aboutsummaryrefslogtreecommitdiff
path: root/templates/puppet/auth.conf.erb
blob: 47740dcf986c07d70bc5e3f526172a13858b4be9 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
# This is an example auth.conf file, it mimics the puppetmasterd defaults
#
# The ACL are checked in order of appearance in this file.
#
# Supported syntax:
# This file supports two different syntax depending on how
# you want to express the ACL.
#
# Path syntax (the one used below):
# ---------------------------------
# path /path/to/resource
# [environment envlist]
# [method methodlist]
# [auth[enthicated] {yes|no|on|off|any}]
# allow [host|ip|*]
# deny [host|ip]
#
# The path is matched as a prefix. That is /file match at
# the same time /file_metadat and /file_content.
#
# Regex syntax:
# -------------
# This one is differenciated from the path one by a '~'
#
# path ~ regex
# [environment envlist]
# [method methodlist]
# [auth[enthicated] {yes|no|on|off|any}]
# allow [host|ip|*]
# deny [host|ip]
#
# The regex syntax is the same as ruby ones.
#
# Ex:
# path ~ .pp$
# will match every resource ending in .pp (manifests files for instance)
#
# path ~ ^/path/to/resource
# is essentially equivalent to path /path/to/resource
#
# environment:: restrict an ACL to a specific set of environments
# method:: restrict an ACL to a specific set of methods
# auth:: restrict an ACL to an authenticated or unauthenticated request
# the default when unspecified is to restrict the ACL to authenticated requests
# (ie exactly as if auth yes was present).
#

# Allow authenticated nodes to retrieve their own catalogs:

path ~ ^/catalog/([^/]+)$
method find
allow $1

# allow nodes to retrieve their own node definition

path ~ ^/node/([^/]+)$
method find
allow $1

# Allow authenticated nodes to access any file services --- in practice, this results in fileserver.conf being consulted:

path /file
allow *

# Allow authenticated nodes to access the certificate revocation list:

path /certificate_revocation_list/ca
method find
allow *

# Allow authenticated nodes to send reports:

path /report
method save
allow *

# Allow unauthenticated access to certificates:

path /certificate/ca
auth no
method find
allow *

path /certificate/
auth no
method find
allow *

# Allow unauthenticated nodes to submit certificate signing requests:

path /certificate_request
auth no
method find, save
allow *

# Deny all other requests:

path /
auth any