|
#
|
|
# Managed by Puppet
|
|
#
|
|
authorization: {
|
|
version: 1
|
|
allow-header-cert-info: false
|
|
rules: [
|
|
{
|
|
# Allow nodes to retrieve their own catalog
|
|
match-request: {
|
|
path: "^/puppet/v3/catalog/([^/]+)$"
|
|
type: regex
|
|
method: [get, post]
|
|
}
|
|
allow: ["$1"]
|
|
sort-order: 500
|
|
name: "puppetlabs v3 catalog from agents"
|
|
},
|
|
{
|
|
# Allow nodes to retrieve the certificate they requested earlier
|
|
match-request: {
|
|
path: "/puppet-ca/v1/certificate/"
|
|
type: path
|
|
method: get
|
|
}
|
|
allow-unauthenticated: true
|
|
sort-order: 500
|
|
name: "puppetlabs certificate"
|
|
},
|
|
{
|
|
# Allow all nodes to access the certificate revocation list
|
|
match-request: {
|
|
path: "/puppet-ca/v1/certificate_revocation_list/ca"
|
|
type: path
|
|
method: get
|
|
}
|
|
allow-unauthenticated: true
|
|
sort-order: 500
|
|
name: "puppetlabs crl"
|
|
},
|
|
{
|
|
# Allow nodes to request a new certificate
|
|
match-request: {
|
|
path: "/puppet-ca/v1/certificate_request"
|
|
type: path
|
|
method: [get, put]
|
|
}
|
|
allow-unauthenticated: true
|
|
sort-order: 500
|
|
name: "puppetlabs csr"
|
|
},
|
|
{
|
|
# Allow the CA CLI to access the certificate_status endpoint
|
|
match-request: {
|
|
path: "/puppet-ca/v1/certificate_status"
|
|
type: path
|
|
method: [get, put, delete]
|
|
}
|
|
allow: [
|
|
"localhost",
|
|
"<puppetca_fqdn>",
|
|
{
|
|
extensions: {
|
|
pp_cli_auth: "true"
|
|
}
|
|
}
|
|
]
|
|
sort-order: 500
|
|
name: "puppetlabs cert status"
|
|
},
|
|
{
|
|
# Allow the CA CLI to access the certificate_statuses endpoint
|
|
match-request: {
|
|
path: "/puppet-ca/v1/certificate_statuses"
|
|
type: path
|
|
method: get
|
|
}
|
|
allow: [
|
|
"localhost",
|
|
"<puppetca_fqdn>",
|
|
{
|
|
extensions: {
|
|
pp_cli_auth: "true"
|
|
}
|
|
}
|
|
]
|
|
sort-order: 500
|
|
name: "puppetlabs cert statuses"
|
|
},
|
|
{
|
|
# Allow unauthenticated access to the status service endpoint
|
|
match-request: {
|
|
path: "/status/v1/services"
|
|
type: path
|
|
method: get
|
|
}
|
|
allow-unauthenticated: true
|
|
sort-order: 500
|
|
name: "puppetlabs status service - full"
|
|
},
|
|
{
|
|
match-request: {
|
|
path: "/status/v1/simple"
|
|
type: path
|
|
method: get
|
|
}
|
|
allow-unauthenticated: true
|
|
sort-order: 500
|
|
name: "puppetlabs status service - simple"
|
|
},
|
|
{
|
|
match-request: {
|
|
path: "/puppet-admin-api/v1/environment-cache"
|
|
type: path
|
|
method: delete
|
|
}
|
|
allow: [
|
|
"localhost",
|
|
"<puppetca_fqdn>",
|
|
]
|
|
sort-order: 200
|
|
name: "environment-cache"
|
|
},
|
|
{
|
|
match-request: {
|
|
path: "/puppet-admin-api/v1/jruby-pool"
|
|
type: path
|
|
method: delete
|
|
}
|
|
allow: [
|
|
"localhost",
|
|
"<puppetca_fqdn>",
|
|
]
|
|
sort-order: 200
|
|
name: "jruby-pool"
|
|
},
|
|
{
|
|
match-request: {
|
|
path: "/puppet/v3/environments"
|
|
type: path
|
|
method: get
|
|
}
|
|
allow: "*"
|
|
sort-order: 500
|
|
name: "puppetlabs environments"
|
|
},
|
|
{
|
|
match-request: {
|
|
path: "/puppet/v3/environment_classes"
|
|
type: path
|
|
method: get
|
|
}
|
|
allow: "*"
|
|
sort-order: 500
|
|
name: "puppetlabs environment classes"
|
|
},
|
|
{
|
|
# Allow nodes to access all file_bucket_files. Note that access for
|
|
# the 'delete' method is forbidden by Puppet regardless of the
|
|
# configuration of this rule.
|
|
match-request: {
|
|
path: "/puppet/v3/file_bucket_file"
|
|
type: path
|
|
method: [get, head, post, put]
|
|
}
|
|
allow: "*"
|
|
sort-order: 500
|
|
name: "puppetlabs file bucket file"
|
|
},
|
|
{
|
|
# Allow nodes to access all file_content. Note that access for the
|
|
# 'delete' method is forbidden by Puppet regardless of the
|
|
# configuration of this rule.
|
|
match-request: {
|
|
path: "/puppet/v3/file_content"
|
|
type: path
|
|
method: [get, post]
|
|
}
|
|
allow: "*"
|
|
sort-order: 500
|
|
name: "puppetlabs file content"
|
|
},
|
|
{
|
|
# Allow nodes to access all file_metadata. Note that access for the
|
|
# 'delete' method is forbidden by Puppet regardless of the
|
|
# configuration of this rule.
|
|
match-request: {
|
|
path: "/puppet/v3/file_metadata"
|
|
type: path
|
|
method: [get, post]
|
|
}
|
|
allow: "*"
|
|
sort-order: 500
|
|
name: "puppetlabs file metadata"
|
|
},
|
|
{
|
|
# Allow nodes to retrieve only their own node definition
|
|
match-request: {
|
|
path: "^/puppet/v3/node/([^/]+)$"
|
|
type: regex
|
|
method: get
|
|
}
|
|
allow: "$1"
|
|
sort-order: 500
|
|
name: "puppetlabs node"
|
|
},
|
|
{
|
|
# Allow nodes to store only their own reports
|
|
match-request: {
|
|
path: "^/puppet/v3/report/([^/]+)$"
|
|
type: regex
|
|
method: put
|
|
}
|
|
allow: "$1"
|
|
sort-order: 500
|
|
name: "puppetlabs report"
|
|
},
|
|
{
|
|
# Allow nodes to update their own facts
|
|
match-request: {
|
|
path: "^/puppet/v3/facts/([^/]+)$"
|
|
type: regex
|
|
method: put
|
|
}
|
|
allow: "$1"
|
|
sort-order: 500
|
|
name: "puppetlabs facts"
|
|
},
|
|
{
|
|
match-request: {
|
|
path: "/puppet/v3/status"
|
|
type: path
|
|
method: get
|
|
}
|
|
allow-unauthenticated: true
|
|
sort-order: 500
|
|
name: "puppetlabs status"
|
|
},
|
|
{
|
|
match-request: {
|
|
path: "/puppet/v3/static_file_content"
|
|
type: path
|
|
method: get
|
|
}
|
|
allow: "*"
|
|
sort-order: 500
|
|
name: "puppetlabs static file content"
|
|
},
|
|
{
|
|
match-request: {
|
|
path: "/puppet/v3/tasks"
|
|
type: path
|
|
}
|
|
allow: "*"
|
|
sort-order: 500
|
|
name: "puppet tasks information"
|
|
},
|
|
{
|
|
# Allow all users access to the experimental endpoint
|
|
# which currently only provides a dashboard web ui.
|
|
match-request: {
|
|
path: "/puppet/experimental"
|
|
type: path
|
|
}
|
|
allow-unauthenticated: true
|
|
sort-order: 500
|
|
name: "puppetlabs experimental"
|
|
},
|
|
{
|
|
# Deny everything else. This ACL is not strictly
|
|
# necessary, but illustrates the default policy
|
|
match-request: {
|
|
path: "/"
|
|
type: path
|
|
}
|
|
deny: "*"
|
|
sort-order: 999
|
|
name: "puppetlabs deny all"
|
|
}
|
|
]
|
|
}
|
