jeffmccune · October 24, 2012 18:34
diff --git a/auth.conf b/auth.conf
 # This is an example auth.conf file, which implements the
 # defaults used by the puppet master.
 #
 # The ACLs are evaluated in top-down order. More general
 # stanzas should be towards the bottom of the file and more
 # specific ones at the top, otherwise the general rules
 # take precedence and later rules will not be evaluated.
 #
 # Supported syntax:
 # Each stanza in auth.conf starts with a path to mach, followed
 # by optional modifiers, and finally, a series of allow or deny
 # directives. 
 #
 # Example Stanza
 # ---------------------------------
 # path /path/to/resource     # simple prefix match
 # # path ~ regex             # alternately, regex match
 # [environment envlist]
 # [method methodlist]
 # [auth[enthicated] {yes|no|on|off|any}]
 # allow [host|backreference|*]
 # deny [host|backreference|*]
 # allow_ip [ip|cidr|ip_wildcard|*]
 # deny_ip [ip|cidr|ip_wildcard|*]
 #
 # The path match can either be a simple prefix match or a regular 
 # expression. `path /file` would match both `/file_metadata` and
 # `/file_content`. Regex matches allow the use of backreferences
 # in the allow/deny directives.
 # 
 # The regex syntax is the same as for Ruby regex, and captures backreferences
 # for use in the `allow` and `deny` lines of that stanza
 #
 # Examples:
 # path ~ ^/path/to/resource    # equivalent to `path /path/to/resource`
 # allow *
 #
 # path ~ ^/catalog/([^/]+)$    # permit access only for the
 # allow $1                     # node whose cert matches the path
 #
 # environment:: restrict an ACL to a comma-separated list of environments
 # method:: restrict an ACL to a comma-separated list of HTTP methods
 # auth:: restrict an ACL to an authenticated or unauthenticated request
 # the default when unspecified is to restrict the ACL to authenticated requests
 # (ie exactly as if auth yes was present).
 #

 ### Authenticated paths - these apply only when the client
 ### has a valid certificate and is thus authenticated

 # allow nodes to retrieve their own catalog
 path ~ ^/catalog/([^/]+)$
 method find
 allow $1

 # allow nodes to retrieve their own node definition
 path ~ ^/node/([^/]+)$
 method find
 allow $1

 # allow all nodes to access the certificates services
 path /certificate_revocation_list/ca
 method find
 allow *

 # allow all nodes to store their reports
 path /report
 method save
 allow *

 # unconditionally allow access to all file services
 # which means in practice that fileserver.conf will
 # still be used
 path /file
 allow *

 ### Unauthenticated ACL, for clients for which the current master doesn't
 ### have a valid certificate; we allow authenticated users, too, because
 ### there isn't a great harm in letting that request through.

 # allow access to the master CA
 path /certificate/ca
 auth any
 method find
 allow *

 path /certificate/
 auth any
 method find
 allow *

 path /certificate_request
 auth any
 method find, save
 allow *

 # this one is not stricly necessary, but it has the merit
 # of showing the default policy, which is deny everything else
 path /
 auth any
diff --git a/auth.conf.patch b/auth.conf.patch
 diff --git a/auth.conf b/auth.conf
 index 56a87ca..6443af5 100644
 --- a/auth.conf
 +++ b/auth.conf
 @@ -65,12 +65,25 @@ allow *
 
 # allow all nodes to store their reports
 path /report
 method save
 allow *
 
 +# JJM Lock down the "files" fileserver mount exported from filserver.conf
 +# Remember, this file is parsed top to bottom and the first match "wins" so
 +# more specific rules need to be above more generalized rules.
 +# The following two rules mean the agent must posses a signed certificate and
 +# must be connecting from the 192.168.0.0/16 subnet.
 +path /file_metadata/files
 +auth yes
 +allow_ip 192.168.0.0/16
 +
 +path /file_content/files
 +auth yes
 +allow_ip 192.168.0.0/16
 +
 # unconditionally allow access to all file services
 # which means in practice that fileserver.conf will
 # still be used
 path /file
 allow *
	# This is an example auth.conf file, which implements the
	# defaults used by the puppet master.
	#
	# The ACLs are evaluated in top-down order. More general
	# stanzas should be towards the bottom of the file and more
	# specific ones at the top, otherwise the general rules
	# take precedence and later rules will not be evaluated.
	#
	# Supported syntax:
	# Each stanza in auth.conf starts with a path to mach, followed
	# by optional modifiers, and finally, a series of allow or deny
	# directives.
	#
	# Example Stanza
	# ---------------------------------
	# path /path/to/resource # simple prefix match
	# # path ~ regex # alternately, regex match
	# [environment envlist]
	# [method methodlist]
	# [auth[enthicated] {yes\|no\|on\|off\|any}]
	# allow [host\|backreference\|*]
	# deny [host\|backreference\|*]
	# allow_ip [ip\|cidr\|ip_wildcard\|*]
	# deny_ip [ip\|cidr\|ip_wildcard\|*]
	#
	# The path match can either be a simple prefix match or a regular
	# expression. `path /file` would match both `/file_metadata` and
	# `/file_content`. Regex matches allow the use of backreferences
	# in the allow/deny directives.
	#
	# The regex syntax is the same as for Ruby regex, and captures backreferences
	# for use in the `allow` and `deny` lines of that stanza
	#
	# Examples:
	# path ~ ^/path/to/resource # equivalent to `path /path/to/resource`
	# allow *
	#
	# path ~ ^/catalog/([^/]+)$ # permit access only for the
	# allow $1 # node whose cert matches the path
	#
	# environment:: restrict an ACL to a comma-separated list of environments
	# method:: restrict an ACL to a comma-separated list of HTTP methods
	# auth:: restrict an ACL to an authenticated or unauthenticated request
	# the default when unspecified is to restrict the ACL to authenticated requests
	# (ie exactly as if auth yes was present).
	#

	### Authenticated paths - these apply only when the client
	### has a valid certificate and is thus authenticated

	# allow nodes to retrieve their own catalog
	path ~ ^/catalog/([^/]+)$
	method find
	allow $1

	# allow nodes to retrieve their own node definition
	path ~ ^/node/([^/]+)$
	method find
	allow $1

	# allow all nodes to access the certificates services
	path /certificate_revocation_list/ca
	method find
	allow *

	# allow all nodes to store their reports
	path /report
	method save
	allow *

	# unconditionally allow access to all file services
	# which means in practice that fileserver.conf will
	# still be used
	path /file
	allow *

	### Unauthenticated ACL, for clients for which the current master doesn't
	### have a valid certificate; we allow authenticated users, too, because
	### there isn't a great harm in letting that request through.

	# allow access to the master CA
	path /certificate/ca
	auth any
	method find
	allow *

	path /certificate/
	auth any
	method find
	allow *

	path /certificate_request
	auth any
	method find, save
	allow *

	# this one is not stricly necessary, but it has the merit
	# of showing the default policy, which is deny everything else
	path /
	auth any
	diff --git a/auth.conf b/auth.conf
	index 56a87ca..6443af5 100644
	--- a/auth.conf
	+++ b/auth.conf
	@@ -65,12 +65,25 @@ allow *

	# allow all nodes to store their reports
	path /report
	method save
	allow *

	+# JJM Lock down the "files" fileserver mount exported from filserver.conf
	+# Remember, this file is parsed top to bottom and the first match "wins" so
	+# more specific rules need to be above more generalized rules.
	+# The following two rules mean the agent must posses a signed certificate and
	+# must be connecting from the 192.168.0.0/16 subnet.
	+path /file_metadata/files
	+auth yes
	+allow_ip 192.168.0.0/16
	+
	+path /file_content/files
	+auth yes
	+allow_ip 192.168.0.0/16
	+
	# unconditionally allow access to all file services
	# which means in practice that fileserver.conf will
	# still be used
	path /file
	allow *