# This is the default auth.conf file, which implements the default rules
# used by the puppet master. (That is, the rules below will still apply
# even if this file is deleted.)
#
# The ACLs are evaluated in top-down order and the first stanza whose path
# matches the request decides it. More specific stanzas should therefore be
# towards the top of the file and more general ones at the bottom;
# otherwise, the general rules may "steal" requests that should be
# governed by the specific rules.
#
# See https://docs.puppetlabs.com/puppet/latest/reference/config_file_auth.html
# for a more complete description of auth.conf's behavior.
#
# Supported syntax:
# Each stanza in auth.conf starts with a path to match, followed
# by optional modifiers, and finally, a series of allow or deny
# directives.
#
# Example Stanza
# ---------------------------------
#   path /path/to/resource                  # simple prefix match
#   # path ~ regex                          # alternately, regex match
#   [environment envlist]
#   [method methodlist]
#   [auth[enticated] {yes|no|on|off|any}]
#   allow [host|backreference|*|regex]
#   deny [host|backreference|*|regex]
#   allow_ip [ip|cidr|ip_wildcard|*]
#   deny_ip [ip|cidr|ip_wildcard|*]
#
# The path match can either be a simple prefix match or a regular
# expression. Because it is a prefix match, `path /file` would match both
# `/file_metadata` and `/file_content` (and anything else starting with
# `/file`). Regex matches allow the use of backreferences in the
# allow/deny directives.
#
# The regex syntax is the same as for Ruby regex, and captures backreferences
# for use in the `allow` and `deny` lines of that stanza.
#
# Examples:
#
#   path ~ ^/puppet/v3/path/to/resource     # Equivalent to `path /puppet/v3/path/to/resource`.
#   allow *                                 # Allow all authenticated nodes (since auth
#                                           # defaults to `yes`).
#
#   path ~ ^/puppet/v3/catalog/([^/]+)$     # Permit nodes to access their own catalog (by
#   allow $1                                # certname), but not any other node's catalog.
#
#   path ~ ^/puppet/v3/file_(metadata|content)/extra_files/  # Only allow certain nodes to
#   auth yes                                                 # access the "extra_files"
#   allow /^(.+)\.example\.com$/                             # mount point; note this must
#   allow_ip 192.168.100.0/24                                # go ABOVE the "/file" rule,
#                                                            # since it is more specific.
#
# environment:: restrict an ACL to a comma-separated list of environments
# method:: restrict an ACL to a comma-separated list of request methods, as
#          used in the stanzas below (e.g. `find`, `save`); these are the
#          indirector method names, not literal HTTP verbs
# auth:: restrict an ACL to an authenticated or unauthenticated request;
#        the default when unspecified is to restrict the ACL to authenticated
#        requests (i.e. exactly as if `auth yes` were present).
#

### Authenticated ACLs - these rules apply only when the client
### has a valid certificate and is thus authenticated. None of the
### stanzas in this section carries an `auth` modifier, so each one
### relies on the implicit `auth yes` default described above.

# Allow every authenticated node to query the environments endpoint.
# Only `find` is permitted; no `allow_ip` restriction applies, so any
# certificate holder can reach it from any address.
path /puppet/v3/environments
method find
allow *

# allow nodes to retrieve their own catalog.
# The regex captures exactly one trailing path segment (no `/`, anchored
# with `$`) and `allow $1` binds that capture to the requesting client's
# certname, so a node can only fetch the catalog named after its own
# certificate. ACL matching is first-match (see the header comment), so a
# request for some other node's catalog is refused by this stanza rather
# than falling through to a later, broader one.
path ~ ^/puppet/v3/catalog/([^/]+)$
method find
allow $1

# allow nodes to retrieve their own node definition.
# Same pattern as the catalog rule: the single captured segment must equal
# the client's certname, so node data for other hosts is not disclosed to
# an authenticated peer.
path ~ ^/puppet/v3/node/([^/]+)$
method find
allow $1

# allow all nodes to store their own reports.
# Only `save` is granted, and only under the node's own certname ($1), so
# a node can neither submit a report on behalf of another host nor read
# reports back through this endpoint (no stanza below grants `find` on
# /puppet/v3/report, and the final `path /` stanza denies it).
path ~ ^/puppet/v3/report/([^/]+)$
method save
allow $1

# Allow all nodes to access all file services; this is necessary for
# pluginsync, file serving from modules, and file serving from custom
# mount points (see fileserver.conf). Note that the `/file` prefix matches
# requests to both the file_metadata and file_content paths. See "Examples"
# above if you need more granular access control for custom mount points.
#
# NOTE(review): this stanza has no `method` modifier, so every method (not
# just `find`) is permitted, and the prefix match also covers any other
# endpoint whose path begins with /puppet/v3/file (e.g. a filebucket
# endpoint, if this master exposes one). Any authenticated node can thus
# read any file the master serves, including files intended for other
# nodes; per-mount restrictions must come from fileserver.conf or from a
# more specific stanza placed ABOVE this one.
path /puppet/v3/file
allow *

# Allow every authenticated node to query the master's status endpoint
# (`find` only).
path /puppet/v3/status
method find
allow *

# allow all nodes to access the certificate revocation list.
# No `auth` modifier is given, so this is an authenticated-only rule: a
# client must already hold a valid certificate to download the CRL. The
# unauthenticated bootstrap paths (CA certificate, CSR submission) are in
# the section below.
path /puppet-ca/v1/certificate_revocation_list/ca
method find
allow *

### Unauthenticated ACLs, for clients without valid certificates; authenticated
### clients can also access these paths, though they rarely need to.
### Every stanza here carries `auth any`, so it is reachable by anyone who
### can open a connection to the master.

# allow access to the CA certificate; unauthenticated nodes need this
# in order to validate the puppet master's certificate.
# `allow *` with no `allow_ip` means any network client can fetch it; the
# CA certificate is public data, so that is expected.
path /puppet-ca/v1/certificate/ca
auth any
method find
allow *

# allow nodes to retrieve the certificate they requested earlier.
# NOTE(review): this is a prefix match combined with `auth any` and
# `allow *`, so any client - with or without a certificate - can download
# any signed certificate by name, not only its own. Certificates contain
# only public material, but this lets an anonymous client confirm which
# certnames exist; if the master is reachable from untrusted networks,
# consider narrowing it with `allow_ip`.
path /puppet-ca/v1/certificate/
auth any
method find
allow *

# allow nodes to request a new certificate.
# NOTE(review): `auth any` + `allow *` + `method find, save` means anyone
# who can reach the master may submit (`save`) a certificate request for
# any certname and read (`find`) pending requests. A submitted request only
# becomes a usable identity once it is signed, so the master's signing
# policy (e.g. autosign settings, which live outside this file) is the
# real admission control here; keep automatic signing disabled or tightly
# scoped, and consider `allow_ip` to limit where requests may originate.
path /puppet-ca/v1/certificate_request
auth any
method find, save
allow *

# deny everything else; this ACL is not strictly necessary, but
# illustrates the default policy.
# There is no `allow` directive, so every request not matched by an
# earlier stanza is refused, for authenticated and unauthenticated
# clients alike (`auth any`). Because `path /` is a prefix that matches
# everything, this stanza must remain last: any stanza placed after it
# can never be reached.
path /
auth any