add new ACL for auth.conf introduced in Puppet 3

a4815584 · Adam Lewenberg · c3f2f417 · a4815584 · a4815584 · a4815584
Commit a4815584 authored 10 years ago by Adam Lewenberg
--- a/NEWS
+++ b/NEWS
@@ -4,7 +4,8 @@ release/003.037 (unreleased)
    definition.  (darrenp1)

    [puppetclient] Add puppetservice* servers to list of servers that can
-    download Puppet DB credentials.
+    download Puppet DB credentials. Add a new ACL to auth.conf that was
+    introduced in Puppet 3.

 release/003.036 (2014-09-10)


--- a/manifests/puppetclient.pp
+++ b/manifests/puppetclient.pp
@@ -113,7 +113,7 @@ class base::puppetclient {
  # vulnerability that could unauthenticated Puppet nodes to manipulate
  # its configuration.
  file { '/etc/puppet/auth.conf':
-    source => 'puppet:///modules/base/puppetclient/etc/puppet/auth.conf',
+    content => template('base/puppetclient/auth.conf.erb'),
  }

  # filter-syslog rules for the Puppet client.

--- a/files/puppetclient/etc/puppet/auth.conf
+++ b/files/puppetclient/etc/puppet/auth.conf
@@ -48,6 +48,13 @@
 ### Authenticated ACL - those applies only when the client
 ### has a valid certificate and is thus authenticated

+<% if (puppetversion.gsub(/\./, '').to_i >= 300) -%>
+# allow nodes to retrieve their own node definition (new in Puppet 3)
+path ~ ^/node/([^/]+)$
+method find
+allow $1
+<% end -%>
+
 # allow nodes to retrieve their own catalog (ie their configuration)
 path ~ ^/catalog/([^/]+)$
 method find