| #/* |
| # * Licensed to the Apache Software Foundation (ASF) under one |
| # * or more contributor license agreements. See the NOTICE file |
| # * distributed with this work for additional information |
| # * regarding copyright ownership. The ASF licenses this file |
| # * to you under the Apache License, Version 2.0 (the |
| # * "License"); you may not use this file except in compliance |
| # * with the License. You may obtain a copy of the License at |
| # * |
| # * http://www.apache.org/licenses/LICENSE-2.0 |
| # * |
| # * Unless required by applicable law or agreed to in writing, software |
| # * distributed under the License is distributed on an "AS IS" BASIS, |
| # * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
| # * See the License for the specific language governing permissions and |
| # * limitations under the License. |
| # */ |
| |
| # This is an example auth.conf file; it mimics the puppetmasterd defaults. |
| # |
| # The ACLs are checked in order of appearance in this file, so more specific entries should come before broader ones. |
| # |
| # Supported syntax: |
| # This file supports two different syntaxes, depending on how |
| # you want to express the ACL. |
| # |
| # Path syntax (the one used below): |
| # --------------------------------- |
| # path /path/to/resource |
| # [environment envlist] |
| # [method methodlist] |
| # [auth[enticated] {yes|no|on|off|any}] |
| # allow [host|ip|*] |
| # deny [host|ip] |
| # |
| # The path is matched as a prefix, not as an exact string: "path /file" |
| # matches /file, /file_metadata and /file_content at the same time. |
| # |
| # Regex syntax: |
| # ------------- |
| # This one is differentiated from the path one by a '~' |
| # |
| # path ~ regex |
| # [environment envlist] |
| # [method methodlist] |
| # [auth[enticated] {yes|no|on|off|any}] |
| # allow [host|ip|*] |
| # deny [host|ip] |
| # |
| # The regex syntax is the same as Ruby's. |
| # |
| # Ex: |
| # path ~ \.pp$ |
| # will match every resource ending in .pp (manifest files for instance); |
| # note the backslash: an unescaped '.' matches any character, so ".pp$" |
| # would also match names ending in e.g. "app" or "xpp". |
| # |
| # path ~ ^/path/to/resource |
| # is essentially equivalent to path /path/to/resource |
| # |
| # environment:: restrict an ACL to a specific set of environments |
| # method:: restrict an ACL to a specific set of methods |
| # auth:: restrict an ACL to an authenticated or unauthenticated request |
| # the default when unspecified is to restrict the ACL to authenticated requests |
| # (i.e. exactly as if "auth yes" were present); use "auth any" to match both. |
| # |
| |
| ### Authenticated ACLs - these apply only when the client |
| ### has a valid certificate and is thus authenticated |
| |
| # Allow each node to retrieve its own catalog (i.e. its configuration). |
| # The capture group in the regex binds the catalog name in the URL to the |
| # requesting client: "allow $1" is satisfied only when the name in the path |
| # equals the identity of the authenticated client (its certificate name), |
| # so a node cannot fetch another node's catalog through this entry. |
| # Only "find" is permitted; the regex is anchored with ^ and $ so it does |
| # not match sub-paths under /catalog/<name>. |
| path ~ ^/catalog/([^/]+)$ |
| method find |
| allow $1 |
| |
| # Allow all authenticated nodes to fetch the CA's certificate revocation |
| # list. Read-only: only "find" is permitted, so no client can modify it |
| # through this entry. |
| path /certificate_revocation_list/ca |
| method find |
| allow * |
| |
| # Allow all authenticated nodes to store their reports. |
| # NOTE(review): this entry matches on the path prefix only and does not |
| # bind the report name to the sender the way the catalog entry above |
| # binds $1, so any authenticated node may "save" a report under any name. |
| # If report URLs have the shape /report/<nodename> (confirm against the |
| # master), a regex entry with "allow $1" would tie each report to its |
| # sender. |
| path /report |
| method save |
| allow * |
| |
| # Unconditionally allow authenticated nodes access to all file services, |
| # which in practice means that fileserver.conf will still be used to |
| # decide what each node may read. |
| # Because paths are matched as prefixes, this entry covers /file_metadata, |
| # /file_content and any other endpoint whose path begins with "/file". |
| # No "method" restriction is given, so every method is permitted at this |
| # layer; the per-mount ACLs in fileserver.conf are the effective control. |
| path /file |
| allow * |
| |
| ### Unauthenticated ACLs, for clients for which the current master doesn't |
| ### have a valid certificate |
| |
| # Allow any client, even one without a valid certificate, to fetch the |
| # master's CA certificate. Read-only ("find" only); this is required so |
| # that a new node can obtain the CA certificate before it has one of its |
| # own. |
| path /certificate/ca |
| auth no |
| method find |
| allow * |
| |
| # Allow any client, authenticated or not, to fetch any certificate the |
| # master holds, by name. Read-only ("find" only). Certificates carry only |
| # public material, but note that this prefix also covers /certificate/ca, |
| # so the more specific entry above is effectively a duplicate of this one. |
| path /certificate/ |
| auth no |
| method find |
| allow * |
| |
| # Allow any client, authenticated or not, to submit a certificate request |
| # ("save") and to look up an existing one ("find"). Accepting a request |
| # here does not sign it; whether and when it is signed is decided by the |
| # CA's signing policy, which is configured outside this file. Anyone who |
| # can reach the master can submit requests through this entry. |
| path /certificate_request |
| auth no |
| method find, save |
| allow * |
| |