On Tue, Nov 22, 2011 at 1:29 PM, Nick Lewis <n...@puppetlabs.com> wrote:
> On Tuesday, November 22, 2011 at 11:05 AM, Carl Caum wrote:
> > On Mon, Nov 21, 2011 at 11:21 PM, Nick Lewis <n...@puppetlabs.com> wrote:
> > > On Mon, Nov 21, 2011 at 9:01 PM, Carl Caum <c...@puppetlabs.com> wrote:
> > > > I have a question about using the inventory service's REST API. I have
> > > > this code: http://pastie.org/2901445
> > > >
> > > > It uses the default OpenSSL::SSL::VERIFY_PEER but the peer certificate
> > > > auth fails. I believe it's because I'm not using the puppet agent's
> > > > certificate to connect to the master. How do I do that?
> > > >
> > > > This is the relevant auth.conf section:
> > > >
> > > > path /facts
> > > > auth yes
> > > > method find, search
> > > > allow puppetagent.localdomain
> > > >
> > > > I get this from the response:
> > > > Forbidden request: localhost.localdomain(127.0.0.1) access to
> > > > /facts/search [search] at line 98
> > > >
> > > > I get this error regardless if I don't auth and allow all in the
> > > > auth.conf
> > >
> > > It definitely looks like it's not reading the agent's cert, or it
> > > would say authenticated. This is probably because you're using the
> > > default run mode of user, when you mean to be using agent, so you're
> > > getting the default certname, for which you have no cert. If you
> > > implement this as a face, setting run mode is easy. Otherwise, you can
> > > try setting $puppet_application_mode = Puppet::Util::RunMode[:agent]
> > > and see if that works. Alternately, you could set certname and server
> > > in the [user] section of your puppet.conf.
> >
> > I went ahead and made the code into a face and yes, it's sending the
> > correct certificate now.
> > However, I'm getting a 'Forbidden Request' error:
> > Denying access: Forbidden request: puppetagent.localdomain(127.0.0.1)
> > access to /facts/search [search] authenticated at line 98
> >
> > Yet, I'm allowing search to everything in /facts. Same error if I do
> > 'path /facts/search'
> >
> > path /facts
> > auth yes
> > method find, search
> > allow puppetagent.localdomain
>
> The path for this should be either /facts_search/search or /factss/search.
> The pluralization (yep, _search is pluralization) means we're searching
> rather than finding. I would still sort of expect this to work, though,
> because you did say path /facts which is a prefix of the actual path.
> However, I'm not actually sure how smart the auth code is about
> interpreting what the path means, versus just doing pattern matching.
>
> Can you post the code you're using now?

I've tried the above paths. Same error. Here's the code:
http://pastie.org/2905092
The clean_cert method is the one I'm working on. The http_request method is
a generic handler built in to Cloud Provisioner.

> > - Carl Caum
> > (615) 653-0887

--
You received this message because you are subscribed to the Google Groups "Puppet Developers" group.
To post to this group, send email to puppet-dev@googlegroups.com.
To unsubscribe from this group, send email to puppet-dev+unsubscr...@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/puppet-dev?hl=en.
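
The thread turns on which client certificate the master sees (localhost.localdomain unauthenticated versus puppetagent.localdomain authenticated). The following is an added example, not code from the thread or from Puppet: a pre-flight check in Ruby that confirms the certificate and key belong together and carry the name auth.conf allows, then builds a Net::HTTP client that presents them while keeping VERIFY_PEER. The helper names, host name and CA path are hypothetical, and the certificate is a constructed self-signed sample.

```ruby
require 'net/http'
require 'openssl'

# Return the CN of a certificate's subject, or nil if it has none.
def cert_common_name(cert)
  entry = cert.subject.to_a.find { |name, _value, _type| name == 'CN' }
  entry && entry[1]
end

# Hypothetical helper: build an HTTPS client that presents a client
# certificate and still verifies the server (VERIFY_PEER). It refuses to
# build the client when the key does not match the certificate or when the
# certificate's CN is not the name the auth.conf "allow" line expects.
def inventory_client(host, port, cert, key, ca_file, allowed_name)
  unless cert.check_private_key(key)
    raise ArgumentError, 'private key does not match certificate'
  end
  cn = cert_common_name(cert)
  unless cn == allowed_name
    raise ArgumentError, "certificate CN #{cn.inspect} is not #{allowed_name.inspect}"
  end

  http = Net::HTTP.new(host, port)            # no connection is opened yet
  http.use_ssl = true
  http.verify_mode = OpenSSL::SSL::VERIFY_PEER # keep server verification on
  http.ca_file = ca_file                       # CA that signed the master's cert
  http.cert = cert                             # client identity sent to the master
  http.key = key
  http
end

# Constructed sample identity (self-signed) so the example runs offline.
# A real agent would load its own PEM files from its ssl directory instead.
def sample_identity(common_name)
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  cert.subject = OpenSSL::X509::Name.parse("/CN=#{common_name}")
  cert.issuer = cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  [cert, key]
end
```
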