
Correct file endpoint rules in default tk-auth.conf file

    Details

    • Type: Task
    • Status: Closed
    • Priority: Normal
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: SERVER 5.0.0
    • Component/s: None
    • Labels:
      None
    • Template:
    • Team:
      Systems Engineering
    • Sub-team:
    • Story Points:
      1
    • Sprint:
      Server 2017-06-14
    • Release Notes:
      Security Fix
    • Release Notes Summary:
      The default authorization rules in the auth.conf file have been updated to reflect that access to the "delete" HTTP method for endpoints whose paths start with "/puppet/v3/file_" cannot be granted even if an auth.conf rule permits it. This access is always forbidden due to a hard-coded restriction in the Ruby Puppet endpoint code. For clarity, the "file_" rules have been split into different definitions per endpoint in order to reflect the valid methods that each supports, including file_bucket_file, file_content, and file_metadata.
    • QA Risk Assessment:
      Needs Assessment

      Description

      In doing some fileserver.conf research in PUP-6359, we discovered that the default auth.conf which is delivered with Puppet Server does not accurately reflect some of the file endpoint authorization that Ruby Puppet uses.

      The current "file*" rule is defined as:

      {
           # Allow nodes to access all file services; this is necessary for
           # pluginsync, file serving from modules, and file serving from
           # custom mount points (see fileserver.conf). Note that the `/file`
           # prefix matches requests to file_metadata, file_content, and
           # file_bucket_file paths.
           match-request: {
               path: "/puppet/v3/file"
               type: path
           }
           allow: "*"
           sort-order: 500
           name: "puppetlabs file"
      },
      

      Josh Cooper, however, found the following:

      NOTE: the default auth.conf grants everyone access for all terminus methods (find, search, save, delete), the fileserver is hardcoded to only allow find and search. This means we can't stop calling the fileserver's authorized? method, since it's effectively part of the authz policy. ... I'm thinking we should ... update the default auth.conf to only allow find/search for file_content and file_metadata, and find/search/save for file_bucket_file. Probably don't want to grant delete since file_bucket_file doesn't implement that method.

      In tk-auth terms, a better representation of these rules would probably be:

      {
           match-request: {
               path: "/puppet/v3/file_bucket_file"
               type: path
               method: [get, head, post, put]
           }
           allow: "*"
           sort-order: 500
           name: "puppetlabs file bucket file"
      },
      {
           match-request: {
               path: "/puppet/v3/file_content"
               type: path
               method: [get, post]
           }
           allow: "*"
           sort-order: 500
           name: "puppetlabs file content"
      },
      {
           match-request: {
               path: "/puppet/v3/file_metadata"
               type: path
               method: [get, post]
           }
           allow: "*"
           sort-order: 500
           name: "puppetlabs file metadata"
      },
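      As an added example (not Puppet Server's or trapperkeeper-authorization's own code), the Python below models the tk-auth matching semantics the ticket relies on: a `type: path` rule matches on path prefix, an optional `method` list narrows the match, the lowest `sort-order` match decides, and an unmatched request is denied. Comparing a DELETE against the old single "file" rule and the proposed per-endpoint rules shows the gap the ticket closes; the hard-coded fileserver restriction in Ruby Puppet is a separate layer that this model does not reproduce. The rule data is transcribed from the ticket; the request paths are constructed samples.

```python
"""Simplified model of tk-auth rule evaluation (added example; not the
trapperkeeper-authorization implementation). Rule data is taken from
SERVER-1808; request paths below are constructed samples."""

# The single rule shipped in the default auth.conf before this ticket:
# no method list, so every HTTP method on a /puppet/v3/file* path matches.
OLD_RULES = [
    {"name": "puppetlabs file", "path": "/puppet/v3/file",
     "methods": None, "allow": "*", "sort-order": 500},
]

# The per-endpoint rules proposed in the ticket, each with the methods
# the corresponding Ruby endpoint actually implements.
NEW_RULES = [
    {"name": "puppetlabs file bucket file", "path": "/puppet/v3/file_bucket_file",
     "methods": ["get", "head", "post", "put"], "allow": "*", "sort-order": 500},
    {"name": "puppetlabs file content", "path": "/puppet/v3/file_content",
     "methods": ["get", "post"], "allow": "*", "sort-order": 500},
    {"name": "puppetlabs file metadata", "path": "/puppet/v3/file_metadata",
     "methods": ["get", "post"], "allow": "*", "sort-order": 500},
]


def rule_matches(rule, method, path):
    """A type-path rule matches when the request path starts with the rule
    path and, if the rule lists methods, the HTTP method is one of them."""
    if not path.startswith(rule["path"]):
        return False
    return rule["methods"] is None or method.lower() in rule["methods"]


def authorize(rules, method, path):
    """Return (allowed, rule_name). Rules are tried in ascending sort-order
    and the first match decides; a request no rule matches is denied."""
    for rule in sorted(rules, key=lambda r: r["sort-order"]):
        if rule_matches(rule, method, path):
            return rule["allow"] == "*", rule["name"]
    return False, None


def compare(method, path):
    """Authorization outcome for one request under the old and new rule sets."""
    return {"old": authorize(OLD_RULES, method, path)[0],
            "new": authorize(NEW_RULES, method, path)[0]}


if __name__ == "__main__":
    for method, path in [("GET", "/puppet/v3/file_content/modules/m/f"),
                         ("DELETE", "/puppet/v3/file_bucket_file/md5/0123"),
                         ("PUT", "/puppet/v3/file_bucket_file/md5/0123"),
                         ("PUT", "/puppet/v3/file_metadata/modules/m/f")]:
        print(f"{method:6} {path:45} {compare(method, path)}")
```

The DELETE case is the one the release note describes: the old rule authorized it at the auth.conf layer and relied on the Ruby fileserver to reject it, while the new rules deny it before the request reaches Ruby Puppet.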
      

              People
              • Assignee: Jeremy Barlow (jeremy.barlow)
              • Reporter: Ruth Linehan (ruth)