[SERVER-1808] Correct file endpoint rules in default tk-auth.conf file - Puppet Tickets

Details

Type: Task
Status: Closed
Priority: Normal
Resolution: Fixed
Affects Version/s: None
Fix Version/s: SERVER 5.0.0
Component/s: None
Labels:
None

Template:
customfield_10700 190765
Team:
Systems Engineering
Sub-team:
- Server
Story Points:
1
Sprint:
Server 2017-06-14

Release Notes:
Security Fix
Release Notes Summary:

Hide
The default authorization rules in the auth.conf file have been updated to reflect that access to the "delete" HTTP method for endpoints whose paths start with "/puppet/v3/file_" cannot be granted even if an auth.conf rule permits it. This access is always forbidden due to a hard-coded restriction in the Ruby Puppet endpoint code. For clarity, the "file_" rules have been split into different definitions per endpoint in order to reflect the valid methods that each supports, including file_bucket_file, file_content, and file_metadata.

Show
The default authorization rules in the auth.conf file have been updated to reflect that access to the "delete" HTTP method for endpoints whose paths start with "/puppet/v3/file_" cannot be granted even if an auth.conf rule permits it. This access is always forbidden due to a hard-coded restriction in the Ruby Puppet endpoint code. For clarity, the "file_" rules have been split into different definitions per endpoint in order to reflect the valid methods that each supports, including file_bucket_file, file_content, and file_metadata.

QA Risk Assessment:
Needs Assessment

Description

In doing some fileserver.conf research in ~~PUP-6359~~, we discovered that the default auth.conf which is delivered with Puppet Server does not accurately reflect some of the file endpoint authorization that Ruby Puppet uses.

The current "file*" rule is defined as:

     # Allow nodes to access all file services; this is necessary for

     # pluginsync, file serving from modules, and file serving from

     # custom mount points (see fileserver.conf). Note that the `/file`

     # prefix matches requests to file_metadata, file_content, and

     # file_bucket_file paths.

     match-request: {

         path: "/puppet/v3/file"

         type: path

     allow: "*"

     sort-order: 500

     name: "puppetlabs file"

},

Josh Cooper, however, found the following:

NOTE: the default auth.conf grants everyone access for all terminus methods (find, search, save, delete), the fileserver is hardcoded to only allow find and search. This means we can't stop calling the fileserver's authorized? method, since it's effectively part of the authz policy. ... I'm thinking we should ... update the default auth.conf to only allow find/search for file_content and file_metadata, and find/search/save for file_bucket_file. Probably don't want to grant delete since file_bucket_file doesn't implement that method.

In tk-auth terms, a better representation of these rules would probably be:

     match-request: {

         path: "/puppet/v3/file_bucket_file"

         type: path

         method: [get, head, post, put]

     allow: "*"

     sort-order: 500

     name: "puppetlabs file bucket file"

},

     match-request: {

         path: "/puppet/v3/file_content"

         type: path

         method: [get, post]

     allow: "*"

     sort-order: 500

     name: "puppetlabs file content"

},

     match-request: {

         path: "/puppet/v3/file_metadata"

         type: path

         method: [get, post]

     allow: "*"

     sort-order: 500

     name: "puppetlabs file metadata"

},

Attachments

Issue Links

relates to

PUP-6359 Completely remove allow/deny rules from fileserver.conf syntax

Closed

Activity

People

Assignee:

Jeremy Barlow

Reporter:

Ruth Linehan

Votes:

0 Vote for this issue

Watchers:

3 Start watching this issue

Dates

Created:

2017/05/12 10:55 AM

Updated:

2017/06/28 12:17 PM

Resolved:

2017/06/13 4:03 PM