author | Pieter van de Bruggen <pieter@puppetlabs.com> | 2011-05-04 16:44:48 -0700 |
---|---|---|
committer | Pieter van de Bruggen <pieter@puppetlabs.com> | 2011-05-04 16:44:48 -0700 |
commit | 5076c3794dcbfd708d9169d720b8fc5a41998a14 (patch) | |
tree | 84a9ae74e7a9334d9b407da2a412c81388b4fd20 | |
parent | d4df6cc2274e119fb2a67bca0912667b0fef7866 (diff) | |
(#7179) Modify default ACL for /node/<name>.
By default, it is useful to permit an individual node to query
information about itself, and there is no good reason to reject
this by default.
Paired-With: Nick Lewis
-rw-r--r-- | conf/auth.conf | 5 | ||||
-rw-r--r-- | lib/puppet/network/rest_authconfig.rb | 1 | ||||
-rwxr-xr-x | spec/unit/network/rest_authconfig_spec.rb | 13 |
3 files changed, 7 insertions, 12 deletions
diff --git a/conf/auth.conf b/conf/auth.conf
index 431e4b205..cb202a989 100644
--- a/conf/auth.conf
+++ b/conf/auth.conf
@@ -53,6 +53,11 @@ path ~ ^/catalog/([^/]+)$
 method find
 allow $1
+# allow nodes to retrieve their own node definition
+path ~ ^/node/([^/]+)$
+method find
+allow $1
+
 # allow all nodes to access the certificates services
 path /certificate_revocation_list/ca
 method find
diff --git a/lib/puppet/network/rest_authconfig.rb b/lib/puppet/network/rest_authconfig.rb
index cf76978fe..dfe8f85c4 100644
--- a/lib/puppet/network/rest_authconfig.rb
+++ b/lib/puppet/network/rest_authconfig.rb
@@ -8,6 +8,7 @@ module Puppet
 DEFAULT_ACL = [
 { :acl => "~ ^\/catalog\/([^\/]+)$", :method => :find, :allow => '$1', :authenticated => true },
+ { :acl => "~ ^\/node\/([^\/]+)$", :method => :find, :allow => '$1', :authenticated => true },
 # this one will allow all file access, and thus delegate
 # to fileserver.conf
 { :acl => "/file" },
diff --git a/spec/unit/network/rest_authconfig_spec.rb b/spec/unit/network/rest_authconfig_spec.rb
index 499a14b78..e1403997f 100755
--- a/spec/unit/network/rest_authconfig_spec.rb
+++ b/spec/unit/network/rest_authconfig_spec.rb
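Review bot: The new `path ~ ^/node/([^/]+)$` stanza anchors with `^` and `$`, and `[^/]+` also accepts a newline; if this pattern is compiled by Ruby's Regexp (the parser is not visible in this commit), those anchors bind to line boundaries rather than to the whole path. Because the capture decides which client name is allowed, the stricter form would be `path ~ \A/node/([^/]+)\z`, provided the auth.conf parser passes `\A` and `\z` through unchanged. The same pattern is added to `DEFAULT_ACL` in lib/puppet/network/rest_authconfig.rb and is already used by the `/catalog` rule, so all of them should be tightened together rather than only the new one.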
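Review bot: The new `/node` entry in `DEFAULT_ACL` has no comment, although `'$1'` is the only thing that limits each client to its own node and the entry right below it is commented. I would add above it `# allow nodes to retrieve their own node definition; '$1' is the name captured from the path`. Presumably that captured name is compared with the authenticated client name, which is why `:authenticated => true` has to stay on this entry; that is worth confirming against the rights code, which is outside this hunk. The array and the enclosing class continue past the hunk.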
@@ -5,18 +5,7 @@ require 'puppet/network/rest_authconfig'
 describe Puppet::Network::RestAuthConfig do
- DEFAULT_ACL = [
- { :acl => "~ ^\/catalog\/([^\/]+)$", :method => :find, :allow => '$1', :authenticated => true },
- # this one will allow all file access, and thus delegate
- # to fileserver.conf
- { :acl => "/file" },
- { :acl => "/certificate_revocation_list/ca", :method => :find, :authenticated => true },
- { :acl => "/report", :method => :save, :authenticated => true },
- { :acl => "/certificate/ca", :method => :find, :authenticated => false },
- { :acl => "/certificate/", :method => :find, :authenticated => false },
- { :acl => "/certificate_request", :method => [:find, :save], :authenticated => false },
- { :acl => "/status", :method => [:find], :authenticated => true },
- ]
+ DEFAULT_ACL = Puppet::Network::RestAuthConfig::DEFAULT_ACL
 before :each do
 FileTest.stubs(:exists?).returns(true) |
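Review bot: Aliasing `DEFAULT_ACL` to `Puppet::Network::RestAuthConfig::DEFAULT_ACL` leaves the spec with no independent statement of the expected default ACLs, so any example that iterates this constant (those examples are outside the hunk) would compare the production list with itself. An accidental edit that drops `:authenticated => true` or widens an `:allow` would then pass unnoticed. Since these defaults are an access-control policy, I would pin at least the new rule with a literal expectation such as `Puppet::Network::RestAuthConfig::DEFAULT_ACL.should include({ :acl => "~ ^\/node\/([^\/]+)$", :method => :find, :allow => '$1', :authenticated => true })`. The `describe` block continues past the end of the hunk.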