Issue #7057 has been updated by Nigel Kersten.

Status changed from Needs Decision to Accepted
Assignee deleted (Nigel Kersten)
Target version set to 2.7.x

The first option sounds reasonable.

----------------------------------------
Bug #7057: Insertion of default ACLs can be blocked by unrelated ACLs in auth.conf
https://projects.puppetlabs.com/issues/7057

Author: Nick Fagerlund
Status: Accepted
Priority: Normal
Assignee:
Category:
Target version: 2.7.x
Affected Puppet version:
Keywords:
Branch:

Quick recap:

* For REST access, ACLs are tested linearly. Matching stops at the first matching ACL.
* When testing whether an ACL matches, the **path, method, environment,** and **auth** are equal peers; if any of them don't match, the ACL isn't relevant to the current request.
* The default ACLs get inserted AFTER all of the ACLs in the `rest_authconfig` (auth.conf) file.
* If a default ACL is duplicated and overridden somewhere in auth.conf, Puppet will not insert that default ACL.

And now for the problem, which is that when deciding whether to skip a default ACL, Puppet _does not test whether the two ACLs would match the same requests._ Instead, it just compares the path. Thus, the following ACL, intended to allow one authenticated host to inspect the pending certificate requests:

    path /certificate_request
    auth yes
    method find, search
    allow magpie.lan

...will disallow all incoming certificate requests by overriding the default `certificate_request; auth no; method find, save; allow all` ACL, even though the sets of requests they match don't intersect at any point.

This is bad, and seems magical enough that it's tricky to debug. Two tentative suggestions are that we can:

* Append all of the default ACLs all the time. Overridden ACLs will then work as expected, because lookup proceeds linearly with auth.conf getting the first shot; if you override a default, it'll effectively mask the default because no requests will survive long enough to reach it. (The current don't-insert behavior seems to be based around a mistaken belief that auth.conf works similarly to fileserver.conf.)
* Cease to append default ACLs except for the `path /; auth any` denial rule; ship a working auth.conf and expect that things will blow up if you delete it. We'll need some way to restore a default ACL when users do something silly.
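
The lookup described in the recap, as an added Ruby model (not Puppet's code and not part of the original message), comparing the reported path-only skip with the first suggestion of always appending the defaults. The `ACL` struct, the helper names, prefix path matching, `"*"` standing for "allow all", and the sample requests are assumptions made for this example; environment matching is left out.

```ruby
# Simplified model of the REST ACL lookup from the issue; not Puppet's implementation.
ACL = Struct.new(:path, :auth, :methods, :allow) do
  # Path, method and auth are equal peers: all must match for the ACL to apply.
  def applies_to?(req)
    req[:path].start_with?(path) &&          # prefix match (assumption)
      methods.include?(req[:method]) &&
      (auth == :any || (auth == :yes) == req[:authenticated])
  end

  def allows?(host)
    allow.include?("*") || allow.include?(host)
  end
end

# Default quoted in the issue: certificate_request; auth no; method find, save; allow all
DEFAULTS = [ACL.new("/certificate_request", :no, %w[find save], ["*"])].freeze

# Reported behaviour: a default is skipped when any auth.conf ACL has the same path.
def insert_by_path_only(user_acls)
  user_acls + DEFAULTS.reject { |d| user_acls.any? { |u| u.path == d.path } }
end

# First suggestion in the issue: always append every default after auth.conf.
def insert_always(user_acls)
  user_acls + DEFAULTS
end

# Linear lookup: the first applicable ACL decides; no applicable ACL means denied.
def allowed?(acls, req)
  acl = acls.find { |a| a.applies_to?(req) }
  !acl.nil? && acl.allows?(req[:host])
end

# The auth.conf entry from the issue: magpie.lan may inspect pending requests.
USER_ACLS = [ACL.new("/certificate_request", :yes, %w[find search], ["magpie.lan"])].freeze

# Constructed sample requests (host names other than magpie.lan are made up).
CSR_SUBMIT = { path: "/certificate_request/newagent.lan", method: "save",
               authenticated: false, host: "newagent.lan" }.freeze
CSR_SEARCH = { path: "/certificate_request/all", method: "search",
               authenticated: true, host: "magpie.lan" }.freeze

if __FILE__ == $PROGRAM_NAME
  { "path-only skip" => insert_by_path_only(USER_ACLS),
    "always append"  => insert_always(USER_ACLS) }.each do |name, acls|
    puts "#{name}: submit=#{allowed?(acls, CSR_SUBMIT)} search=#{allowed?(acls, CSR_SEARCH)}"
  end
end
```

With the path-only skip the unauthenticated certificate request is denied because no ACL applies to it; with always-append it reaches the default, while a genuine override placed in auth.conf still wins because it is tested first.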
