|
#
|
|
# Managed by Puppet
|
|
#
|
|
# This is the default auth.conf file, which implements the default rules
|
|
# used by the puppet master. (That is, the rules below will still apply
|
|
# even if this file is deleted.)
|
|
#
|
|
# The ACLs are evaluated in top-down order. More specific stanzas should
|
|
# be towards the top of the file and more general ones at the bottom;
|
|
# otherwise, the general rules may "steal" requests that should be
|
|
# governed by the specific rules.
|
|
#
|
|
# See https://puppet.com/docs/puppet/latest/config_file_auth.html
|
|
# for a more complete description of auth.conf's behavior.
|
|
#
|
|
# Supported syntax:
|
|
# Each stanza in auth.conf starts with a path to match, followed
|
|
# by optional modifiers, and finally, a series of allow or deny
|
|
# directives.
|
|
#
|
|
# Example Stanza
|
|
# ---------------------------------
|
|
# path /path/to/resource # simple prefix match
|
|
# # path ~ regex # alternately, regex match
|
|
# [environment envlist]
|
|
# [method methodlist]
|
|
# [auth[enthicated] {yes|no|on|off|any}]
|
|
# allow [host|backreference|*|regex]
|
|
# deny [host|backreference|*|regex]
|
|
# allow_ip [ip|cidr|ip_wildcard|*]
|
|
# deny_ip [ip|cidr|ip_wildcard|*]
|
|
#
|
|
# The path match can either be a simple prefix match or a regular
|
|
# expression. `path /file` would match both `/file_metadata` and
|
|
# `/file_content`. Regex matches allow the use of backreferences
|
|
# in the allow/deny directives.
|
|
#
|
|
# The regex syntax is the same as for Ruby regex, and captures backreferences
|
|
# for use in the `allow` and `deny` lines of that stanza
|
|
#
|
|
# Examples:
|
|
#
|
|
# path ~ ^/puppet/v3/path/to/resource # Equivalent to `path /puppet/v3/path/to/resource`.
|
|
# allow * # Allow all authenticated nodes (since auth
|
|
# # defaults to `yes`).
|
|
#
|
|
# path ~ ^/puppet/v3/catalog/([^/]+)$ # Permit nodes to access their own catalog (by
|
|
# allow $1 # certname), but not any other node's catalog.
|
|
#
|
|
# path ~ ^/puppet/v3/file_(metadata|content)/extra_files/ # Only allow certain nodes to
|
|
# auth yes # access the "extra_files"
|
|
# allow /^(.+)\.example\.com$/ # mount point; note this must
|
|
# allow_ip 192.168.100.0/24 # go ABOVE the "/file" rule,
|
|
# # since it is more specific.
|
|
#
|
|
# environment:: restrict an ACL to a comma-separated list of environments
|
|
# method:: restrict an ACL to a comma-separated list of HTTP methods
|
|
# auth:: restrict an ACL to an authenticated or unauthenticated request
|
|
# the default when unspecified is to restrict the ACL to authenticated requests
|
|
# (ie exactly as if auth yes was present).
|
|
#
|
|
|
|
# CONTROLLING FILE ACCESS (previously in fileserver.conf)
|
|
|
|
# In previous versions of Puppet, you controlled file access by adding
|
|
# rules to fileserver.conf. In Puppet 5 with Puppet Server, you can control
|
|
# file access in auth.conf by controlling the /file_metadata(s)/<mount point>,
|
|
# /file_content(s)/<mount point>, and /static_file_content/<file> paths. See the
|
|
# Puppet Server documentation at
|
|
# https://puppet.com/docs/puppetserver/latest/config_file_auth.html.
|
|
#
|
|
# If you are not using Puppet Server, or are using Puppet Server but with the
|
|
# "jruby-puppet.use-legacy-auth-conf" setting set to "true", you could set the
|
|
# desired file access in a new rule in this file. For example:
|
|
#
|
|
# path ~ ^/file_(metadata|content)s?/extra_files/
|
|
# auth yes
|
|
# allow /^(.+)\.example\.com$/
|
|
# allow_ip 192.168.100.0/24
|
|
#
|
|
# If added to auth.conf BEFORE the default "path /file" rule, this rule
|
|
# will add stricter restrictions to the extra_files mount point.
|
|
|
|
### Authenticated ACLs - these rules apply only when the client
|
|
### has a valid certificate and is thus authenticated
|
|
|
|
path /puppet/v3/environments
|
|
method find
|
|
allow *
|
|
|
|
# allow nodes to retrieve their own catalog
|
|
path ~ ^/puppet/v3/catalog/([^/]+)$
|
|
method find
|
|
allow <%= @auth_allowed.join(', ') %>
|
|
|
|
# allow nodes to retrieve their own node definition
|
|
path ~ ^/puppet/v3/node/([^/]+)$
|
|
method find
|
|
allow <%= @auth_allowed.join(', ') %>
|
|
|
|
# allow all nodes to store their own reports
|
|
path ~ ^/puppet/v3/report/([^/]+)$
|
|
method save
|
|
allow <%= @auth_allowed.join(', ') %>
|
|
|
|
# allow all nodes to update their own facts
|
|
path ~ ^/puppet/v3/facts/([^/]+)$
|
|
method save
|
|
allow <%= @auth_allowed.join(', ') %>
|
|
|
|
# Allow all nodes to access all file services; this is necessary for
|
|
# pluginsync, file serving from modules, and file serving from custom
|
|
# mount points (see fileserver.conf). Note that the `/file` prefix matches
|
|
# requests to both the file_metadata and file_content paths. See "Examples"
|
|
# above if you need more granular access control for custom mount points.
|
|
path /puppet/v3/file
|
|
allow *
|
|
|
|
path /puppet/v3/status
|
|
method find
|
|
allow *
|
|
|
|
# allow all nodes to access the certificates services
|
|
path /puppet-ca/v1/certificate_revocation_list/ca
|
|
<% if @allow_any_crl_auth -%>
|
|
auth any
|
|
<% end -%>
|
|
method find
|
|
allow *
|
|
|
|
### Unauthenticated ACLs, for clients without valid certificates; authenticated
|
|
### clients can also access these paths, though they rarely need to.
|
|
|
|
# allow access to the CA certificate; unauthenticated nodes need this
|
|
# in order to validate the puppet master's certificate
|
|
path /puppet-ca/v1/certificate/ca
|
|
auth any
|
|
method find
|
|
allow *
|
|
|
|
# allow nodes to retrieve the certificate they requested earlier
|
|
path /puppet-ca/v1/certificate/
|
|
auth any
|
|
method find
|
|
allow *
|
|
|
|
# allow nodes to request a new certificate
|
|
path /puppet-ca/v1/certificate_request
|
|
auth any
|
|
method find, save
|
|
allow *
|
|
<% if scope.lookupvar('::puppet::listen') -%>
|
|
|
|
path /run
|
|
auth any
|
|
method save
|
|
allow <%= if (!@listen_to.empty?) then @listen_to.join(",") elsif ( @puppetmaster and !@puppetmaster.empty? ) then @puppetmaster else @fqdn end %>
|
|
<% end -%>
|
|
|
|
# deny everything else; this ACL is not strictly necessary, but
|
|
# illustrates the default policy.
|
|
path /
|
|
auth any
|