| # Licensed to the Apache Software Foundation (ASF) under one |
| # or more contributor license agreements. See the NOTICE file |
| # distributed with this work for additional information |
| # regarding copyright ownership. The ASF licenses this file |
| # to you under the Apache License, Version 2.0 (the |
| # "License"); you may not use this file except in compliance |
| # with the License. You may obtain a copy of the License at |
| # |
| # http://www.apache.org/licenses/LICENSE-2.0 |
| # |
| # Unless required by applicable law or agreed to in writing, |
| # software distributed under the License is distributed on an |
| # "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY |
| # KIND, either express or implied. See the License for the |
| # specific language governing permissions and limitations |
| # under the License. |
| |
| # This is the default auth.conf file, which implements the default rules |
| # used by the puppet master. (That is, the rules below will still apply |
| # even if this file is deleted.) |
| # |
| # The ACLs are evaluated in top-down order. More specific stanzas should |
| # be towards the top of the file and more general ones at the bottom; |
| # otherwise, the general rules may "steal" requests that should be |
| # governed by the specific rules. |
| # |
| # See http://docs.puppetlabs.com/guides/rest_auth_conf.html for a more complete |
| # description of auth.conf's behavior. |
| # |
| # Supported syntax: |
| # Each stanza in auth.conf starts with a path to match, followed |
| # by optional modifiers, and finally, a series of allow or deny |
| # directives. |
| # |
| # Example Stanza |
| # --------------------------------- |
| # path /path/to/resource # simple prefix match |
| # # path ~ regex # alternately, regex match |
| # [environment envlist] |
| # [method methodlist] |
| # [auth[enthicated] {yes|no|on|off|any}] |
| # allow [host|backreference|*|regex] |
| # deny [host|backreference|*|regex] |
| # allow_ip [ip|cidr|ip_wildcard|*] |
| # deny_ip [ip|cidr|ip_wildcard|*] |
| # |
| # The path match can either be a simple prefix match or a regular |
| # expression. `path /file` would match both `/file_metadata` and |
| # `/file_content`. Regex matches allow the use of backreferences |
| # in the allow/deny directives. |
| # |
| # The regex syntax is the same as for Ruby regex, and captures backreferences |
| # for use in the `allow` and `deny` lines of that stanza |
| # |
| # Examples: |
| # |
| # path ~ ^/path/to/resource # Equivalent to `path /path/to/resource`. |
| # allow * # Allow all authenticated nodes (since auth |
| # # defaults to `yes`). |
| # |
| # path ~ ^/catalog/([^/]+)$ # Permit nodes to access their own catalog (by |
| # allow $1 # certname), but not any other node's catalog. |
| # |
| # path ~ ^/file_(metadata|content)/extra_files/ # Only allow certain nodes to |
| # auth yes # access the "extra_files" |
| # allow /^(.+)\.example\.com$/ # mount point; note this must |
| # allow_ip 192.168.100.0/24 # go ABOVE the "/file" rule, |
| # # since it is more specific. |
| # |
| # environment:: restrict an ACL to a comma-separated list of environments |
| # method:: restrict an ACL to a comma-separated list of HTTP methods |
| # auth:: restrict an ACL to an authenticated or unauthenticated request |
| # the default when unspecified is to restrict the ACL to authenticated requests |
| # (ie exactly as if auth yes was present). |
| # |
| |
| ### Authenticated ACLs - these rules apply only when the client |
| ### has a valid certificate and is thus authenticated |
| |
| # allow nodes to retrieve their own catalog |
| path ~ ^/catalog/([^/]+)$ |
| method find |
| allow $1 |
| |
| # allow nodes to retrieve their own node definition |
| path ~ ^/node/([^/]+)$ |
| method find |
| allow $1 |
| |
| # allow all nodes to access the certificates services |
| path /certificate_revocation_list/ca |
| method find |
| allow * |
| |
| # allow all nodes to store their own reports |
| path ~ ^/report/([^/]+)$ |
| method save |
| allow $1 |
| |
| # Allow all nodes to access all file services; this is necessary for |
| # pluginsync, file serving from modules, and file serving from custom |
| # mount points (see fileserver.conf). Note that the `/file` prefix matches |
| # requests to both the file_metadata and file_content paths. See "Examples" |
| # above if you need more granular access control for custom mount points. |
| path /file |
| allow * |
| |
| ### Unauthenticated ACLs, for clients without valid certificates; authenticated |
| ### clients can also access these paths, though they rarely need to. |
| |
| # allow access to the CA certificate; unauthenticated nodes need this |
| # in order to validate the puppet master's certificate |
| path /certificate/ca |
| auth any |
| method find |
| allow * |
| |
| # allow nodes to retrieve the certificate they requested earlier |
| path /certificate/ |
| auth any |
| method find |
| allow * |
| |
| # allow nodes to request a new certificate |
| path /certificate_request |
| auth any |
| method find, save |
| allow * |
| |
| # deny everything else; this ACL is not strictly necessary, but |
| # illustrates the default policy. |
| path / |
| auth any |