diff options
Diffstat (limited to 'auth.conf')
| -rw-r--r-- | auth.conf | 60 |
1 files changed, 32 insertions, 28 deletions
@@ -7,8 +7,8 @@ # otherwise, the general rules may "steal" requests that should be # governed by the specific rules. # -# See http://docs.puppetlabs.com/guides/rest_auth_conf.html for a more complete -# description of auth.conf's behavior. +# See https://docs.puppetlabs.com/puppet/latest/reference/config_file_auth.html +# for a more complete description of auth.conf's behavior. # # Supported syntax: # Each stanza in auth.conf starts with a path to match, followed @@ -37,18 +37,18 @@ # # Examples: # -# path ~ ^/path/to/resource # Equivalent to `path /path/to/resource`. -# allow * # Allow all authenticated nodes (since auth -# # defaults to `yes`). +# path ~ ^/puppet/v3/path/to/resource # Equivalent to `path /puppet/v3/path/to/resource`. +# allow * # Allow all authenticated nodes (since auth +# # defaults to `yes`). # -# path ~ ^/catalog/([^/]+)$ # Permit nodes to access their own catalog (by -# allow $1 # certname), but not any other node's catalog. +# path ~ ^/puppet/v3/catalog/([^/]+)$ # Permit nodes to access their own catalog (by +# allow $1 # certname), but not any other node's catalog. # -# path ~ ^/file_(metadata|content)/extra_files/ # Only allow certain nodes to -# auth yes # access the "extra_files" -# allow /^(.+)\.example\.com$/ # mount point; note this must -# allow_ip 192.168.100.0/24 # go ABOVE the "/file" rule, -# # since it is more specific. +# path ~ ^/puppet/v3/file_(metadata|content)/extra_files/ # Only allow certain nodes to +# auth yes # access the "extra_files" +# allow /^(.+)\.example\.com$/ # mount point; note this must +# allow_ip 192.168.100.0/24 # go ABOVE the "/file" rule, +# # since it is more specific. # # environment:: restrict an ACL to a comma-separated list of environments # method:: restrict an ACL to a comma-separated list of HTTP methods @@ -60,23 +60,22 @@ ### Authenticated ACLs - these rules apply only when the client ### has a valid certificate and is thus authenticated +path /puppet/v3/environments +method find +allow * + # allow nodes to retrieve their own catalog -path ~ ^/catalog/([^/]+)$ +path ~ ^/puppet/v3/catalog/([^/]+)$ method find allow $1 # allow nodes to retrieve their own node definition -path ~ ^/node/([^/]+)$ +path ~ ^/puppet/v3/node/([^/]+)$ method find allow $1 -# allow all nodes to access the certificates services -path /certificate_revocation_list/ca -method find -allow * - # allow all nodes to store their own reports -path ~ ^/report/([^/]+)$ +path ~ ^/puppet/v3/report/([^/]+)$ method save allow $1 @@ -85,7 +84,16 @@ allow $1 # mount points (see fileserver.conf). Note that the `/file` prefix matches # requests to both the file_metadata and file_content paths. See "Examples" # above if you need more granular access control for custom mount points. -path /file +path /puppet/v3/file +allow * + +path /puppet/v3/status +method find +allow * + +# allow all nodes to access the certificates services +path /puppet-ca/v1/certificate_revocation_list/ca +method find allow * ### Unauthenticated ACLs, for clients without valid certificates; authenticated @@ -93,27 +101,23 @@ allow * # allow access to the CA certificate; unauthenticated nodes need this # in order to validate the puppet master's certificate -path /certificate/ca +path /puppet-ca/v1/certificate/ca auth any method find allow * # allow nodes to retrieve the certificate they requested earlier -path /certificate/ +path /puppet-ca/v1/certificate/ auth any method find allow * # allow nodes to request a new certificate -path /certificate_request +path /puppet-ca/v1/certificate_request auth any method find, save allow * -path /v2.0/environments -method find -allow * - # deny everything else; this ACL is not strictly necessary, but # illustrates the default policy. path / |