projects / perso / Immae / Projets / Puppet.git / blame
| Commit | Line | Data |
|---|---|---|
| c81a7f92 IB |
1 | # This is the default auth.conf file, which implements the default rules |
| 2 | # used by the puppet master. (That is, the rules below will still apply | |
| 3 | # even if this file is deleted.) | |
| 4 | # | |
| 5 | # The ACLs are evaluated in top-down order. More specific stanzas should | |
| 6 | # be towards the top of the file and more general ones at the bottom; | |
| 7 | # otherwise, the general rules may "steal" requests that should be | |
| 8 | # governed by the specific rules. | |
| 9 | # | |
| 10 | # See https://docs.puppetlabs.com/puppet/latest/reference/config_file_auth.html | |
| 11 | # for a more complete description of auth.conf's behavior. | |
| 12 | # | |
| 13 | # Supported syntax: | |
| 14 | # Each stanza in auth.conf starts with a path to match, followed | |
| 15 | # by optional modifiers, and finally, a series of allow or deny | |
| 16 | # directives. | |
| 17 | # | |
| 18 | # Example Stanza | |
| 19 | # --------------------------------- | |
| 20 | # path /path/to/resource # simple prefix match | |
| 21 | # # path ~ regex # alternately, regex match | |
| 22 | # [environment envlist] | |
| 23 | # [method methodlist] | |
| 24 | # [auth[enthicated] {yes|no|on|off|any}] | |
| 25 | # allow [host|backreference|*|regex] | |
| 26 | # deny [host|backreference|*|regex] | |
| 27 | # allow_ip [ip|cidr|ip_wildcard|*] | |
| 28 | # deny_ip [ip|cidr|ip_wildcard|*] | |
| 29 | # | |
| 30 | # The path match can either be a simple prefix match or a regular | |
| 31 | # expression. `path /file` would match both `/file_metadata` and | |
| 32 | # `/file_content`. Regex matches allow the use of backreferences | |
| 33 | # in the allow/deny directives. | |
| 34 | # | |
| 35 | # The regex syntax is the same as for Ruby regex, and captures backreferences | |
| 36 | # for use in the `allow` and `deny` lines of that stanza | |
| 37 | # | |
| 38 | # Examples: | |
| 39 | # | |
| 40 | # path ~ ^/puppet/v3/path/to/resource # Equivalent to `path /puppet/v3/path/to/resource`. | |
| 41 | # allow * # Allow all authenticated nodes (since auth | |
| 42 | # # defaults to `yes`). | |
| 43 | # | |
| 44 | # path ~ ^/puppet/v3/catalog/([^/]+)$ # Permit nodes to access their own catalog (by | |
| 45 | # allow $1 # certname), but not any other node's catalog. | |
| 46 | # | |
| 47 | # path ~ ^/puppet/v3/file_(metadata|content)/extra_files/ # Only allow certain nodes to | |
| 48 | # auth yes # access the "extra_files" | |
| 49 | # allow /^(.+)\.example\.com$/ # mount point; note this must | |
| 50 | # allow_ip 192.168.100.0/24 # go ABOVE the "/file" rule, | |
| 51 | # # since it is more specific. | |
| 52 | # | |
| 53 | # environment:: restrict an ACL to a comma-separated list of environments | |
| 54 | # method:: restrict an ACL to a comma-separated list of HTTP methods | |
| 55 | # auth:: restrict an ACL to an authenticated or unauthenticated request | |
| 56 | # the default when unspecified is to restrict the ACL to authenticated requests | |
| 57 | # (ie exactly as if auth yes was present). | |
| 58 | # | |
| 59 | ||
| 60 | ### Authenticated ACLs - these rules apply only when the client | |
| 61 | ### has a valid certificate and is thus authenticated | |
| 62 | ||
| 63 | path /puppet/v3/environments | |
| 64 | method find | |
| 65 | allow * | |
| 66 | ||
| 67 | # allow nodes to retrieve their own catalog | |
| 68 | path ~ ^/puppet/v3/catalog/([^/]+)$ | |
| 69 | method find | |
| 70 | allow $1 | |
| 71 | ||
| 72 | # allow nodes to retrieve their own node definition | |
| 73 | path ~ ^/puppet/v3/node/([^/]+)$ | |
| 74 | method find | |
| 75 | allow $1 | |
| 76 | ||
| 77 | # allow all nodes to store their own reports | |
| 78 | path ~ ^/puppet/v3/report/([^/]+)$ | |
| 79 | method save | |
| 80 | allow $1 | |
| 81 | ||
| 82 | # Allow all nodes to access all file services; this is necessary for | |
| 83 | # pluginsync, file serving from modules, and file serving from custom | |
| 84 | # mount points (see fileserver.conf). Note that the `/file` prefix matches | |
| 85 | # requests to both the file_metadata and file_content paths. See "Examples" | |
| 86 | # above if you need more granular access control for custom mount points. | |
| 87 | path /puppet/v3/file | |
| 88 | allow * | |
| 89 | ||
| 90 | path /puppet/v3/status | |
| 91 | method find | |
| 92 | allow * | |
| 93 | ||
| 94 | # allow all nodes to access the certificates services | |
| 95 | path /puppet-ca/v1/certificate_revocation_list/ca | |
| 96 | method find | |
| 97 | allow * | |
| 98 | ||
| 99 | ### Unauthenticated ACLs, for clients without valid certificates; authenticated | |
| 100 | ### clients can also access these paths, though they rarely need to. | |
| 101 | ||
| 102 | # allow access to the CA certificate; unauthenticated nodes need this | |
| 103 | # in order to validate the puppet master's certificate | |
| 104 | path /puppet-ca/v1/certificate/ca | |
| 105 | auth any | |
| 106 | method find | |
| 107 | allow * | |
| 108 | ||
| 109 | # allow nodes to retrieve the certificate they requested earlier | |
| 110 | path /puppet-ca/v1/certificate/ | |
| 111 | auth any | |
| 112 | method find | |
| 113 | allow * | |
| 114 | ||
| 115 | # allow nodes to request a new certificate | |
| 116 | path /puppet-ca/v1/certificate_request | |
| 117 | auth any | |
| 118 | method find, save | |
| 119 | allow * | |
| 120 | ||
| 121 | # deny everything else; this ACL is not strictly necessary, but | |
| 122 | # illustrates the default policy. | |
| 123 | path / | |
| 124 | auth any |