diff options
author | Thomas Wiest <twiest@gmail.com> | 2014-10-23 15:35:16 -0400 |
---|---|---|
committer | Thomas Wiest <twiest@gmail.com> | 2014-10-23 15:35:16 -0400 |
commit | cde5cba28b7b0e9386f1c549ecf9141bbcadc64e (patch) | |
tree | 22a39c5589aa3f6a2a01f185041258e4fd69dea6 /roles/atomic_proxy/files/puppet/auth.conf | |
parent | 1057c69acdaf47e2bcd4b395069e3bc1bd9eec88 (diff) | |
parent | 5f9c7eb2d2ad44776d33197857dcd0afe693b5f5 (diff) | |
download | openshift-cde5cba28b7b0e9386f1c549ecf9141bbcadc64e.tar.gz openshift-cde5cba28b7b0e9386f1c549ecf9141bbcadc64e.tar.bz2 openshift-cde5cba28b7b0e9386f1c549ecf9141bbcadc64e.tar.xz openshift-cde5cba28b7b0e9386f1c549ecf9141bbcadc64e.zip |
Merge pull request #11 from twiest/pull
Added atomic aws host to cloud.rb
Diffstat (limited to 'roles/atomic_proxy/files/puppet/auth.conf')
-rw-r--r-- | roles/atomic_proxy/files/puppet/auth.conf | 116 |
1 files changed, 116 insertions, 0 deletions
diff --git a/roles/atomic_proxy/files/puppet/auth.conf b/roles/atomic_proxy/files/puppet/auth.conf new file mode 100644 index 000000000..b31906bae --- /dev/null +++ b/roles/atomic_proxy/files/puppet/auth.conf @@ -0,0 +1,116 @@ +# This is the default auth.conf file, which implements the default rules +# used by the puppet master. (That is, the rules below will still apply +# even if this file is deleted.) +# +# The ACLs are evaluated in top-down order. More specific stanzas should +# be towards the top of the file and more general ones at the bottom; +# otherwise, the general rules may "steal" requests that should be +# governed by the specific rules. +# +# See http://docs.puppetlabs.com/guides/rest_auth_conf.html for a more complete +# description of auth.conf's behavior. +# +# Supported syntax: +# Each stanza in auth.conf starts with a path to match, followed +# by optional modifiers, and finally, a series of allow or deny +# directives. +# +# Example Stanza +# --------------------------------- +# path /path/to/resource # simple prefix match +# # path ~ regex # alternately, regex match +# [environment envlist] +# [method methodlist] +# [auth[enthicated] {yes|no|on|off|any}] +# allow [host|backreference|*|regex] +# deny [host|backreference|*|regex] +# allow_ip [ip|cidr|ip_wildcard|*] +# deny_ip [ip|cidr|ip_wildcard|*] +# +# The path match can either be a simple prefix match or a regular +# expression. `path /file` would match both `/file_metadata` and +# `/file_content`. Regex matches allow the use of backreferences +# in the allow/deny directives. +# +# The regex syntax is the same as for Ruby regex, and captures backreferences +# for use in the `allow` and `deny` lines of that stanza +# +# Examples: +# +# path ~ ^/path/to/resource # Equivalent to `path /path/to/resource`. +# allow * # Allow all authenticated nodes (since auth +# # defaults to `yes`). +# +# path ~ ^/catalog/([^/]+)$ # Permit nodes to access their own catalog (by +# allow $1 # certname), but not any other node's catalog. +# +# path ~ ^/file_(metadata|content)/extra_files/ # Only allow certain nodes to +# auth yes # access the "extra_files" +# allow /^(.+)\.example\.com$/ # mount point; note this must +# allow_ip 192.168.100.0/24 # go ABOVE the "/file" rule, +# # since it is more specific. +# +# environment:: restrict an ACL to a comma-separated list of environments +# method:: restrict an ACL to a comma-separated list of HTTP methods +# auth:: restrict an ACL to an authenticated or unauthenticated request +# the default when unspecified is to restrict the ACL to authenticated requests +# (ie exactly as if auth yes was present). +# + +### Authenticated ACLs - these rules apply only when the client +### has a valid certificate and is thus authenticated + +# allow nodes to retrieve their own catalog +path ~ ^/catalog/([^/]+)$ +method find +allow $1 + +# allow nodes to retrieve their own node definition +path ~ ^/node/([^/]+)$ +method find +allow $1 + +# allow all nodes to access the certificates services +path /certificate_revocation_list/ca +method find +allow * + +# allow all nodes to store their own reports +path ~ ^/report/([^/]+)$ +method save +allow $1 + +# Allow all nodes to access all file services; this is necessary for +# pluginsync, file serving from modules, and file serving from custom +# mount points (see fileserver.conf). Note that the `/file` prefix matches +# requests to both the file_metadata and file_content paths. See "Examples" +# above if you need more granular access control for custom mount points. +path /file +allow * + +### Unauthenticated ACLs, for clients without valid certificates; authenticated +### clients can also access these paths, though they rarely need to. + +# allow access to the CA certificate; unauthenticated nodes need this +# in order to validate the puppet master's certificate +path /certificate/ca +auth any +method find +allow * + +# allow nodes to retrieve the certificate they requested earlier +path /certificate/ +auth any +method find +allow * + +# allow nodes to request a new certificate +path /certificate_request +auth any +method find, save +allow * + +# deny everything else; this ACL is not strictly necessary, but +# illustrates the default policy. +path / +auth any |