Config Files: auth.conf
Included in Puppet Enterprise 3.3. A newer version is available; see the version menu above for details.
Access to Puppet’s HTTPS API is configured in
About Puppet’s HTTPS API
When running in the standard agent/master arrangement, puppet agent nodes receive all of their configurations by contacting the puppet master over HTTPS. In general, a single configuration run includes:
- Fetching a node object (to read the node’s environment)
- Fetching plugins
- Requesting a catalog (and submitting the node’s facts as POST data in the request)
- Fetching file metadata and contents while applying the catalog
- Submitting a report after applying the catalog
All of these are provided as HTTPS services (sometimes called “endpoints”) by the puppet master server. Additionally, the puppet master provides other services, some of which are used less frequently by agent nodes (such as the CA services) and some of which shouldn’t be used by agent nodes at all (such as the
certificate_status service, which can sign and revoke certificates).
Since not all agent nodes should have access to all services, and since certain services should have restricted access (for example, nodes should not be able to request some other node’s configuration catalog), the puppet master keeps a list of access rules for all of its HTTPS services. These rules can be edited in
auth.conf file is located at
$confdir/auth.conf by default. Its location is configurable with the
The location of the
confdir varies; it depends on the OS, Puppet distribution, and user account. See the confdir documentation for details.
# Example auth.conf: path / auth true environment override allow magpie.example.com path /certificate_status auth true environment production allow magpie.example.com path /facts method save auth true allow magpie.example.com path /facts auth true method find, search allow magpie.example.com, dashboard.example.com, finch.example.com