"message":"\n--- /etc/puppet/auth.conf\t2013-10-17 02:20:16.000000000 +0100\n+++ /tmp/puppet-file20131017-26365-3jmtyd\t2013-10-17 11:04:20.615490921 +0100\n@@ -1,19 +1,14 @@\n-# This is the default auth.conf file, which implements the default rules\n-# used by the puppet master. (That is, the rules below will still apply\n-# even if this file is deleted.)\n-#\n-# The ACLs are evaluated in top-down order. More specific stanzas should\n-# be towards the top of the file and more general ones at the bottom;\n-# otherwise, the general rules may \"steal\" requests that should be\n-# governed by the specific rules.\n+# This file implements the defaults used by the puppet master.\n #\n-# See http://docs.puppetlabs.com/guides/rest_auth_conf.html for a more complete\n-# description of auth.conf's behavior.\n+# The ACLs are evaluated in top-down order. More general\n+# stanzas should be towards the bottom of the file and more\n+# specific ones at the top, otherwise the general rules\n+# take precedence and later rules will not be evaluated.\n #\n # Supported syntax:\n-# Each stanza in auth.conf starts with a path to match, followed\n+# Each stanza in auth.conf starts with a path to mach, followed\n # by optional modifiers, and finally, a series of allow or deny\n-# directives.\n+# directives. \n #\n # Example Stanza\n # ---------------------------------\n@@ -22,33 +17,25 @@\n # [environment envlist]\n # [method methodlist]\n # [auth[enthicated] {yes|no|on|off|any}]\n-# allow [host|backreference|*|regex]\n-# deny [host|backreference|*|regex]\n+# allow [host|backreference|*]\n+# deny [host|backreference|*]\n # allow_ip [ip|cidr|ip_wildcard|*]\n # deny_ip [ip|cidr|ip_wildcard|*]\n #\n-# The path match can either be a simple prefix match or a regular\n+# The path match can either be a simple prefix match or a regular \n # expression. `path /file` would match both `/file_metadata` and\n # `/file_content`. 
Regex matches allow the use of backreferences\n # in the allow/deny directives.\n-#\n+# \n # The regex syntax is the same as for Ruby regex, and captures backreferences\n # for use in the `allow` and `deny` lines of that stanza\n #\n # Examples:\n+# path ~ ^/path/to/resource # equivalent to `path /path/to/resource`\n+# allow *\n #\n-# path ~ ^/path/to/resource # Equivalent to `path /path/to/resource`.\n-# allow * # Allow all authenticated nodes (since auth\n-# # defaults to `yes`).\n-#\n-# path ~ ^/catalog/([^/]+)$ # Permit nodes to access their own catalog (by\n-# allow $1 # certname), but not any other node's catalog.\n-#\n-# path ~ ^/file_(metadata|content)/extra_files/ # Only allow certain nodes to\n-# auth yes # access the \"extra_files\"\n-# allow /^(.+)\\.example\\.com$/ # mount point; note this must\n-# allow_ip 192.168.100.0/24 # go ABOVE the \"/file\" rule,\n-# # since it is more specific.\n+# path ~ ^/catalog/([^/]+)$ # permit access only for the\n+# allow $1 # node whose cert matches the path\n #\n # environment:: restrict an ACL to a comma-separated list of environments\n # method:: restrict an ACL to a comma-separated list of HTTP methods\n@@ -57,7 +44,7 @@\n # (ie exactly as if auth yes was present).\n #\n\n-### Authenticated ACLs - these rules apply only when the client\n+### Authenticated paths - these apply only when the client\n ### has a valid certificate and is thus authenticated\n\n # allow nodes to retrieve their own catalog\n@@ -75,42 +62,38 @@\n method find\n allow *\n\n-# allow all nodes to store their own reports\n-path ~ ^/report/([^/]+)$\n+# allow all nodes to store their reports\n+path /report\n method save\n-allow $1\n+allow *\n\n-# Allow all nodes to access all file services; this is necessary for\n-# pluginsync, file serving from modules, and file serving from custom\n-# mount points (see fileserver.conf). Note that the `/file` prefix matches\n-# requests to both the file_metadata and file_content paths. 
See \"Examples\"\n-# above if you need more granular access control for custom mount points.\n+# unconditionally allow access to all file services\n+# which means in practice that fileserver.conf will\n+# still be used\n path /file\n allow *\n\n-### Unauthenticated ACLs, for clients without valid certificates; authenticated\n-### clients can also access these paths, though they rarely need to.\n+### Unauthenticated ACL, for clients for which the current master doesn't\n+### have a valid certificate; we allow authenticated users, too, because\n+### there isn't a great harm in letting that request through.\n\n-# allow access to the CA certificate; unauthenticated nodes need this\n-# in order to validate the puppet master's certificate\n+# allow access to the master CA\n path /certificate/ca\n auth any\n method find\n allow *\n\n-# allow nodes to retrieve the certificate they requested earlier\n path /certificate/\n auth any\n method find\n allow *\n\n-# allow nodes to request a new certificate\n path /certificate_request\n auth any\n method find, save\n allow *\n\n-# deny everything else; this ACL is not strictly necessary, but\n-# illustrates the default policy.\n+# this one is not stricly necessary, but it has the merit\n+# of showing the default policy, which is deny everything else\n path /\n auth any\n"
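Review bot: In the hunk `@@ -1,19 +1,14 @@`, the replacement line `# Each stanza in auth.conf starts with a path to mach, followed` introduces a typo ("mach" for "match"), `# directives. ` gains trailing whitespace, and the pointer to http://docs.puppetlabs.com/guides/rest_auth_conf.html is dropped with nothing replacing it. Note the direction of this diff: `---` is the current /etc/puppet/auth.conf and `+++` is the content Puppet is about to write, so these regressions come from the file the module serves and should be fixed at that source rather than on the node.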
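Review bot: In the hunk `@@ -22,33 +17,25 @@`, the syntax summary drops `regex` from `allow [host|backreference|*|regex]` and `deny [host|backreference|*|regex]`, yet the same comment block still says regex path matches capture backreferences "for use in the `allow` and `deny` lines of that stanza", and the removed example (`allow /^(.+)\.example\.com$/` with `allow_ip 192.168.100.0/24` for `^/file_(metadata|content)/extra_files/`) was the only illustration of placing a more specific file-serving stanza above the general `/file` rule. If the master this file targets supports regex in `allow`, keep the `regex` token and the example; otherwise the backreference sentence should go as well. `# The path match can either be a simple prefix match or a regular ` also gains trailing whitespace.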
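Review bot: In the hunk `@@ -75,42 +62,38 @@`, replacing `path ~ ^/report/([^/]+)$` / `allow $1` with `path /report` / `allow *` removes the per-node restriction on report submission: the stanza no longer ties the allowed certname to the certname in the path, so any node with a valid certificate could save a report under another node's name. Keep the backreference form. The new `/file` comment ("unconditionally allow access to all file services which means in practice that fileserver.conf will still be used") is also vaguer than the text it replaces, which states that the `/file` prefix matches both file_metadata and file_content and refers to the examples for per-mount-point control; the comments explaining why unauthenticated clients need `/certificate/ca`, `/certificate/` and `/certificate_request` are dropped for no stated reason; and "stricly" should be "strictly". The final `path /` / `auth any` stanza is cut off at the end of the message, so its deny line cannot be reviewed here.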