PuppetDB http web interface user access


Zane Williamson

Mar 12, 2013, 11:50:06 AM
to puppet...@googlegroups.com
Hi All,

Has anyone figured out a nice way to restrict user access to puppetdb's http web interface? Such as a .htaccess method or something similar? I would prefer something along those lines instead of setting up firewall rules.

-Zane

Ken Barber

Mar 12, 2013, 1:40:01 PM
to Puppet Users
I think most people are implementing either an Apache or Nginx proxy
in front of PuppetDB for this purpose.

For Apache, it should be pretty easy to do with proxy-based RewriteRules
in Apache, and within the same virtualhost definition you should be
able to enforce authentication. For example:

<VirtualHost *:80>
    RewriteEngine on
    RewriteRule /(.*) http://localhost:8080/$1 [P,L]

    <Location />
        AuthType Basic
        AuthName "Restricted Files"
        AuthBasicProvider file
        AuthUserFile /etc/httpd/basic.pwd
        Require user ken
    </Location>
</VirtualHost>

This is at least a start anyway. More custom redirections and handling
can be rolled obviously.

ken.

Zane Williamson

Mar 13, 2013, 12:11:45 AM
to puppet...@googlegroups.com
Good call. The advice was wise! I had some issues using RewriteEngine (probably how I have Apache set up), but instead went with ProxyPass and it is working well.

<VirtualHost *:80>
    ProxyPass / http://localhost:8080/
    <Location />
    AuthType basic
    AuthName "Restrited Files"
    AuthBasicProvider file
    AuthUserFile /etc/apache2/passw
    Require valid-user
    </Location>
</VirtualHost>

Ken Barber

Mar 13, 2013, 12:40:46 AM
to Puppet Users
Great! I'm more of a fan of RewriteRule because when you're mixing it
with rewrites the ordering is more obvious, but in this case ProxyPass
works well enough. Looks like you're using Debian, do you have to use
a2enmod perhaps to get RewriteRule to work?

Either way thanks for sharing the config that works for you.

ken.

Zane Williamson

Mar 13, 2013, 1:34:13 AM
to puppet...@googlegroups.com
Ah yes, that was probably the issue, forgot to use a2enmod for rewriterule! Appreciate your input on this.


-Zane
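
Added example, not part of the original thread: the ProxyPass configuration discussed above, served over TLS so the Basic credentials are not sent in cleartext, with PuppetDB's own listener kept on loopback so clients cannot reach port 8080 directly and skip the proxy. The hostname, certificate paths and realm name are placeholders chosen for illustration.

```apache
# Added example. puppetdb.example.com and the certificate paths are placeholders.
# On Debian/Ubuntu the modules are enabled with: a2enmod ssl proxy proxy_http

# Port 80 only redirects; no credentials are ever requested over plain HTTP.
<VirtualHost *:80>
    ServerName puppetdb.example.com
    Redirect permanent / https://puppetdb.example.com/
</VirtualHost>

<VirtualHost *:443>
    ServerName puppetdb.example.com

    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/puppetdb.example.com.pem
    SSLCertificateKeyFile /etc/ssl/private/puppetdb.example.com.key

    # Reverse proxy only; never act as a forward proxy.
    ProxyRequests Off
    ProxyPass        / http://localhost:8080/
    ProxyPassReverse / http://localhost:8080/

    # Authentication is checked before the request is handed to the proxy.
    <Location />
        AuthType Basic
        AuthName "PuppetDB"
        AuthBasicProvider file
        AuthUserFile /etc/apache2/passw
        Require valid-user
    </Location>
</VirtualHost>

# PuppetDB side (jetty.ini, a separate file, shown here as comments):
# bind the cleartext listener to loopback so only the local proxy can reach it.
#   [jetty]
#   host = localhost
#   port = 8080
```

The password file referenced by AuthUserFile is created with `htpasswd` and should be readable only by the Apache user.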

