Zane Williamson
2013-Mar-12 15:50 UTC
[Puppet Users] PuppetDB http web interface user access
Hi All,

Has anyone figured out a nice way to restrict user access to puppetdb's http web interface? Such as a .htaccess method or something similar? I would prefer something along those lines instead of setting up firewall rules.

-Zane

Ken Barber
2013-Mar-12 17:40 UTC
Re: [Puppet Users] PuppetDB http web interface user access
I think most people are implementing either an Apache or NGinx proxy in front of PuppetDB for this purpose.

For Apache, should be pretty easy to do with proxy based RewriteRule's in Apache, and within the same virtualhost definition you should be able to enforce authentication. For example:

    <VirtualHost *:80>
        RewriteEngine on
        RewriteRule /(.*) http://localhost:8080/$1 [P,L]

        <Location />
            AuthType Basic
            AuthName "Restricted Files"
            AuthBasicProvider file
            AuthUserFile /etc/httpd/basic.pwd
            Require user ken
        </Location>
    </VirtualHost>

This is at least a start anyway. More custom redirections and handling can be rolled obviously.

ken.

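A hardened variant of the vhost above, as an added example that is not part of the original thread: it keeps the same proxy and Basic-auth approach but serves it over TLS, because Basic credentials sent to a port 80 vhost cross the network unencrypted. The server name and certificate paths are placeholders, and ProxyPass is used here in place of the proxying RewriteRule.

```apache
# Added example: hardened variant of the proxy-plus-Basic-auth vhost.
# puppetdb.example.com and the certificate paths are placeholders.
# Needs mod_ssl, mod_proxy, mod_proxy_http, mod_auth_basic, mod_authn_file.

# Plain HTTP only redirects; no credentials are ever requested here.
<VirtualHost *:80>
    ServerName puppetdb.example.com
    Redirect permanent / https://puppetdb.example.com/
</VirtualHost>

<VirtualHost *:443>
    ServerName puppetdb.example.com

    # Basic auth sends the password base64-encoded, not encrypted,
    # on every request, so it is only offered over TLS.
    SSLEngine on
    SSLCertificateFile    /path/to/puppetdb.example.com.crt
    SSLCertificateKeyFile /path/to/puppetdb.example.com.key

    # Reverse proxy only; never act as a forward proxy.
    ProxyRequests Off

    # Same loopback backend as in the thread. The auth below protects
    # PuppetDB only if port 8080 is not reachable from other hosts directly.
    ProxyPass        / http://localhost:8080/
    ProxyPassReverse / http://localhost:8080/

    <Location />
        AuthType Basic
        AuthName "PuppetDB"
        AuthBasicProvider file
        # Password file path from the thread; keep it outside any
        # DocumentRoot and readable only by root and the Apache user.
        AuthUserFile /etc/httpd/basic.pwd
        Require valid-user
    </Location>
</VirtualHost>
```

A quick check after reloading Apache: a request without credentials should get a 401 from the proxy, and a request to port 8080 from another host should fail to connect.
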
Zane Williamson
2013-Mar-13 04:11 UTC
Re: [Puppet Users] PuppetDB http web interface user access
Good call. The advice was wise! I had some issues using RewriteEngine (probably how I have Apache set up), but instead went with ProxyPass and it is working well.

    <VirtualHost *:80>
        ProxyPass / http://localhost:8080/
        <Location />
            AuthType basic
            AuthName "Restrited Files"
            AuthBasicProvider file
            AuthUserFile /etc/apache2/passw
            Require valid-user
        </Location>
    </VirtualHost>

Ken Barber
2013-Mar-13 04:40 UTC
Re: [Puppet Users] PuppetDB http web interface user access
Great! I'm more of a fan of RewriteRule because when you're mixing it with rewrites the ordering is more obvious, but in this case ProxyPass works well enough. Looks like you're using Debian, do you have to use a2enmod perhaps to get RewriteRule to work?

Either way thanks for sharing the config that works for you.

ken.

Zane Williamson
2013-Mar-13 05:34 UTC
Re: [Puppet Users] PuppetDB http web interface user access
Ah yes, that was probably the issue, forgot to use a2enmod for rewriterule! Appreciate your input on this.

-Zane