|
# This file implements the defaults used by the puppet master.
|
|
#
|
|
# The ACLs are evaluated in top-down order. More general
|
|
# stanzas should be towards the bottom of the file and more
|
|
# specific ones at the top, otherwise the general rules
|
|
# take precedence and later rules will not be evaluated.
|
|
#
|
|
# Supported syntax:
|
|
# Each stanza in auth.conf starts with a path to mach, followed
|
|
# by optional modifiers, and finally, a series of allow or deny
|
|
# directives.
|
|
#
|
|
# Example Stanza
|
|
# ---------------------------------
|
|
# path /path/to/resource # simple prefix match
|
|
# # path ~ regex # alternately, regex match
|
|
# [environment envlist]
|
|
# [method methodlist]
|
|
# [auth[enthicated] {yes|no|on|off|any}]
|
|
# allow [host|backreference|*]
|
|
# deny [host|backreference|*]
|
|
# allow_ip [ip|cidr|ip_wildcard|*]
|
|
# deny_ip [ip|cidr|ip_wildcard|*]
|
|
#
|
|
# The path match can either be a simple prefix match or a regular
|
|
# expression. `path /file` would match both `/file_metadata` and
|
|
# `/file_content`. Regex matches allow the use of backreferences
|
|
# in the allow/deny directives.
|
|
#
|
|
# The regex syntax is the same as for Ruby regex, and captures backreferences
|
|
# for use in the `allow` and `deny` lines of that stanza
|
|
#
|
|
# Examples:
|
|
# path ~ ^/path/to/resource # equivalent to `path /path/to/resource`
|
|
# allow *
|
|
#
|
|
# path ~ ^/catalog/([^/]+)$ # permit access only for the
|
|
# allow $1 # node whose cert matches the path
|
|
#
|
|
# environment:: restrict an ACL to a comma-separated list of environments
|
|
# method:: restrict an ACL to a comma-separated list of HTTP methods
|
|
# auth:: restrict an ACL to an authenticated or unauthenticated request
|
|
# the default when unspecified is to restrict the ACL to authenticated requests
|
|
# (ie exactly as if auth yes was present).
|
|
#
|
|
|
|
### Authenticated paths - these apply only when the client
|
|
### has a valid certificate and is thus authenticated
|
|
|
|
# allow nodes to retrieve their own catalog
|
|
path ~ ^/catalog/([^/]+)$
|
|
method find
|
|
allow $1
|
|
|
|
# allow nodes to retrieve their own node definition
|
|
path ~ ^/node/([^/]+)$
|
|
method find
|
|
allow $1
|
|
|
|
# allow all nodes to access the certificates services
|
|
path /certificate_revocation_list/ca
|
|
method find
|
|
allow *
|
|
|
|
# allow all nodes to store their reports
|
|
path /report
|
|
method save
|
|
allow *
|
|
|
|
# unconditionally allow access to all file services
|
|
# which means in practice that fileserver.conf will
|
|
# still be used
|
|
path /file
|
|
allow *
|
|
|
|
### Unauthenticated ACL, for clients for which the current master doesn't
|
|
### have a valid certificate; we allow authenticated users, too, because
|
|
### there isn't a great harm in letting that request through.
|
|
|
|
# allow access to the master CA
|
|
path /certificate/ca
|
|
auth any
|
|
method find
|
|
allow *
|
|
|
|
path /certificate/
|
|
auth any
|
|
method find
|
|
allow *
|
|
|
|
path /certificate_request
|
|
auth any
|
|
method find, save
|
|
allow *
|
|
|
|
<% if scope.lookupvar('::puppet::listen') -%>
|
|
path /run
|
|
auth any
|
|
method save
|
|
allow <%= if ( @puppetmaster and !@puppetmaster.empty? ) then @puppetmaster else @fqdn end %>
|
|
|
|
<% end -%>
|
|
# this one is not stricly necessary, but it has the merit
|
|
# of showing the default policy, which is deny everything else
|
|
path /
|
|
auth any
|
