Diffstat (limited to 'puppetserver/conf.d/auth.conf')
-rw-r--r--puppetserver/conf.d/auth.conf263
1 files changed, 263 insertions, 0 deletions
diff --git a/puppetserver/conf.d/auth.conf b/puppetserver/conf.d/auth.conf
new file mode 100644
index 0000000..5059f0a
--- /dev/null
+++ b/puppetserver/conf.d/auth.conf
@@ -0,0 +1,263 @@
+authorization: {
+ version: 1
+ rules: [
+ {
+ # Allow nodes to retrieve their own catalog
+ match-request: {
+ path: "^/puppet/v3/catalog/([^/]+)$"
+ type: regex
+ method: [get, post]
+ }
+ allow: "$1"
+ sort-order: 500
+ name: "puppetlabs v3 catalog from agents"
+ },
+ {
+ # Allow services to retrieve catalogs on behalf of others
+ match-request: {
+ path: "^/puppet/v4/catalog/?$"
+ type: regex
+ method: post
+ }
+ deny: "*"
+ sort-order: 500
+ name: "puppetlabs v4 catalog for services"
+ },
+ {
+ # Allow nodes to retrieve the certificate they requested earlier
+ match-request: {
+ path: "/puppet-ca/v1/certificate/"
+ type: path
+ method: get
+ }
+ allow-unauthenticated: true
+ sort-order: 500
+ name: "puppetlabs certificate"
+ },
+ {
+ # Allow all nodes to access the certificate revocation list
+ match-request: {
+ path: "/puppet-ca/v1/certificate_revocation_list/ca"
+ type: path
+ method: get
+ }
+ allow-unauthenticated: true
+ sort-order: 500
+ name: "puppetlabs crl"
+ },
+ {
+ # Allow nodes to request a new certificate
+ match-request: {
+ path: "/puppet-ca/v1/certificate_request"
+ type: path
+ method: [get, put]
+ }
+ allow-unauthenticated: true
+ sort-order: 500
+ name: "puppetlabs csr"
+ },
+ {
+ # Allow the CA CLI to access the certificate_status endpoint
+ match-request: {
+ path: "/puppet-ca/v1/certificate_status"
+ type: path
+ method: [get, put, delete]
+ }
+ allow: {
+ extensions: {
+ pp_cli_auth: "true"
+ }
+ }
+ sort-order: 500
+ name: "puppetlabs cert status"
+ },
+ {
+ match-request: {
+ path: "^/puppet-ca/v1/certificate_revocation_list$"
+ type: regex
+ method: put
+ }
+ allow: {
+ extensions: {
+ pp_cli_auth: "true"
+ }
+ }
+ sort-order: 500
+ name: "puppetlabs CRL update"
+ },
+ {
+ # Allow the CA CLI to access the certificate_statuses endpoint
+ match-request: {
+ path: "/puppet-ca/v1/certificate_statuses"
+ type: path
+ method: get
+ }
+ allow: {
+ extensions: {
+ pp_cli_auth: "true"
+ }
+ }
+ sort-order: 500
+ name: "puppetlabs cert statuses"
+ },
+ {
+ # Allow authenticated access to the CA expirations endpoint
+ match-request: {
+ path: "/puppet-ca/v1/expirations"
+ type: path
+ method: get
+ }
+ allow: "*"
+ sort-order: 500
+ name: "puppetlabs CA cert and CRL expirations"
+ },
+ {
+ # Allow the CA CLI to access the certificate clean endpoint
+ match-request: {
+ path: "/puppet-ca/v1/clean"
+ type: path
+ method: put
+ }
+ allow: {
+ extensions: {
+ pp_cli_auth: "true"
+ }
+ }
+ sort-order: 500
+ name: "puppetlabs cert clean"
+ },
+ {
+ # Allow unauthenticated access to the status service endpoint
+ match-request: {
+ path: "/status/v1/services"
+ type: path
+ method: get
+ }
+ allow-unauthenticated: true
+ sort-order: 500
+ name: "puppetlabs status service - full"
+ },
+ {
+ match-request: {
+ path: "/status/v1/simple"
+ type: path
+ method: get
+ }
+ allow-unauthenticated: true
+ sort-order: 500
+ name: "puppetlabs status service - simple"
+ },
+ {
+ match-request: {
+ path: "/puppet/v3/environments"
+ type: path
+ method: get
+ }
+ allow: "*"
+ sort-order: 500
+ name: "puppetlabs environments"
+ },
+ {
+ # Allow nodes to access all file_bucket_files. Note that access for
+ # the 'delete' method is forbidden by Puppet regardless of the
+ # configuration of this rule.
+ match-request: {
+ path: "/puppet/v3/file_bucket_file"
+ type: path
+ method: [get, head, post, put]
+ }
+ allow: "*"
+ sort-order: 500
+ name: "puppetlabs file bucket file"
+ },
+ {
+ # Allow nodes to access all file_content. Note that access for the
+ # 'delete' method is forbidden by Puppet regardless of the
+ # configuration of this rule.
+ match-request: {
+ path: "/puppet/v3/file_content"
+ type: path
+ method: [get, post]
+ }
+ allow: "*"
+ sort-order: 500
+ name: "puppetlabs file content"
+ },
+ {
+ # Allow nodes to access all file_metadata. Note that access for the
+ # 'delete' method is forbidden by Puppet regardless of the
+ # configuration of this rule.
+ match-request: {
+ path: "/puppet/v3/file_metadata"
+ type: path
+ method: [get, post]
+ }
+ allow: "*"
+ sort-order: 500
+ name: "puppetlabs file metadata"
+ },
+ {
+ # Allow nodes to retrieve only their own node definition
+ match-request: {
+ path: "^/puppet/v3/node/([^/]+)$"
+ type: regex
+ method: get
+ }
+ allow: "$1"
+ sort-order: 500
+ name: "puppetlabs node"
+ },
+ {
+ # Allow nodes to store only their own reports
+ match-request: {
+ path: "^/puppet/v3/report/([^/]+)$"
+ type: regex
+ method: put
+ }
+ allow: "$1"
+ sort-order: 500
+ name: "puppetlabs report"
+ },
+ {
+ # Allow nodes to update their own facts
+ match-request: {
+ path: "^/puppet/v3/facts/([^/]+)$"
+ type: regex
+ method: put
+ }
+ allow: "$1"
+ sort-order: 500
+ name: "puppetlabs facts"
+ },
+ {
+ match-request: {
+ path: "/puppet/v3/static_file_content"
+ type: path
+ method: get
+ }
+ allow: "*"
+ sort-order: 500
+ name: "puppetlabs static file content"
+ },
+ {
+ match-request: {
+ path: "/puppet/v3/tasks"
+ type: path
+ }
+ allow: "*"
+ sort-order: 500
+ name: "puppet tasks information"
+ },
+ {
+ # Deny everything else. This ACL is not strictly
+ # necessary, but illustrates the default policy
+ match-request: {
+ path: "/"
+ type: path
+ }
+ deny: "*"
+ sort-order: 999
+ name: "puppetlabs deny all"
+ }
+ ]
+}
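Review bot: The "puppetlabs status service - full" rule on `/status/v1/services` is reachable without a client certificate, while the `/status/v1/simple` rule directly below it already serves unauthenticated liveness checks; the full endpoint presumably exposes more detail about the running services, so unless an unauthenticated consumer needs it, tighten it to `allow: "*"` (any node holding a signed cert) or filter it at the network edge. The `/puppet/v3/tasks` rule carries no `method` key and so matches every HTTP verb, unlike the neighbouring rules; if those endpoints are read-only, as the name suggests, add `method: get` to keep the least-privilege shape. The `file_content` and `file_metadata` rules with `allow: "*"` let any node with a signed certificate fetch any module file in any environment, which matches upstream's default but deserves a warning next to the rule: `# Any signed node can read every module file in every environment -- never ship secrets in module files.`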