HTTP API ACLs in auth.conf make it impossible to specify access rules for specific nodes

asked 2014-08-05 04:56:21 -0500 by Jason C, updated 2014-08-05 05:30:35 -0500

As far as I can tell, it is impossible to specify in auth.conf that an agent is allowed a specific level of access.

The problem is that the ACLs match on path and then apply the allow statement, thus ignoring later statements that apply to the same path. e.g.:

path /
auth any
allow mymachine.mydomain.com

If I put this at the top of auth.conf, it successfully lets mymachine do anything. But then it will ignore all statements below it because it has already applied a rule for "path /". Thus all other agents will be unable to access anything on the puppet master and will get a 403 error on every request.

But if I put that example ACL near the bottom of auth.conf, mymachine will be as restricted as usual, because restrictive rules above it have been applied to mymachine.

This appears to be a significant limitation in the way ACLs have been implemented, unless I have missed something?


2 answers


answered 2014-08-05 05:30:22 -0500 by Jason C

I think I've found a workaround - by removing the 'not strictly necessary line' at the bottom, i.e.:

path /
allow any

By removing this, and placing:

path /
auth any
allow mymachine.mydomain.com

at the bottom, it seems to work as required. I don't know why.


answered 2014-08-07 19:12:18 -0500

Yeah, auth.conf ACLs are awkward, no two ways about it. But I think you did miss something: you can add any node to the "allow" list of any rule. (See here.)

In your case, you'll want to add your node to the final "everything" rule at the bottom of auth.conf:

path /
auth any
allow mymachine.mydomain.com

...but you'll ALSO want to add it to any rules that would match before that final rule. In the default auth.conf, that includes catalog and node:

# allow nodes to retrieve their own catalog, and one box to retrieve everyone's.
path ~ ^/catalog/([^/]+)$
method find
allow $1, mymachine.mydomain.com
# allow nodes to retrieve their own node definition, etc.
path ~ ^/node/([^/]+)$
method find
allow $1, mymachine.mydomain.com

Or, if you wanted to allow one node to do both find and save on the certificate endpoint, you'd have to create a new save rule:

# allow nodes to retrieve the certificate they requested earlier
path /certificate/
auth any
method find
allow *
# Allow one node to push certificates. Note that this rule won't match any find requests. 
path /certificate/
auth any
method save
allow mymachine.mydomain.com

I'll be the first to admit this is awkward, but I'm pretty sure you can do anything with it. It's just that you'll have to split the description of the behavior you want across a bunch of ACLs.

