time /file_metadat and /file_content. -# -# Regex syntax: -# ------------- -# This one is differenciated from the path one by a '~' -# -# path ~ regex -# [environment envlist] -# [method methodlist] -# [auth[enthicated] {yes|no|on|off|any}] -# allow [host|ip|*] -# deny [host|ip] -# -# The regex syntax is the same as ruby ones. -# -# Ex: -# path ~ .pp$ -# will match every resource ending in .pp (manifests files for instance) -# -# path ~ ^/path/to/resource -# is essentially equivalent to path /path/to/resource -# -# environment:: restrict an ACL to a specific set of environments -# method:: restrict an ACL to a specific set of methods -# auth:: restrict an ACL to an authenticated or unauthenticated request -# the default when unspecified is to restrict the ACL to authenticated requests -# (ie exactly as if auth yes was present). -# - -### Authenticated ACL - those applies only when the client -### has a valid certificate and is thus authenticated - -# allow nodes to retrieve their own catalog (ie their configuration) -path ~ ^/catalog/([^/]+)$ -method find -allow $1 - -# allow nodes to retrieve their own node definition -path ~ ^/node/([^/]+)$ -method find -allow $1 - -# allow all nodes to access the certificates services -path /certificate_revocation_list/ca -method find -allow * - -# allow all nodes to store their own reports -path ~ ^/report/([^/]+)$ -method save -allow $1 - -# inconditionnally allow access to all files services -# which means in practice that fileserver.conf will -# still be used -path /file -allow * - -### Unauthenticated ACL, for clients for which the current master doesn't -### have a valid certificate; we allow authenticated users, too, because -### there isn't a great harm in letting that request through. - -# allow access to the master CA -path /certificate/ca -auth any -method find -allow * - -path /certificate/ -auth any -method find -allow * - -path /certificate_request -auth any -method find, save -allow * - -# this one is not stricly necessary, but it has the merit -# to show the default policy which is deny everything else -path / -auth any |