Issue #2531 has been updated by Nigel Kersten.
"no fix" essentially breaks everyone who doesn't have a period in their certnames for 0.25.0 which would be a major regression from our point of view and breaks anyone who is integrating with a PKI that doesn't rely upon domain name style certnames.

My vote is most assuredly for a partial fix, and I'm happy to revisit this code post 0.25.0 for a cleanup, although Brice may beat us all to it...

----------------------------------------
Bug #2531: opaque strings don't match for catalog retrieval via REST auth system
http://projects.reductivelabs.com/issues/2531

Author: Nigel Kersten
Status: Accepted
Priority: High
Assigned to: Nigel Kersten
Category: settings
Target version: 0.25.0
Complexity: Trivial
Affected version: 0.25.0
Keywords:

This is different, but still related to #2348 in a way.

<pre>
root# puppetd -t --server testserver.mydomain --masterport 8140 --certname foobar.mydomain
info: Caching catalog for foobar.mydomain.com
info: Applying configuration version '1250128881'
notice: Finished catalog run in 0.01 seconds
root# puppetd -t --server testserver.mydomain --masterport 8140 --certname c216f41a-f902-4bfb-a222-850dd957bebb
err: Could not retrieve catalog from remote server: Error 403 on SERVER: Forbidden request: c216f41a-f902-4bfb-a222-850dd957bebb(x.x.x.x) access to /catalog/c216f41a-f902-4bfb-a222-850dd957bebb [find] authenticated at line 52
info: Not using expired catalog for c216f41a-f902-4bfb-a222-850dd957bebb from cache; expired at Wed Aug 12 18:54:49 -0700 2009
notice: Using cached catalog
err: Could not retrieve catalog; skipping run
</pre>

If I switch auth.conf from:

<pre>
# allow nodes to retrieve their own catalog (ie their configuration)
path ~ ^/catalog/([^/]+)$
method find
allow $1
</pre>

to:

<pre>
# allow nodes to retrieve their own catalog (ie their configuration)
path ~ ^/catalog/([^/]+)$
method find
allow *
</pre>

then it works happily.
I've just found a cluster of bugs together, so reporting this without more detail until I have time to look into it.
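
The behaviour the report expects from the `allow $1` rule, next to what the `allow *` change permits, as an added Ruby example that is not part of the original message and is not Puppet's own code. It models one auth.conf rule in which the backreference is compared to the authenticated certname as an exact, opaque string; `Rule`, `authorized?` and `report` are hypothetical names, and the certnames are the ones quoted in the report.

```ruby
# Added example, not Puppet's code. Rule, authorized? and report are
# hypothetical names modelling a single auth.conf rule.
Rule = Struct.new(:path, :verb, :allow) do
  # True if the authenticated certname may make this request under the rule.
  def authorized?(certname, request_path, request_verb)
    return false unless request_verb == verb
    captures = path.match(request_path)
    return false unless captures
    return true if allow == '*' # any authenticated node passes

    # Expand $1, $2, ... from the path regex, then compare as an opaque
    # string: exact equality, with no assumption that names contain a dot.
    expected = allow.gsub(/\$(\d+)/) { captures[Regexp.last_match(1).to_i].to_s }
    expected == certname
  end
end

PATH = %r{^/catalog/([^/]+)$}               # path regex from the page
OWN_ONLY   = Rule.new(PATH, :find, '$1')    # rule as originally written
WORKAROUND = Rule.new(PATH, :find, '*')     # rule after the change

UUID = 'c216f41a-f902-4bfb-a222-850dd957bebb' # certname from the page
FQDN = 'foobar.mydomain'                      # certname from the page

# Each row: [requester, catalog owner, allowed by $1 rule, allowed by * rule]
def report
  [[UUID, UUID], [FQDN, FQDN], [FQDN, UUID]].map do |who, owner|
    path = "/catalog/#{owner}"
    [who, owner,
     OWN_ONLY.authorized?(who, path, :find),
     WORKAROUND.authorized?(who, path, :find)]
  end
end

report.each { |row| puts row.join("\t") }
```

The last row is the cost of the `allow *` rule: one authenticated node can request another node's catalog, which the `$1` rule refuses.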
