1 | # This is the default auth.conf file, which implements the default rules |
2 | # used by the puppet master. (That is, the rules below will still apply | |
3 | # even if this file is deleted.) | |
4 | # | |
5 | # The ACLs are evaluated in top-down order. More specific stanzas should | |
6 | # be towards the top of the file and more general ones at the bottom; | |
7 | # otherwise, the general rules may "steal" requests that should be | |
8 | # governed by the specific rules. | |
9 | # | |
10 | # See https://docs.puppetlabs.com/puppet/latest/reference/config_file_auth.html | |
11 | # for a more complete description of auth.conf's behavior. | |
12 | # | |
13 | # Supported syntax: | |
14 | # Each stanza in auth.conf starts with a path to match, followed | |
15 | # by optional modifiers, and finally, a series of allow or deny | |
16 | # directives. | |
17 | # | |
18 | # Example Stanza | |
19 | # --------------------------------- | |
20 | # path /path/to/resource # simple prefix match | |
21 | # # path ~ regex # alternately, regex match | |
22 | # [environment envlist] | |
23 | # [method methodlist] | |
24 | # [auth[enticated] {yes|no|on|off|any}] | |
25 | # allow [host|backreference|*|regex] | |
26 | # deny [host|backreference|*|regex] | |
27 | # allow_ip [ip|cidr|ip_wildcard|*] | |
28 | # deny_ip [ip|cidr|ip_wildcard|*] | |
29 | # | |
30 | # The path match can either be a simple prefix match or a regular | |
31 | # expression. `path /file` would match both `/file_metadata` and | |
32 | # `/file_content`. Regex matches allow the use of backreferences | |
33 | # in the allow/deny directives. | |
34 | # | |
35 | # The regex syntax is the same as Ruby's, and each regex match captures backreferences | |
36 | # for use in the `allow` and `deny` lines of that stanza. | |
37 | # | |
38 | # Examples: | |
39 | # | |
40 | # path ~ ^/puppet/v3/path/to/resource # Equivalent to `path /puppet/v3/path/to/resource`. | |
41 | # allow * # Allow all authenticated nodes (since auth | |
42 | # # defaults to `yes`). | |
43 | # | |
44 | # path ~ ^/puppet/v3/catalog/([^/]+)$ # Permit nodes to access their own catalog (by | |
45 | # allow $1 # certname), but not any other node's catalog. | |
46 | # | |
47 | # path ~ ^/puppet/v3/file_(metadata|content)/extra_files/ # Only allow certain nodes to | |
48 | # auth yes # access the "extra_files" | |
49 | # allow /^(.+)\.example\.com$/ # mount point; note this must | |
50 | # allow_ip 192.168.100.0/24 # go ABOVE the "/file" rule, | |
51 | # # since it is more specific. | |
52 | # | |
53 | # environment:: restrict an ACL to a comma-separated list of environments | |
54 | # method:: restrict an ACL to a comma-separated list of HTTP methods | |
55 | # auth:: restrict an ACL to authenticated or unauthenticated requests; | |
56 | # the default when unspecified is to restrict the ACL to authenticated requests | |
57 | # (i.e. exactly as if `auth yes` were present). | |
58 | # | |
59 | ||
60 | ### Authenticated ACLs - these rules apply only when the client | |
61 | ### has a valid certificate and is thus authenticated | |
62 | ||
63 | path /puppet/v3/environments | |
64 | method find | |
65 | allow * | |
66 | ||
67 | # allow nodes to retrieve their own catalog | |
68 | path ~ ^/puppet/v3/catalog/([^/]+)$ | |
69 | method find | |
70 | allow $1 | |
71 | ||
72 | # allow nodes to retrieve their own node definition | |
73 | path ~ ^/puppet/v3/node/([^/]+)$ | |
74 | method find | |
75 | allow $1 | |
76 | ||
77 | # allow all nodes to store their own reports | |
78 | path ~ ^/puppet/v3/report/([^/]+)$ | |
79 | method save | |
80 | allow $1 | |
81 | ||
82 | # Allow all nodes to access all file services; this is necessary for | |
83 | # pluginsync, file serving from modules, and file serving from custom | |
84 | # mount points (see fileserver.conf). Note that the `/file` prefix matches | |
85 | # requests to both the file_metadata and file_content paths. See "Examples" | |
86 | # above if you need more granular access control for custom mount points. | |
87 | path /puppet/v3/file | |
88 | allow * | |
89 | ||
90 | path /puppet/v3/status | |
91 | method find | |
92 | allow * | |
93 | ||
94 | # allow all nodes to access the certificates services | |
95 | path /puppet-ca/v1/certificate_revocation_list/ca | |
96 | method find | |
97 | allow * | |
98 | ||
99 | ### Unauthenticated ACLs, for clients without valid certificates; authenticated | |
100 | ### clients can also access these paths, though they rarely need to. | |
101 | ||
102 | # allow access to the CA certificate; unauthenticated nodes need this | |
103 | # in order to validate the puppet master's certificate | |
104 | path /puppet-ca/v1/certificate/ca | |
105 | auth any | |
106 | method find | |
107 | allow * | |
108 | ||
109 | # allow nodes to retrieve the certificate they requested earlier (this is a | |
109 | # prefix match, so any certificate under this path can be fetched) | |
110 | path /puppet-ca/v1/certificate/ | |
111 | auth any | |
112 | method find | |
113 | allow * | |
114 | ||
115 | # allow nodes to submit a new certificate request (save) and look it up afterwards (find) | |
116 | path /puppet-ca/v1/certificate_request | |
117 | auth any | |
118 | method find, save | |
119 | allow * | |
120 | ||
121 | # deny everything else; this ACL is not strictly necessary, since a request that | |
122 | # matches no earlier stanza is denied anyway, but it makes the default policy explicit. | |
123 | path / | |
124 | auth any |