51 lines
1.4 KiB
Plaintext
51 lines
1.4 KiB
Plaintext
authorization: {
|
|
version: 1
|
|
rules: [
|
|
{
|
|
# Allow unauthenticated access to the status service endpoint
|
|
match-request: {
|
|
path: "/status/v1/services"
|
|
type: path
|
|
method: get
|
|
}
|
|
allow-unauthenticated: true
|
|
sort-order: 500
|
|
name: "puppetlabs status service - full"
|
|
},
|
|
{
|
|
match-request: {
|
|
path: "/status/v1/simple"
|
|
type: path
|
|
method: get
|
|
}
|
|
allow-unauthenticated: true
|
|
sort-order: 500
|
|
name: "puppetlabs status service - simple"
|
|
},
|
|
{
|
|
# Allow nodes to access the metrics service
|
|
# for puppetdb, the metrics service is the only
|
|
# service using the authentication service
|
|
match-request: {
|
|
path: "/metrics"
|
|
type: path
|
|
method: [get, post]
|
|
}
|
|
allow: "*"
|
|
sort-order: 500
|
|
name: "puppetlabs puppetdb metrics"
|
|
},
|
|
{
|
|
# Deny everything else. This ACL is not strictly
|
|
# necessary, but illustrates the default policy
|
|
match-request: {
|
|
path: "/"
|
|
type: path
|
|
}
|
|
deny: "*"
|
|
sort-order: 999
|
|
name: "puppetlabs deny all"
|
|
}
|
|
]
|
|
}
|