Mercurial > repos > other > Puppet
comparison auth.conf @ 0:956e484adc12
Initial public release of Puppet configs
| author | IBBoard <dev@ibboard.co.uk> |
|---|---|
| date | Sat, 16 Aug 2014 19:47:38 +0000 |
| parents | |
| children |
comparison
equal
deleted
inserted
replaced
| -1:000000000000 | 0:956e484adc12 |
|---|---|
| 1 # This is an example auth.conf file, it mimics the puppetmasterd defaults | |
| 2 # | |
| 3 # The ACL are checked in order of appearance in this file. | |
| 4 # | |
| 5 # Supported syntax: | |
| 6 # This file supports two different syntax depending on how | |
| 7 # you want to express the ACL. | |
| 8 # | |
| 9 # Path syntax (the one used below): | |
| 10 # --------------------------------- | |
| 11 # path /path/to/resource | |
| 12 # [environment envlist] | |
| 13 # [method methodlist] | |
| 14 # [auth[enthicated] {yes|no|on|off|any}] | |
| 15 # allow [host|ip|*] | |
| 16 # deny [host|ip] | |
| 17 # | |
| 18 # The path is matched as a prefix. That is /file match at | |
| 19 # the same time /file_metadat and /file_content. | |
| 20 # | |
| 21 # Regex syntax: | |
| 22 # ------------- | |
| 23 # This one is differenciated from the path one by a '~' | |
| 24 # | |
| 25 # path ~ regex | |
| 26 # [environment envlist] | |
| 27 # [method methodlist] | |
| 28 # [auth[enthicated] {yes|no|on|off|any}] | |
| 29 # allow [host|ip|*] | |
| 30 # deny [host|ip] | |
| 31 # | |
| 32 # The regex syntax is the same as ruby ones. | |
| 33 # | |
| 34 # Ex: | |
| 35 # path ~ .pp$ | |
| 36 # will match every resource ending in .pp (manifests files for instance) | |
| 37 # | |
| 38 # path ~ ^/path/to/resource | |
| 39 # is essentially equivalent to path /path/to/resource | |
| 40 # | |
| 41 # environment:: restrict an ACL to a specific set of environments | |
| 42 # method:: restrict an ACL to a specific set of methods | |
| 43 # auth:: restrict an ACL to an authenticated or unauthenticated request | |
| 44 # the default when unspecified is to restrict the ACL to authenticated requests | |
| 45 # (ie exactly as if auth yes was present). | |
| 46 # | |
| 47 | |
| 48 ### Authenticated ACL - those applies only when the client | |
| 49 ### has a valid certificate and is thus authenticated | |
| 50 | |
| 51 # allow nodes to retrieve their own catalog (ie their configuration) | |
| 52 path ~ ^/catalog/([^/]+)$ | |
| 53 method find | |
| 54 allow $1 | |
| 55 | |
| 56 # allow nodes to retrieve their own node definition | |
| 57 path ~ ^/node/([^/]+)$ | |
| 58 method find | |
| 59 allow $1 | |
| 60 | |
| 61 # allow all nodes to access the certificates services | |
| 62 path /certificate_revocation_list/ca | |
| 63 method find | |
| 64 allow * | |
| 65 | |
| 66 # allow all nodes to store their own reports | |
| 67 path ~ ^/report/([^/]+)$ | |
| 68 method save | |
| 69 allow $1 | |
| 70 | |
| 71 # inconditionnally allow access to all files services | |
| 72 # which means in practice that fileserver.conf will | |
| 73 # still be used | |
| 74 path /file | |
| 75 allow * | |
| 76 | |
| 77 ### Unauthenticated ACL, for clients for which the current master doesn't | |
| 78 ### have a valid certificate; we allow authenticated users, too, because | |
| 79 ### there isn't a great harm in letting that request through. | |
| 80 | |
| 81 # allow access to the master CA | |
| 82 path /certificate/ca | |
| 83 auth any | |
| 84 method find | |
| 85 allow * | |
| 86 | |
| 87 path /certificate/ | |
| 88 auth any | |
| 89 method find | |
| 90 allow * | |
| 91 | |
| 92 path /certificate_request | |
| 93 auth any | |
| 94 method find, save | |
| 95 allow * | |
| 96 | |
| 97 # this one is not stricly necessary, but it has the merit | |
| 98 # to show the default policy which is deny everything else | |
| 99 path / | |
| 100 auth any |