Puppet v4: new auth.conf: 'puppetlabs envronments' rule - HOWTO restrict clients

asked 2017-04-27 18:44:17 -0500

cm01 gravatar image


I'm trying to restrict which 'clients' can access the CA Master.
According to https://ask.puppet.com/question/30415... I can't use the 'csr' rule because new clients are not yet auth'd, so I'll use autosign.conf instead.
What I'd like to at least do is restrict by puppet env, thus

            match-request: {
                path: "/puppet/v3/environments"
                type: path
                method: get

#               query-params: {
#                       environment: [ qa2 ]
#               }
            allow: [ cd, dev, idle, qa, qa2, qaperf2 ]
        deny: "*"
        sort-order: 500
        name: "puppetlabs environments"

However, this still allows my test client (using 'qa1' env) to attempt a catalog run successfully; why ???


edit retag flag offensive close merge delete