forked from puppetlabs/puppet
(#17448/#17449/#18045) Update fileserver.conf and auth.conf examples
These files still referred to the regime whereby access control lived in both files and auth.conf usually delegated to fileserver.conf, except when it didn't. In the meantime, we've improved auth.conf and partially broken fileserver.conf, and in conversations with the core team, it's become clear that we don't necessarily WANT to fix fileserver.conf, especially if not doing so will lead to better and more centralized access control. Unfortunately, an awkward period seems unavoidable. This commit attempts to describe what users SHOULD do and give enough hints that it will be easy to do so, at the cost of a certain windiness. NOTE ESPECIALLY that we're now using the word "deprecated," as the warnings-and-prefs-based deprecation plan outlined at #18045 has been accepted.
1 parent
a622f0e
commit 1fbb4dc
Showing
5 changed files
with
201 additions
and
75 deletions.
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1,13 +1,41 @@ | ||
# $Id$ | ||
# fileserver.conf | ||
|
||
[dist] | ||
path /dist | ||
allow *.puppetlabs.com | ||
# Puppet automatically serves PLUGINS and FILES FROM MODULES: anything in | ||
# <module name>/files/<file name> is available to authenticated nodes at | ||
# puppet:///modules/<module name>/<file name>. You do not need to edit this | ||
# file to enable this. | ||
|
||
[plugins] | ||
path /var/lib/puppet/plugins | ||
allow *.puppetlabs.com | ||
# MOUNT POINTS | ||
|
||
[facts] | ||
path /var/lib/puppet/facts | ||
allow *.puppetlabs.com | ||
# If you need to serve files from a directory that is NOT in a module, | ||
# you must create a static mount point in this file: | ||
# | ||
# [extra_files] | ||
# path /etc/puppet/files | ||
# allow * | ||
# | ||
# In the example above, anything in /etc/puppet/files/<file name> would be | ||
# available to authenticated nodes at puppet:///extra_files/<file name>. | ||
# | ||
# Mount points may also use three placeholders as part of their path: | ||
# | ||
# %H - The node's certname. | ||
# %h - The portion of the node's certname before the first dot. (Usually the | ||
# node's short hostname.) | ||
# %d - The portion of the node's certname after the first dot. (Usually the | ||
# node's domain name.) | ||
|
||
# PERMISSIONS | ||
|
||
# Every static mount point should have an `allow *` line; setting more | ||
# granular permissions in this file is deprecated. Instead, you can | ||
# control file access in auth.conf by controlling the | ||
# /file_metadata/<mount point> and /file_content/<mount point> paths: | ||
# | ||
# path ~ ^/file_(metadata|content)/extra_files/ | ||
# auth yes | ||
# allow /^(.+)\.example\.com$/ | ||
# allow_ip 192.168.100.0/24 | ||
# | ||
# If added to auth.conf BEFORE the "path /file" rule, the rule above | ||
# will add stricter restrictions to the extra_files mount point. |
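Review bot: The auth.conf example under PERMISSIONS matches only the singular `/file_metadata/` and `/file_content/` paths, so a request to the plural `file_metadatas` endpoint (used, as far as I know, for recursive directory listings) would not hit this rule and would presumably fall through to the broader "path /file" rule. Because the same text tells users to put `allow *` on every static mount and rely on auth.conf alone, that gap would leave the mount's file listing and metadata readable by any authenticated node. I would write the pattern as `# path ~ ^/file_(metadata|content)s?/extra_files/` and state the failure mode outright, e.g. `# Without such a rule placed before "path /file", every authenticated node can read this mount.` The identical comment block appears in the three other fileserver.conf sections shown on this page, so the same change applies there.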
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1,17 +1,41 @@ | ||
# This file consists of arbitrarily named sections/modules | ||
# defining where files are served from and to whom | ||
# fileserver.conf | ||
|
||
# Define a section 'files' | ||
# Adapt the allow/deny settings to your needs. Order | ||
# for allow/deny does not matter, allow always takes precedence | ||
# over deny | ||
#[files] | ||
# path /etc/puppet/files | ||
# allow *.example.com | ||
# deny *.evil.example.com | ||
# allow 192.168.0.0/24 | ||
# Puppet automatically serves PLUGINS and FILES FROM MODULES: anything in | ||
# <module name>/files/<file name> is available to authenticated nodes at | ||
# puppet:///modules/<module name>/<file name>. You do not need to edit this | ||
# file to enable this. | ||
|
||
#[plugins] | ||
# allow *.example.com | ||
# deny *.evil.example.com | ||
# allow 192.168.0.0/24 | ||
# MOUNT POINTS | ||
|
||
# If you need to serve files from a directory that is NOT in a module, | ||
# you must create a static mount point in this file: | ||
# | ||
# [extra_files] | ||
# path /etc/puppet/files | ||
# allow * | ||
# | ||
# In the example above, anything in /etc/puppet/files/<file name> would be | ||
# available to authenticated nodes at puppet:///extra_files/<file name>. | ||
# | ||
# Mount points may also use three placeholders as part of their path: | ||
# | ||
# %H - The node's certname. | ||
# %h - The portion of the node's certname before the first dot. (Usually the | ||
# node's short hostname.) | ||
# %d - The portion of the node's certname after the first dot. (Usually the | ||
# node's domain name.) | ||
|
||
# PERMISSIONS | ||
|
||
# Every static mount point should have an `allow *` line; setting more | ||
# granular permissions in this file is deprecated. Instead, you can | ||
# control file access in auth.conf by controlling the | ||
# /file_metadata/<mount point> and /file_content/<mount point> paths: | ||
# | ||
# path ~ ^/file_(metadata|content)/extra_files/ | ||
# auth yes | ||
# allow /^(.+)\.example\.com$/ | ||
# allow_ip 192.168.100.0/24 | ||
# | ||
# If added to auth.conf BEFORE the "path /file" rule, the rule above | ||
# will add stricter restrictions to the extra_files mount point. |
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1,12 +1,41 @@ | ||
# This file consists of arbitrarily named sections/modules | ||
# defining where files are served from and to whom | ||
|
||
# Define a section 'files' | ||
# Adapt the allow/deny settings to your needs. Order | ||
# for allow/deny does not matter, allow always takes precedence | ||
# over deny | ||
[files] | ||
path /var/lib/puppet/files | ||
# allow *.example.com | ||
# deny *.evil.example.com | ||
# allow 192.168.0.0/24 | ||
# fileserver.conf | ||
|
||
# Puppet automatically serves PLUGINS and FILES FROM MODULES: anything in | ||
# <module name>/files/<file name> is available to authenticated nodes at | ||
# puppet:///modules/<module name>/<file name>. You do not need to edit this | ||
# file to enable this. | ||
|
||
# MOUNT POINTS | ||
|
||
# If you need to serve files from a directory that is NOT in a module, | ||
# you must create a static mount point in this file: | ||
# | ||
# [extra_files] | ||
# path /etc/puppet/files | ||
# allow * | ||
# | ||
# In the example above, anything in /etc/puppet/files/<file name> would be | ||
# available to authenticated nodes at puppet:///extra_files/<file name>. | ||
# | ||
# Mount points may also use three placeholders as part of their path: | ||
# | ||
# %H - The node's certname. | ||
# %h - The portion of the node's certname before the first dot. (Usually the | ||
# node's short hostname.) | ||
# %d - The portion of the node's certname after the first dot. (Usually the | ||
# node's domain name.) | ||
|
||
# PERMISSIONS | ||
|
||
# Every static mount point should have an `allow *` line; setting more | ||
# granular permissions in this file is deprecated. Instead, you can | ||
# control file access in auth.conf by controlling the | ||
# /file_metadata/<mount point> and /file_content/<mount point> paths: | ||
# | ||
# path ~ ^/file_(metadata|content)/extra_files/ | ||
# auth yes | ||
# allow /^(.+)\.example\.com$/ | ||
# allow_ip 192.168.100.0/24 | ||
# | ||
# If added to auth.conf BEFORE the "path /file" rule, the rule above | ||
# will add stricter restrictions to the extra_files mount point. |
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1,12 +1,41 @@ | ||
# This file consists of arbitrarily named sections/modules | ||
# defining where files are served from and to whom | ||
|
||
# Define a section 'files' | ||
# Adapt the allow/deny settings to your needs. Order | ||
# for allow/deny does not matter, allow always takes precedence | ||
# over deny | ||
# [files] | ||
# path /var/lib/puppet/files | ||
# allow *.example.com | ||
# deny *.evil.example.com | ||
# allow 192.168.0.0/24 | ||
# fileserver.conf | ||
|
||
# Puppet automatically serves PLUGINS and FILES FROM MODULES: anything in | ||
# <module name>/files/<file name> is available to authenticated nodes at | ||
# puppet:///modules/<module name>/<file name>. You do not need to edit this | ||
# file to enable this. | ||
|
||
# MOUNT POINTS | ||
|
||
# If you need to serve files from a directory that is NOT in a module, | ||
# you must create a static mount point in this file: | ||
# | ||
# [extra_files] | ||
# path /etc/puppet/files | ||
# allow * | ||
# | ||
# In the example above, anything in /etc/puppet/files/<file name> would be | ||
# available to authenticated nodes at puppet:///extra_files/<file name>. | ||
# | ||
# Mount points may also use three placeholders as part of their path: | ||
# | ||
# %H - The node's certname. | ||
# %h - The portion of the node's certname before the first dot. (Usually the | ||
# node's short hostname.) | ||
# %d - The portion of the node's certname after the first dot. (Usually the | ||
# node's domain name.) | ||
|
||
# PERMISSIONS | ||
|
||
# Every static mount point should have an `allow *` line; setting more | ||
# granular permissions in this file is deprecated. Instead, you can | ||
# control file access in auth.conf by controlling the | ||
# /file_metadata/<mount point> and /file_content/<mount point> paths: | ||
# | ||
# path ~ ^/file_(metadata|content)/extra_files/ | ||
# auth yes | ||
# allow /^(.+)\.example\.com$/ | ||
# allow_ip 192.168.100.0/24 | ||
# | ||
# If added to auth.conf BEFORE the "path /file" rule, the rule above | ||
# will add stricter restrictions to the extra_files mount point. |