ghoneycutt · May 6, 2014 14:49
diff --git a/auth.conf b/auth.conf
 # This is the default auth.conf file, which implements the default rules
 # used by the puppet master. (That is, the rules below will still apply
 # even if this file is deleted.)
 #
 # The ACLs are evaluated in top-down order. More specific stanzas should
 # be towards the top of the file and more general ones at the bottom;
 # otherwise, the general rules may "steal" requests that should be
 # governed by the specific rules.
 #
 # See http://docs.puppetlabs.com/guides/rest_auth_conf.html for a more complete
 # description of auth.conf's behavior.
 #
 # Supported syntax:
 # Each stanza in auth.conf starts with a path to match, followed
 # by optional modifiers, and finally, a series of allow or deny
 # directives.
 #
 # Example Stanza
 # ---------------------------------
 # path /path/to/resource     # simple prefix match
 # # path ~ regex             # alternately, regex match
 # [environment envlist]
 # [method methodlist]
 # [auth[enthicated] {yes|no|on|off|any}]
 # allow [host|backreference|*|regex]
 # deny [host|backreference|*|regex]
 # allow_ip [ip|cidr|ip_wildcard|*]
 # deny_ip [ip|cidr|ip_wildcard|*]
 #
 # The path match can either be a simple prefix match or a regular
 # expression. `path /file` would match both `/file_metadata` and
 # `/file_content`. Regex matches allow the use of backreferences
 # in the allow/deny directives.
 #
 # The regex syntax is the same as for Ruby regex, and captures backreferences
 # for use in the `allow` and `deny` lines of that stanza
 #
 # Examples:
 #
 # path ~ ^/path/to/resource    # Equivalent to `path /path/to/resource`.
 # allow *                      # Allow all authenticated nodes (since auth
 #                              # defaults to `yes`).
 #
 # path ~ ^/catalog/([^/]+)$    # Permit nodes to access their own catalog (by
 # allow $1                     # certname), but not any other node's catalog.
 #
 # path ~ ^/file_(metadata|content)/extra_files/  # Only allow certain nodes to
 # auth yes                                       # access the "extra_files"
 # allow /^(.+)\.example\.com$/                   # mount point; note this must
 # allow_ip 192.168.100.0/24                      # go ABOVE the "/file" rule,
 #                                                # since it is more specific.
 #
 # environment:: restrict an ACL to a comma-separated list of environments
 # method:: restrict an ACL to a comma-separated list of HTTP methods
 # auth:: restrict an ACL to an authenticated or unauthenticated request
 # the default when unspecified is to restrict the ACL to authenticated requests
 # (ie exactly as if auth yes was present).
 #

 ### Authenticated ACLs - these rules apply only when the client
 ### has a valid certificate and is thus authenticated

 # allow nodes to retrieve their own catalog
 path ~ ^/catalog/([^/]+)$
 method find
 allow $1

 # allow nodes to retrieve their own node definition
 path ~ ^/node/([^/]+)$
 method find
 allow $1

 # allow all nodes to access the certificates services
 path /certificate_revocation_list/ca
 method find
 allow *

 # allow all nodes to store their own reports
 path ~ ^/report/([^/]+)$
 method save
 allow $1

 # Allow all nodes to access all file services; this is necessary for
 # pluginsync, file serving from modules, and file serving from custom
 # mount points (see fileserver.conf). Note that the `/file` prefix matches
 # requests to both the file_metadata and file_content paths. See "Examples"
 # above if you need more granular access control for custom mount points.
 path /file
 allow *

 ### Unauthenticated ACLs, for clients without valid certificates; authenticated
 ### clients can also access these paths, though they rarely need to.

 # allow access to the CA certificate; unauthenticated nodes need this
 # in order to validate the puppet master's certificate
 path /certificate/ca
 auth any
 method find
 allow *

 # allow nodes to retrieve the certificate they requested earlier
 path /certificate/
 auth any
 method find
 allow *

 # allow nodes to request a new certificate
 path /certificate_request
 auth any
 method find, save
 allow *

 # Allows nodes to clean up certificates of any node. This is being triggered
 # by an install script which will remove the old certificate, since a new
 # one is generated with the new installation.
 path /certificate_status/
 auth any
 method find, save, destroy
 allow *

 path /v2.0/environments
 method find
 allow *

 # deny everything else; this ACL is not strictly necessary, but
 # illustrates the default policy.
 path /
 auth any
	# This is the default auth.conf file, which implements the default rules
	# used by the puppet master. (That is, the rules below will still apply
	# even if this file is deleted.)
	#
	# The ACLs are evaluated in top-down order. More specific stanzas should
	# be towards the top of the file and more general ones at the bottom;
	# otherwise, the general rules may "steal" requests that should be
	# governed by the specific rules.
	#
	# See http://docs.puppetlabs.com/guides/rest_auth_conf.html for a more complete
	# description of auth.conf's behavior.
	#
	# Supported syntax:
	# Each stanza in auth.conf starts with a path to match, followed
	# by optional modifiers, and finally, a series of allow or deny
	# directives.
	#
	# Example Stanza
	# ---------------------------------
	# path /path/to/resource # simple prefix match
	# # path ~ regex # alternately, regex match
	# [environment envlist]
	# [method methodlist]
	# [auth[enthicated] {yes\|no\|on\|off\|any}]
	# allow [host\|backreference\|*\|regex]
	# deny [host\|backreference\|*\|regex]
	# allow_ip [ip\|cidr\|ip_wildcard\|*]
	# deny_ip [ip\|cidr\|ip_wildcard\|*]
	#
	# The path match can either be a simple prefix match or a regular
	# expression. `path /file` would match both `/file_metadata` and
	# `/file_content`. Regex matches allow the use of backreferences
	# in the allow/deny directives.
	#
	# The regex syntax is the same as for Ruby regex, and captures backreferences
	# for use in the `allow` and `deny` lines of that stanza
	#
	# Examples:
	#
	# path ~ ^/path/to/resource # Equivalent to `path /path/to/resource`.
	# allow * # Allow all authenticated nodes (since auth
	# # defaults to `yes`).
	#
	# path ~ ^/catalog/([^/]+)$ # Permit nodes to access their own catalog (by
	# allow $1 # certname), but not any other node's catalog.
	#
	# path ~ ^/file_(metadata\|content)/extra_files/ # Only allow certain nodes to
	# auth yes # access the "extra_files"
	# allow /^(.+)\.example\.com$/ # mount point; note this must
	# allow_ip 192.168.100.0/24 # go ABOVE the "/file" rule,
	# # since it is more specific.
	#
	# environment:: restrict an ACL to a comma-separated list of environments
	# method:: restrict an ACL to a comma-separated list of HTTP methods
	# auth:: restrict an ACL to an authenticated or unauthenticated request
	# the default when unspecified is to restrict the ACL to authenticated requests
	# (ie exactly as if auth yes was present).
	#

	### Authenticated ACLs - these rules apply only when the client
	### has a valid certificate and is thus authenticated

	# allow nodes to retrieve their own catalog
	path ~ ^/catalog/([^/]+)$
	method find
	allow $1

	# allow nodes to retrieve their own node definition
	path ~ ^/node/([^/]+)$
	method find
	allow $1

	# allow all nodes to access the certificates services
	path /certificate_revocation_list/ca
	method find
	allow *

	# allow all nodes to store their own reports
	path ~ ^/report/([^/]+)$
	method save
	allow $1

	# Allow all nodes to access all file services; this is necessary for
	# pluginsync, file serving from modules, and file serving from custom
	# mount points (see fileserver.conf). Note that the `/file` prefix matches
	# requests to both the file_metadata and file_content paths. See "Examples"
	# above if you need more granular access control for custom mount points.
	path /file
	allow *

	### Unauthenticated ACLs, for clients without valid certificates; authenticated
	### clients can also access these paths, though they rarely need to.

	# allow access to the CA certificate; unauthenticated nodes need this
	# in order to validate the puppet master's certificate
	path /certificate/ca
	auth any
	method find
	allow *

	# allow nodes to retrieve the certificate they requested earlier
	path /certificate/
	auth any
	method find
	allow *

	# allow nodes to request a new certificate
	path /certificate_request
	auth any
	method find, save
	allow *

	# Allows nodes to clean up certificates of any node. This is being triggered
	# by an install script which will remove the old certificate, since a new
	# one is generated with the new installation.
	path /certificate_status/
	auth any
	method find, save, destroy
	allow *

	path /v2.0/environments
	method find
	allow *

	# deny everything else; this ACL is not strictly necessary, but
	# illustrates the default policy.
	path /
	auth any