Provide an example authorization rule for Puppet Enterprise? #18

Open
ciranor opened this issue Jul 11, 2023 · 2 comments

Comments


ciranor commented Jul 11, 2023

Affected Puppet, Ruby, OS and module versions/distributions

I'm running Puppet Enterprise 2021.7.1 on CentOS. I'm trying to implement this module to handle certificate renewal. I've set it up in our code repo with this on the agents:

  puppet_certificate {
    $trusted['certname']:
      ensure               => 'valid',
      clean                => true,
      onrefresh            => 'regenerate',
      renewal_grace_period => 30,
      waitforcert          => 60,
  }

And this Puppet code to apply to the Puppet master servers, based on the example in the README:

  pe_puppet_authorization::rule {
    'delete-self-certificate':
      match_request_path         => '^/puppet-ca/v1/certificate(_status|_request)?/([^/]+)$',
      match_request_type         => 'regex',
      match_request_method       => 'delete',
      match_request_query_params => {'environment' => [ 'master', 'cert_renewal_test' ]},
      allow                      => '$2',
      sort_order                 => 500,
      path                       => '/etc/puppetlabs/puppetserver/conf.d/auth.conf',
      notify                     => Service['pe-puppetserver'],
  }

I've played around with the sort_order, but there's an existing authorization rule in Puppet Enterprise ('puppetlabs certificate status') which is on the same match_request_path, and, depending on whether I supply a sort_order value that's lower or higher than the existing rule, the client either gets an HTTP/403 "denied by rule" message, or the server appears to break itself because it's not permitted to access the certificate_status URL.

Is there a code recipe example which can be supplied which should make this module work on Puppet Enterprise? (Or is there a problem with applying these authorization rules on PE?)


h0tw1r3 commented Aug 10, 2023

@ciranor according to the README, you'll need to patch /opt/puppetlabs/puppet/modules/puppet_enterprise/manifests/profile/certificate_authority.pp. I use a patch module to help automate that.


h0tw1r3 commented Sep 18, 2023

@ciranor

Here's a solution that does not require patching the PE manifest code:

Pe_puppet_authorization::Rule <| title == 'puppetlabs certificate status' |> {
  match_request_path => '^/puppet-ca/v1/certificate_status/([^/]+)?$',
  match_request_type => 'regex',
  allow              +> ['$1'],
}
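To see why the override above works, and why sort_order decides which of two overlapping rules is consulted, here is a small Python model of how puppetserver evaluates auth.conf rules. This is an added example, not code from this issue or from the module: the certnames are constructed, the allow list used as a stand-in for PE's stock rule is an assumption, and query-parameter matching is omitted. The first rule (lowest sort_order) whose match-request fits decides the outcome, and `$1` in an allow entry is replaced by the regex capture from the request path.

```python
import re
from dataclasses import dataclass

@dataclass
class Rule:
    # One auth.conf rule: match-request path/type/methods plus its allow list.
    name: str
    path: str
    path_type: str = "path"     # "path" = prefix match, "regex" = regular expression
    methods: tuple = ("get", "put", "delete")
    allow: tuple = ()
    sort_order: int = 500
    def match(self, method, request_path):
        # Capture groups (tuple) when the request matches this rule, else None.
        if method.lower() not in self.methods:
            return None
        if self.path_type == "regex":
            m = re.search(self.path, request_path)
            return m.groups() if m else None
        return () if request_path.startswith(self.path) else None

def expand(entry, groups):
    # Replace $1, $2 ... in an allow entry with the captured path segments.
    return re.sub(r"\$(\d+)", lambda m: groups[int(m.group(1)) - 1] or "", entry)

def authorize(rules, certname, method, request_path):
    # The first matching rule in sort_order decides; later rules are never consulted.
    for rule in sorted(rules, key=lambda r: (r.sort_order, r.name)):
        groups = rule.match(method, request_path)
        if groups is None:
            continue
        allowed = {expand(a, groups) for a in rule.allow}
        verdict = "allowed" if "*" in allowed or certname in allowed else "denied"
        return f"{verdict} by rule '{rule.name}'"
    return "denied: no rule matched"
# Stand-in for PE's stock rule (its real allow list differs; this one is constructed).
STOCK = Rule("puppetlabs certificate status", "/puppet-ca/v1/certificate_status",
             allow=("pe-internal-orchestrator",))
# Same rule after the collector override: regex path capturing the certname, '$1' added to allow.
OVERRIDDEN = Rule("puppetlabs certificate status",
                  r"^/puppet-ca/v1/certificate_status/([^/]+)?$", path_type="regex",
                  allow=("pe-internal-orchestrator", "$1"))
def outcomes(node="web01.example", other="db01.example"):
    # Same DELETE requests against the stock rule and the overridden one (certnames constructed).
    own_path, other_path = [f"/puppet-ca/v1/certificate_status/{n}" for n in (node, other)]
    return {
        "stock_delete_own": authorize([STOCK], node, "delete", own_path),
        "override_delete_own": authorize([OVERRIDDEN], node, "delete", own_path),
        "override_delete_other": authorize([OVERRIDDEN], node, "delete", other_path),
    }
```

With the override, a node may delete only the certificate_status entry matching its own certname; any other node's entry still falls to the internal-service allow list and is denied by the same rule.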
