@jeffmccune
Created October 24, 2012 18:34
Puppet fileserver.conf auth_ip workaround
# This is an example auth.conf file, which implements the
# defaults used by the puppet master.
#
# The ACLs are evaluated in top-down order. More general
# stanzas should be towards the bottom of the file and more
# specific ones at the top, otherwise the general rules
# take precedence and later rules will not be evaluated.
#
# Supported syntax:
# Each stanza in auth.conf starts with a path to match, followed
# by optional modifiers, and finally, a series of allow or deny
# directives.
#
# Example Stanza
# ---------------------------------
# path /path/to/resource # simple prefix match
# # path ~ regex # alternately, regex match
# [environment envlist]
# [method methodlist]
# [auth[enticated] {yes|no|on|off|any}]
# allow [host|backreference|*]
# deny [host|backreference|*]
# allow_ip [ip|cidr|ip_wildcard|*]
# deny_ip [ip|cidr|ip_wildcard|*]
#
# The path match can either be a simple prefix match or a regular
# expression. `path /file` would match both `/file_metadata` and
# `/file_content`. Regex matches allow the use of backreferences
# in the allow/deny directives.
#
# The regex syntax is the same as for Ruby regex, and captures backreferences
# for use in the `allow` and `deny` lines of that stanza.
#
# Examples:
# path ~ ^/path/to/resource # equivalent to `path /path/to/resource`
# allow *
#
# path ~ ^/catalog/([^/]+)$ # permit access only for the
# allow $1 # node whose cert matches the path
#
# environment:: restrict an ACL to a comma-separated list of environments
# method:: restrict an ACL to a comma-separated list of HTTP methods
# auth:: restrict an ACL to an authenticated or unauthenticated request
# the default when unspecified is to restrict the ACL to authenticated requests
# (i.e. exactly as if `auth yes` were present).
#
### Authenticated paths - these apply only when the client
### has a valid certificate and is thus authenticated
# allow nodes to retrieve their own catalog
path ~ ^/catalog/([^/]+)$
method find
allow $1
# allow nodes to retrieve their own node definition
path ~ ^/node/([^/]+)$
method find
allow $1
# allow all nodes to access the certificates services
path /certificate_revocation_list/ca
method find
allow *
# allow all nodes to store their reports
path /report
method save
allow *
# unconditionally allow access to all file services
# which means in practice that fileserver.conf will
# still be used
path /file
allow *
### Unauthenticated ACL, for clients for which the current master doesn't
### have a valid certificate; we allow authenticated users, too, because
### there isn't a great harm in letting that request through.
# allow access to the master CA
path /certificate/ca
auth any
method find
allow *
path /certificate/
auth any
method find
allow *
path /certificate_request
auth any
method find, save
allow *
# this one is not strictly necessary, but it has the merit
# of showing the default policy, which is deny everything else
path /
auth any
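Before shipping an ACL like the one this gist works out, it is worth checking that stanza order, prefix matching and `allow_ip` give the intended answers for a handful of requests. The following Python model of the evaluation rules described in the header comments is an added example, not Puppet's own code or the gist author's; its auth.conf text, node names and addresses are constructed, and it assumes that a stanza whose path matches but whose `method`/`auth` qualifier does not apply is skipped rather than treated as a deny.

```python
import ipaddress, re
# Constructed auth.conf in the gist's style (not Puppet's own code); lock-downs precede "path /file".
AUTH_CONF = """
path ~ ^/catalog/([^/]+)$
method find
allow $1
path /file_metadata/files
allow_ip 192.168.0.0/16
path /file_content/files
allow_ip 192.168.0.0/16
path /file
allow *
path /
auth any
"""

def parse(text):
    """Each stanza starts at a 'path' line; auth defaults to yes."""
    stanzas = []
    for line in text.splitlines():
        key, _, val = line.split("#", 1)[0].strip().partition(" ")
        if key == "path":
            stanzas.append({"path": val, "method": None, "auth": "yes", "rules": []})
        elif key in ("method", "auth"):
            stanzas[-1][key] = val
        elif key in ("allow", "deny", "allow_ip", "deny_ip"):
            stanzas[-1]["rules"].append((key, val))
    return stanzas

def allowed(stanzas, path, method, authenticated, node, ip):
    """Top-down: the first stanza whose path, method and auth all apply decides."""
    for s in stanzas:
        regex = s["path"].startswith("~ ")  # 'path ~ re' is a regex, else a prefix match
        m = re.match(s["path"][2:], path) if regex else None
        if not (m if regex else path.startswith(s["path"])):
            continue
        if (s["method"] and method not in s["method"].replace(" ", "").split(",")) or \
           (s["auth"] != "any" and (s["auth"] in ("yes", "on")) != authenticated):
            continue  # assumption: a path match whose qualifiers do not apply is skipped
        for kind, arg in s["rules"]:
            for i, g in enumerate(m.groups() if m else (), 1):
                arg = arg.replace(f"${i}", g)  # expand regex backreferences
            if kind.endswith("_ip"):
                hit = arg == "*" or ipaddress.ip_address(ip) in ipaddress.ip_network(arg)
            else:
                hit = arg in ("*", node)
            if hit:
                return kind.startswith("allow")
        return False  # stanza applied but no directive hit: deny
    return False  # nothing applied: default deny
```

Running `allowed(parse(AUTH_CONF), "/file_metadata/files_private/x", "find", True, "web01", "10.0.0.5")` returns False: because `path /file_metadata/files` is a prefix match, any mount whose name starts with `files` falls under the same lock-down.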
diff --git a/auth.conf b/auth.conf
index 56a87ca..6443af5 100644
--- a/auth.conf
+++ b/auth.conf
@@ -65,12 +65,25 @@ allow *
# allow all nodes to store their reports
path /report
method save
allow *
+# JJM Lock down the "files" fileserver mount exported from filserver.conf
+# Remember, this file is parsed top to bottom and the first match "wins" so
+# more specific rules need to be above more generalized rules.
+# The following two rules mean the agent must posses a signed certificate and
+# must be connecting from the 192.168.0.0/16 subnet.
+path /file_metadata/files
+auth yes
+allow_ip 192.168.0.0/16
+
+path /file_content/files
+auth yes
+allow_ip 192.168.0.0/16
+
# unconditionally allow access to all file services
# which means in practice that fileserver.conf will
# still be used
path /file
allow *
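Review bot: the two added stanzas use simple prefix matches, so `path /file_metadata/files` and `path /file_content/files` also cover any other mount whose name begins with `files` (the header comment notes that `path /file` matches both `/file_metadata` and `/file_content` for the same reason); if only the `files` mount is meant, anchor the match with a regex such as `path ~ ^/file_(metadata|content)/files/`, which also collapses the two stanzas into one with the same `allow_ip 192.168.0.0/16`. The `auth yes` lines are redundant, since the header states that authenticated is the default when `auth` is unspecified, though keeping them does document the intent. The new comments misspell "fileserver.conf" as "filserver.conf" and "possess" as "posses".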