author | Brice Figureau <brice-puppet@daysofwonder.com> | 2009-04-19 17:44:55 +0200 |
---|---|---|
committer | Brice Figureau <brice-puppet@daysofwonder.com> | 2009-04-23 20:52:04 +0200 |
commit | e623f8a32a7363d98843fdb361c717b6198d32de (patch) | |
tree | 76407989542ff83ab0238d144ade8975c60e373b /conf | |
parent | 037a4acfb6c9b498424e278caac88687e3f4cfa1 (diff) | |
Unify auth/unauthenticated request authorization system
Before this change, unauthenticated REST requests were unconditionally
allowed, as long as they were to the certificate terminus.
This could be a security hole, so now the REST requests, authenticated
or unauthenticated, are all submitted to the REST authorization
layer.
The default authorizations now contain directives to allow unauthenticated
requests to the various certificate terminus to allow new hosts.
The conf/auth.conf file has been modified to match such defaults.
Signed-off-by: Brice Figureau <brice-puppet@daysofwonder.com>
Diffstat (limited to 'conf')
-rw-r--r-- | conf/auth.conf | 42 |
1 files changed, 34 insertions, 8 deletions
diff --git a/conf/auth.conf b/conf/auth.conf index 784acc980..60d99f272 100644 --- a/conf/auth.conf +++ b/conf/auth.conf @@ -11,6 +11,7 @@ # path /path/to/resource # [environment envlist] # [method methodlist] +# [auth[enthicated] {yes|no|on|off|any}] # allow [host|ip|*] # deny [host|ip] # @@ -24,6 +25,7 @@ # path ~ regex # [environment envlist] # [method methodlist] +# [auth[enthicated] {yes|no|on|off|any}] # allow [host|ip|*] # deny [host|ip] # @@ -36,19 +38,23 @@ # path ~ ^/path/to/resource # is essentially equivalent to path /path/to/resource # +# environment:: restrict an ACL to a specific set of environments +# method:: restrict an ACL to a specific set of methods +# auth:: restrict an ACL to an authenticated or unauthenticated request +# the default when unspecified is to restrict the ACL to authenticated requests +# (ie exactly as if auth yes was present). +# -# allow nodes to drop and find their facts -path /facts -method save,find -allow * +### Authenticated ACL - those applies only when the client +### has a valid certificate and is thus authenticated -# allow all nodes to get their catalogs (ie their configuration) -path /catalog +# allow nodes to retrieve their own catalog (ie their configuration) +path ~ ^/catalog/([^/]+)$ method find -allow * +allow $1 # allow all nodes to access the certificates services -path /certificate +path /certificate_revocation_list/ca method find allow * @@ -63,6 +69,26 @@ allow * path /file allow * +### Unauthenticated ACL, for clients for which the current master doesn't +### have a valid certificate + +# allow access to the master CA +path /certificate/ca +auth no +method find +allow * + +path /certificate/ +auth no +method find +allow * + +path /certificate_request +auth no +method find, save +allow * + # this one is not stricly necessary, but it has the merit # to show the default policy which is deny everything else path / +auth any |
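Review bot: the keyword documented in the first two hunks is misspelled: `# [auth[enthicated] {yes|no|on|off|any}]` should read `auth[enticated]`, since the long form of the directive is `authenticated`; an administrator copying the documented spelling would get a directive the parser does not recognise. Both occurrences (the literal-path block at line 11 and the regex-path block at line 25) need the same fix.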
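Review bot: in the `@@ -36,19 +38,23 @@` hunk the `path /facts` / `method save,find` / `allow *` rule is removed outright, but the commit message says nothing about facts; if any client still reaches the facts terminus over REST it now falls through to the final `path /` deny, so either state in the message why the rule is no longer needed or keep it. Two smaller points in the same hunk: the retained comment `# allow all nodes to access the certificates services` now sits above `path /certificate_revocation_list/ca` and no longer describes what it allows (it is the CRL, not the certificate services), and `### Authenticated ACL - those applies only when the client` should read `these apply`. The switch to `path ~ ^/catalog/([^/]+)$` with `allow $1` is the right direction, as each node can now only retrieve the catalog whose key matches its own certname instead of any catalog under `allow *`.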
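Review bot: in the `@@ -63,6 +69,26 @@` hunk the `path /certificate/ca` block is fully subsumed by the `path /certificate/` block that follows it (same `auth no`, same `method find`, same `allow *`), so it is redundant; drop it, or keep it only if the intent is to document the CA certificate case explicitly. In the `path /certificate_request` block the method list is written `method find, save` with a space after the comma, whereas the rest of the file uses the `save,find` form; please confirm the directive parser tolerates the whitespace or normalise it to `find,save`. The unauthenticated `allow *` on `/certificate_request` with `save` is the expected exposure for bootstrapping new hosts, and its real risk is governed by the master's autosign policy rather than by this file, so that is fine as written. Finally, `auth any` on the trailing `path /` correctly makes the catch-all apply to both kinds of request; the deny-by-default it implements still depends on that block having no `allow` line, which the comment above it should keep stating.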