HTTP API ACLs in auth.conf make it impossible to specify access rules for specific nodes
As far as I can tell, it is impossible to specify in auth.conf that an agent is allowed a specific level of access.
The problem is that the ACLs match on path and then apply to the allow statement, thus ignoring later statements that apply to the same path, e.g.:
path /
auth any
allow mymachine.mydomain.com
If I put this at the top of auth.conf, it successfully lets mymachine do anything. But then it will ignore all statements below it because it has already applied a rule for "path /". Thus all other agents will be unable to access anything on the puppet master and will get a 403 error on every request.
But if I put that example ACL near the bottom of auth.conf, mymachine will be as restricted as usual, because restrictive rules above it have been applied to mymachine.
This appears to be a significant limitation in the way ACLs have been implemented, unless I have missed something?
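An added example (not from this ticket or from Puppet's own code) that models the first-match behaviour described above: a minimal auth.conf parser plus a path-prefix evaluator, run over a constructed three-stanza file with the permissive "path /" stanza first and then moved to the bottom. The plain path-prefix matching, the "auth" lines being ignored, and the hostnames puppetca/othernode are assumptions made for the illustration.

```python
def parse_auth_conf(text):
    """Parse the 'path' and 'allow' stanzas of an auth.conf-style file.
    Other keys (auth, method) are accepted but not modelled: only path order matters here."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, _, val = line.partition(" ")
        if key == "path":
            rules.append({"path": val.strip(), "allow": []})
        elif key == "allow":
            rules[-1]["allow"] += [v.strip() for v in val.split(",")]
    return rules

def authorize(rules, node, request_path):
    """First-match semantics: the first stanza whose path is a prefix of the
    request decides, and every stanza below it is ignored for that request."""
    for rule in rules:
        if request_path.startswith(rule["path"]):
            allowed = "*" in rule["allow"] or node in rule["allow"]
            return 200 if allowed else 403
    return 403  # no stanza matched: deny

# Constructed sample: the reporter's permissive stanza at the top of the file ...
PERMISSIVE_FIRST = """\
path /
auth any
allow mymachine.mydomain.com

path /catalog
auth yes
allow *

path /certificate_status
auth yes
allow puppetca.mydomain.com
"""

# ... and the same three stanzas with the permissive one moved to the bottom.
_stanzas = PERMISSIVE_FIRST.strip().split("\n\n")
PERMISSIVE_LAST = "\n\n".join(_stanzas[1:] + _stanzas[:1]) + "\n"

def outcomes(conf):
    """Status codes for (mymachine on /certificate_status, another node on /catalog)."""
    rules = parse_auth_conf(conf)
    return (authorize(rules, "mymachine.mydomain.com", "/certificate_status"),
            authorize(rules, "othernode.mydomain.com", "/catalog/othernode.mydomain.com"))
```

With the permissive stanza first, mymachine reaches /certificate_status but every other node gets 403 on /catalog; with it last, the earlier /certificate_status stanza shadows it and mymachine gets 403 there while other nodes work again.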