[MediaWiki-commits] [Gerrit] operations/puppet[production]: puppetmaster: Merge labs and production auth.conf templates

Mon, 08 Aug 2016 19:49:34 -0700 

Alex Monk has uploaded a new change for review.

  https://gerrit.wikimedia.org/r/303742

Change subject: puppetmaster: Merge labs and production auth.conf templates
......................................................................

puppetmaster: Merge labs and production auth.conf templates

They're very similar.

Change-Id: Ice7b1071102bbd62a35ac9b29b64732fe65ec406
---
M modules/puppetmaster/manifests/init.pp
D modules/puppetmaster/templates/auth-labs-master.conf.erb
R modules/puppetmaster/templates/auth-master.conf.erb
3 files changed, 16 insertions(+), 136 deletions(-)


  git pull ssh://gerrit.wikimedia.org:29418/operations/puppet 
refs/changes/42/303742/1

diff --git a/modules/puppetmaster/manifests/init.pp 
b/modules/puppetmaster/manifests/init.pp
index 7df6a57..a5efe1e 100644
--- a/modules/puppetmaster/manifests/init.pp
+++ b/modules/puppetmaster/manifests/init.pp
@@ -123,19 +123,13 @@
         require_package('ruby-httpclient')
 
         $horizon_host = hiera('labs_horizon_host')
-        file { '/etc/puppet/auth.conf':
-            owner   => 'root',
-            group   => 'root',
-            mode    => '0444',
-            content => template('puppetmaster/auth-labs-master.conf.erb'),
-        }
-    } else {
-        file { '/etc/puppet/auth.conf':
-            owner   => 'root',
-            group   => 'root',
-            mode    => '0444',
-            content => template('puppetmaster/auth-prod-master.conf.erb'),
-        }
+    }
+
+    file { '/etc/puppet/auth.conf':
+        owner   => 'root',
+        group   => 'root',
+        mode    => '0444',
+        content => template('puppetmaster/auth-master.conf.erb'),
     }
 
     class { '::puppetmaster::hiera':
diff --git a/modules/puppetmaster/templates/auth-labs-master.conf.erb 
b/modules/puppetmaster/templates/auth-labs-master.conf.erb
deleted file mode 100644
index 9d31e2f..0000000
--- a/modules/puppetmaster/templates/auth-labs-master.conf.erb
+++ /dev/null
@@ -1,123 +0,0 @@
-# This file is managed by Puppet!
-#
-# This is the default auth.conf file, which implements the default rules
-# used by the puppet master. (That is, the rules below will still apply
-# even if this file is deleted.)
-#
-# The ACLs are evaluated in top-down order. More specific stanzas should
-# be towards the top of the file and more general ones at the bottom;
-# otherwise, the general rules may "steal" requests that should be
-# governed by the specific rules.
-#
-# See http://docs.puppetlabs.com/guides/rest_auth_conf.html for a more complete
-# description of auth.conf's behavior.
-#
-# Supported syntax:
-# Each stanza in auth.conf starts with a path to match, followed
-# by optional modifiers, and finally, a series of allow or deny
-# directives.
-#
-# Example Stanza
-# ---------------------------------
-# path /path/to/resource     # simple prefix match
-# # path ~ regex             # alternately, regex match
-# [environment envlist]
-# [method methodlist]
-# [auth[enthicated] {yes|no|on|off|any}]
-# allow [host|backreference|*|regex]
-# deny [host|backreference|*|regex]
-# allow_ip [ip|cidr|ip_wildcard|*]
-# deny_ip [ip|cidr|ip_wildcard|*]
-#
-# The path match can either be a simple prefix match or a regular
-# expression. `path /file` would match both `/file_metadata` and
-# `/file_content`. Regex matches allow the use of backreferences
-# in the allow/deny directives.
-#
-# The regex syntax is the same as for Ruby regex, and captures backreferences
-# for use in the `allow` and `deny` lines of that stanza
-#
-# Examples:
-#
-# path ~ ^/path/to/resource    # Equivalent to `path /path/to/resource`.
-# allow *                      # Allow all authenticated nodes (since auth
-#                              # defaults to `yes`).
-#
-# path ~ ^/catalog/([^/]+)$    # Permit nodes to access their own catalog (by
-# allow $1                     # certname), but not any other node's catalog.
-#
-# path ~ ^/file_(metadata|content)/extra_files/  # Only allow certain nodes to
-# auth yes                                       # access the "extra_files"
-# allow /^(.+)\.example\.com$/                   # mount point; note this must
-# allow_ip 192.168.100.0/24                      # go ABOVE the "/file" rule,
-#                                                # since it is more specific.
-#
-# environment:: restrict an ACL to a comma-separated list of environments
-# method:: restrict an ACL to a comma-separated list of HTTP methods
-# auth:: restrict an ACL to an authenticated or unauthenticated request
-# the default when unspecified is to restrict the ACL to authenticated requests
-# (ie exactly as if auth yes was present).
-#
-
-### Authenticated ACLs - these rules apply only when the client
-### has a valid certificate and is thus authenticated
-
-# allow nodes to retrieve their own catalog
-path ~ ^/catalog/([^/]+)$
-method find
-allow $1
-
-# allow nodes to retrieve their own node definition
-path ~ ^/node/([^/]+)$
-method find
-allow $1
-
-# allow all nodes to access the certificates services
-path /certificate_revocation_list/ca
-method find
-allow *
-
-# allow all nodes to store their own reports
-path ~ ^/report/([^/]+)$
-method save
-allow $1
-
-# Allow all nodes to access all file services; this is necessary for
-# pluginsync, file serving from modules, and file serving from custom
-# mount points (see fileserver.conf). Note that the `/file` prefix matches
-# requests to both the file_metadata and file_content paths. See "Examples"
-# above if you need more granular access control for custom mount points.
-path /file
-allow *
-
-### Unauthenticated ACLs, for clients without valid certificates; authenticated
-### clients can also access these paths, though they rarely need to.
-
-# allow access to the CA certificate; unauthenticated nodes need this
-# in order to validate the puppet master's certificate
-path /certificate/ca
-auth any
-method find
-allow *
-
-# allow nodes to retrieve the certificate they requested earlier
-path /certificate/
-auth any
-method find
-allow *
-
-# allow nodes to request a new certificate
-path /certificate_request
-auth any
-method find, save
-allow *
-
-# Allow Horizon to ask the puppetmaster about available roles
-path /resource_type
-auth any
-allow <%= @horizon_host %>
-
-# deny everything else; this ACL is not strictly necessary, but
-# illustrates the default policy.
-path /
-auth any
diff --git a/modules/puppetmaster/templates/auth-prod-master.conf.erb 
b/modules/puppetmaster/templates/auth-master.conf.erb
similarity index 95%
rename from modules/puppetmaster/templates/auth-prod-master.conf.erb
rename to modules/puppetmaster/templates/auth-master.conf.erb
index b1723f0..dfc3e48 100644
--- a/modules/puppetmaster/templates/auth-prod-master.conf.erb
+++ b/modules/puppetmaster/templates/auth-master.conf.erb
@@ -67,7 +67,9 @@
 path ~ ^/catalog/([^/]+)$
 method find
 allow $1
+<% if @is_labs_master != true %>
 allow rhodium.eqiad.wmnet
+<% end %>
 
 # allow nodes to retrieve their own node definition
 path ~ ^/node/([^/]+)$
@@ -114,6 +116,13 @@
 method find, save
 allow *
 
+<% if @is_labs_master %>
+# Allow Horizon to ask the puppetmaster about available roles
+path /resource_type
+auth any
+allow <%= @horizon_host %>
+<% end %>
+
 # deny everything else; this ACL is not strictly necessary, but
 # illustrates the default policy.
 path /

-- 
To view, visit https://gerrit.wikimedia.org/r/303742
To unsubscribe, visit https://gerrit.wikimedia.org/r/settings

Gerrit-MessageType: newchange
Gerrit-Change-Id: Ice7b1071102bbd62a35ac9b29b64732fe65ec406
Gerrit-PatchSet: 1
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: Alex Monk <[email protected]>

_______________________________________________
MediaWiki-commits mailing list
[email protected]
https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits

Reply via email to