# HTTP API ACLs in auth.conf make it impossible to specify access rules for specific nodes

As far as I can tell, it is impossible to specify in auth.conf that an agent is allowed a specific level of access.

The problem is that the ACLs match on path and then apply to the allow statement, thus ignoring later statements that apply to the same path. e.g.:

path /
auth any
allow mymachine.mydomain.com


If I put this at the top of auth.conf, it successfully lets mymachine do anything. But then it will ignore all statements below it because it's already applied a rule for "path /". Thus all other agents will be unable to access anything on the puppet master and will give a 403 error on every request.

But if I put that example ACL near the bottom of auth.conf, mymachine will be as restricted as usual, because restrictive rules above it have been applied to mymachine.

This appears to be a significant limitation in the way ACLs have been implemented, unless I have missed something?



Yeah, auth.conf ACLs are awkward, no two ways about it. But I think you did miss something: you can add any node to the "allow" list of any rule. (See here.)

In your case, you'll want to add your node to the final "everything" rule at the bottom of auth.conf:

path /
auth any
allow mymachine.mydomain.com


...but you'll ALSO want to add it to any rules that would match before that final rule. In the default auth.conf, that includes catalog and node:

# allow nodes to retrieve their own catalog, and one box to retrieve everyone's.
path ~ ^/catalog/([^/]+)$
method find
allow $1, mymachine.mydomain.com
# allow nodes to retrieve their own node definition, etc.
path ~ ^/node/([^/]+)$
method find
allow $1, mymachine.mydomain.com


Or, if you wanted to allow one node to do both find and save on the certificate endpoint, you'd have to create a new save rule:

# allow nodes to retrieve the certificate they requested earlier
path /certificate/
auth any
method find
allow *
# Allow one node to push certificates. Note that this rule won't match any find requests.
path /certificate/
auth any
method save
allow mymachine.mydomain.com


I'll be the first to admit this is awkward, but I'm pretty sure you can do anything with it. It's just that you'll have to split the description of the behavior you want across a bunch of ACLs.

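As an added example (not from the original post and not Puppet's own code), a small Python model of the first-match evaluation described above: the constructed fragments mirror the questioner's "path / at the top" layout and this answer's split rules, and auth lines are left out because every modelled request is an authenticated agent.

```python
import re

# Constructed auth.conf fragments (not the real default file); 'auth' lines omitted, all requests are authenticated agents.
TOP_RULE_CONF = """path /
allow mymachine.mydomain.com
path ~ ^/catalog/([^/]+)$
method find
allow $1
"""
SPLIT_RULES_CONF = """path ~ ^/catalog/([^/]+)$
method find
allow $1, mymachine.mydomain.com
path /certificate/
method find
allow *
path /certificate/
method save
allow mymachine.mydomain.com
path /
allow mymachine.mydomain.com
"""

def parse_auth_conf(text):
    # Ordered rule list: a 'path' line opens a rule; 'method' and 'allow' refine the latest one.
    rules = []
    for raw in text.splitlines():
        key, _, value = raw.split("#", 1)[0].strip().partition(" ")
        if key == "path":
            regex = re.compile(value[1:].strip()) if value.startswith("~") else None
            rules.append({"regex": regex, "prefix": value, "methods": None, "allow": []})
        elif key == "method":
            rules[-1]["methods"] = [m.strip() for m in value.split(",")]
        elif key == "allow":
            rules[-1]["allow"] = [n.strip() for n in value.split(",")]
    return rules

def is_allowed(rules, certname, method, path):
    # The first rule whose path AND method match decides; later rules are never consulted.
    for rule in rules:
        if rule["regex"]:
            captures = m.groups() if (m := rule["regex"].match(path)) else None
        else:
            captures = () if path.startswith(rule["prefix"]) else None
        if captures is None or (rule["methods"] and method not in rule["methods"]):
            continue
        # $1 expands to the first regex capture, i.e. the node name embedded in the path;
        # a matching rule that does not list this node denies it (the 403 in the question).
        return any(e == "*" or e.replace("$1", captures[0] if captures else "") == certname
                   for e in rule["allow"])
    return False  # no rule matched
```

With TOP_RULE_CONF every node other than mymachine is refused even its own catalog, because the blanket "path /" rule is consulted first; with SPLIT_RULES_CONF each node still gets only its own catalog while mymachine gets everything, and the save rule on /certificate/ never shadows the find rule.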

I think I've found a workaround - by removing the 'not strictly necessary line' at the bottom, i.e.:

path /
allow any


By removing this, and placing:

path /
auth any
allow mymachine.mydomain.com


at the bottom, it seems to work as required. I don't know why.
