Foreman » Installer

#

# Managed by Puppet

#

# This is the default auth.conf file, which implements the default rules

# used by the puppet master. (That is, the rules below will still apply

# even if this file is deleted.)

#

# The ACLs are evaluated in top-down order. More specific stanzas should

# be towards the top of the file and more general ones at the bottom;

# otherwise, the general rules may "steal" requests that should be

# governed by the specific rules.

#

# See https://puppet.com/docs/puppet/latest/config_file_auth.html

# for a more complete description of auth.conf's behavior.

#

# Supported syntax:

# Each stanza in auth.conf starts with a path to match, followed

# by optional modifiers, and finally, a series of allow or deny

# directives.

#

# Example Stanza

# ---------------------------------

# path /path/to/resource # simple prefix match

# # path ~ regex # alternately, regex match

# [environment envlist]

# [method methodlist]

# [auth[enthicated] {yes|no|on|off|any}]

# allow [host|backreference|*|regex]

# deny [host|backreference|*|regex]

# allow_ip [ip|cidr|ip_wildcard|*]

# deny_ip [ip|cidr|ip_wildcard|*]

#

# The path match can either be a simple prefix match or a regular

# expression. `path /file` would match both `/file_metadata` and

# `/file_content`. Regex matches allow the use of backreferences

# in the allow/deny directives.

#

# The regex syntax is the same as for Ruby regex, and captures backreferences

# for use in the `allow` and `deny` lines of that stanza

#

# Examples:

#

# path ~ ^/puppet/v3/path/to/resource # Equivalent to `path /puppet/v3/path/to/resource`.

# allow * # Allow all authenticated nodes (since auth

# # defaults to `yes`).

#

# path ~ ^/puppet/v3/catalog/([^/]+)$ # Permit nodes to access their own catalog (by

# allow $1 # certname), but not any other node's catalog.

#

# path ~ ^/puppet/v3/file_(metadata|content)/extra_files/ # Only allow certain nodes to

# auth yes # access the "extra_files"

# allow /^(.+)\.example\.com$/ # mount point; note this must

# allow_ip 192.168.100.0/24 # go ABOVE the "/file" rule,

# # since it is more specific.

#

# environment:: restrict an ACL to a comma-separated list of environments

# method:: restrict an ACL to a comma-separated list of HTTP methods

# auth:: restrict an ACL to an authenticated or unauthenticated request

# the default when unspecified is to restrict the ACL to authenticated requests

# (ie exactly as if auth yes was present).

#

# CONTROLLING FILE ACCESS (previously in fileserver.conf)

# In previous versions of Puppet, you controlled file access by adding

# rules to fileserver.conf. In Puppet 5 with Puppet Server, you can control

# file access in auth.conf by controlling the /file_metadata(s)/<mount point>,

# /file_content(s)/<mount point>, and /static_file_content/<file> paths. See the

# Puppet Server documentation at

# https://puppet.com/docs/puppetserver/latest/config_file_auth.html.

#

# If you are not using Puppet Server, or are using Puppet Server but with the

# "jruby-puppet.use-legacy-auth-conf" setting set to "true", you could set the

# desired file access in a new rule in this file. For example:

#

# path ~ ^/file_(metadata|content)s?/extra_files/

# auth yes

# allow /^(.+)\.example\.com$/

# allow_ip 192.168.100.0/24

#

# If added to auth.conf BEFORE the default "path /file" rule, this rule

# will add stricter restrictions to the extra_files mount point.

### Authenticated ACLs - these rules apply only when the client

### has a valid certificate and is thus authenticated

path /puppet/v3/environments

method find

allow *

# allow nodes to retrieve their own catalog

path ~ ^/puppet/v3/catalog/([^/]+)$

method find

allow <%= @auth_allowed.join(', ') %>

# allow nodes to retrieve their own node definition

path ~ ^/puppet/v3/node/([^/]+)$

method find

allow <%= @auth_allowed.join(', ') %>

# allow all nodes to store their own reports

path ~ ^/puppet/v3/report/([^/]+)$

method save

allow <%= @auth_allowed.join(', ') %>

# allow all nodes to update their own facts

path ~ ^/puppet/v3/facts/([^/]+)$

method save

allow <%= @auth_allowed.join(', ') %>

# Allow all nodes to access all file services; this is necessary for

# pluginsync, file serving from modules, and file serving from custom

# mount points (see fileserver.conf). Note that the `/file` prefix matches

# requests to both the file_metadata and file_content paths. See "Examples"

# above if you need more granular access control for custom mount points.

path /puppet/v3/file

allow *

path /puppet/v3/status

method find

allow *

# allow all nodes to access the certificates services

path /puppet-ca/v1/certificate_revocation_list/ca

<% if @allow_any_crl_auth -%>

auth any

<% end -%>

method find

allow *

### Unauthenticated ACLs, for clients without valid certificates; authenticated

### clients can also access these paths, though they rarely need to.

# allow access to the CA certificate; unauthenticated nodes need this

# in order to validate the puppet master's certificate

path /puppet-ca/v1/certificate/ca

auth any

method find

allow *

# allow nodes to retrieve the certificate they requested earlier

path /puppet-ca/v1/certificate/

auth any

method find

allow *

# allow nodes to request a new certificate

path /puppet-ca/v1/certificate_request

auth any

method find, save

allow *

<% if scope.lookupvar('::puppet::listen') -%>

path /run

auth any

method save

allow <%= if (!@listen_to.empty?) then @listen_to.join(",") elsif ( @puppetmaster and !@puppetmaster.empty? ) then @puppetmaster else @fqdn end %>

<% end -%>

# deny everything else; this ACL is not strictly necessary, but

# illustrates the default policy.

path /

auth any