Details
Type: Task
Status: Closed
Priority: Normal
Resolution: Fixed
Description
In doing some fileserver.conf research in PUP-6359, we discovered that the default auth.conf which is delivered with Puppet Server does not accurately reflect some of the file endpoint authorization that Ruby Puppet uses.
The current "file*" rule is defined as:
    {
        # Allow nodes to access all file services; this is necessary for
        # pluginsync, file serving from modules, and file serving from
        # custom mount points (see fileserver.conf). Note that the `/file`
        # prefix matches requests to file_metadata, file_content, and
        # file_bucket_file paths.
        match-request: {
            path: "/puppet/v3/file"
            type: path
        }
        allow: "*"
        sort-order: 500
        name: "puppetlabs file"
    },
josh, however, found the following:
NOTE: the default auth.conf grants everyone access for all terminus methods (find, search, save, delete), the fileserver is hardcoded to only allow find and search. This means we can't stop calling the fileserver's authorized? method, since it's effectively part of the authz policy. ... I'm thinking we should ... update the default auth.conf to only allow find/search for file_content and file_metadata, and find/search/save for file_bucket_file. Probably don't want to grant delete since file_bucket_file doesn't implement that method.
In tk-auth terms, a better representation of these rules would probably be:
    {
        match-request: {
            path: "/puppet/v3/file_bucket_file"
            type: path
            method: [get, head, post, put]
        }
        allow: "*"
        sort-order: 500
        name: "puppetlabs file bucket file"
    },
    {
        match-request: {
            path: "/puppet/v3/file_content"
            type: path
            method: [get, post]
        }
        allow: "*"
        sort-order: 500
        name: "puppetlabs file content"
    },
    {
        match-request: {
            path: "/puppet/v3/file_metadata"
            type: path
            method: [get, post]
        }
        allow: "*"
        sort-order: 500
        name: "puppetlabs file metadata"
    },
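To make the difference between the current rule and the proposed rules concrete, here is an added example (not Puppet Server or tk-auth code, and not part of this ticket) that models the rules above in Ruby and runs a handful of constructed requests through both rule sets. It assumes that a `type: path` match is a string-prefix match on the request path (the comment on the current rule relies on this), that the `method` list is compared case-insensitively, that a request matching no rule is denied, and that the HTTP verbs map onto terminus methods the way the proposal implies: get/post for find and search, head for head, put for save, delete for delete. Because the match is a prefix, `/puppet/v3/file_metadata` also covers the plural search path `/puppet/v3/file_metadatas`; that follows from the assumption rather than from anything the ticket states. Rule names, request paths and the file bucket checksum are constructed for illustration.

```ruby
# Added example: a small model of tk-auth style rule evaluation, written to
# show which HTTP methods (and so which terminus methods) each proposed
# rule admits. This is NOT Puppet Server's implementation.
#
# Assumptions (not stated by the ticket):
#   - a "path" rule is a string-prefix match on the request path
#   - the method list is compared case-insensitively
#   - a request that matches no rule is denied
#   - "allow: *" admits every client, so it is omitted from the model

# Rules transcribed from the proposal in the ticket.
PROPOSED_RULES = [
  { name: "puppetlabs file bucket file", path: "/puppet/v3/file_bucket_file",
    methods: %w[get head post put], sort_order: 500 },
  { name: "puppetlabs file content", path: "/puppet/v3/file_content",
    methods: %w[get post], sort_order: 500 },
  { name: "puppetlabs file metadata", path: "/puppet/v3/file_metadata",
    methods: %w[get post], sort_order: 500 },
].freeze

# The rule shipped today, kept for comparison: it has no "method" key,
# which this model treats as "any method".
CURRENT_RULES = [
  { name: "puppetlabs file", path: "/puppet/v3/file", methods: nil, sort_order: 500 },
].freeze

def rule_matches?(rule, method, path)
  return false unless path.start_with?(rule[:path])
  rule[:methods].nil? || rule[:methods].include?(method.downcase)
end

# Returns the name of the first matching rule (lowest sort-order wins),
# or nil when nothing matches, i.e. the request is denied.
def authorize(rules, method, path)
  rule = rules.sort_by { |r| r[:sort_order] }.find { |r| rule_matches?(r, method, path) }
  rule && rule[:name]
end

# Constructed requests, one per terminus method mentioned in the ticket.
# The checksum is a placeholder, not a real file bucket entry.
REQUESTS = [
  ["find file_content",       "GET",    "/puppet/v3/file_content/modules/ntp/ntp.conf"],
  ["search file_metadata",    "GET",    "/puppet/v3/file_metadatas/modules/ntp"],
  ["head file_bucket_file",   "HEAD",   "/puppet/v3/file_bucket_file/md5/0123456789abcdef0123456789abcdef"],
  ["save file_bucket_file",   "PUT",    "/puppet/v3/file_bucket_file/md5/0123456789abcdef0123456789abcdef"],
  ["delete file_bucket_file", "DELETE", "/puppet/v3/file_bucket_file/md5/0123456789abcdef0123456789abcdef"],
  ["save file_content",       "PUT",    "/puppet/v3/file_content/modules/ntp/ntp.conf"],
].freeze

# For each request: [label, rule admitting it today, rule admitting it
# under the proposal]; nil in either slot means denied.
def compare(requests = REQUESTS)
  requests.map do |label, method, path|
    [label, authorize(CURRENT_RULES, method, path), authorize(PROPOSED_RULES, method, path)]
  end
end

if __FILE__ == $PROGRAM_NAME
  compare.each do |label, before, after|
    printf("%-24s current: %-18s proposed: %s\n", label, before || "denied", after || "denied")
  end
end
```

Run it with `ruby` and the last two rows show the point of the proposal: DELETE on file_bucket_file and PUT on file_content are admitted by the current `/puppet/v3/file` rule and denied by the proposed ones, while find, search, head and save keep working. The model is only as faithful as the assumptions above; check the real matching and method-comparison semantics against the tk-auth documentation before relying on a rule set.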
Issue Links
relates to: PUP-6359 Completely remove allow/deny rules from fileserver.conf syntax (Closed)