All,

I'm just getting started with puppet, so excuse any lack of vocabulary
in this email.

I've got a server (CentOS 5.4) running with a little more than the
example puppet configuration.  Importantly, I'm using the supplied
auth.conf, and the relevant portion looks like this:
    path ~ ^/catalog/([^/]+)$
    method find
    allow $1

I just created a new VM as a puppet client (also CentOS 5.4), which
calls itself ib3stage.domainI. (with trailing dot).  When it tries to
sync for the first time, I get this on the client:

-bash-3.2# puppetd --waitforcert 60 --test --server puppet.domainB.
err: Could not retrieve catalog from remote server: Error 403 on SERVER: Forbidden request: ib3stage.domainI.(10.0.12.15) access to /catalog/ib3stage.domainI. [find] authenticated  at line 0
warning: Not using cache on failed catalog
err: Could not retrieve catalog; skipping run

The server shows this:

info: access[^/catalog/([^/]+)$]: allowing 'method' find
info: access[^/catalog/([^/]+)$]: allowing $1 access
info: access[/certificate_revocation_list/ca]: allowing 'method' find
info: access[/certificate_revocation_list/ca]: allowing * access
info: access[/report]: allowing 'method' save
info: access[/report]: allowing * access
info: access[/file]: allowing * access
info: access[/certificate/ca]: adding authentication no
info: access[/certificate/ca]: allowing 'method' find
info: access[/certificate/ca]: allowing * access
info: access[/certificate/]: adding authentication no
info: access[/certificate/]: allowing 'method' find
info: access[/certificate/]: allowing * access
info: access[/certificate_request]: adding authentication no
info: access[/certificate_request]: allowing 'method' find
info: access[/certificate_request]: allowing 'method' save
info: access[/certificate_request]: allowing * access
info: access[/]: adding authentication any
info: access[^/catalog/([^/]+)$]: defaulting to no access for ib3stage.domainB.
warning: Denying access: Forbidden request: ib3stage.domainI.(10.0.12.15) access to /catalog/ib3stage.domainI. [find] authenticated  at line 52
err: Forbidden request: ib3stage.domainI.(10.0.12.15) access to /catalog/ib3stage.domainI. [find] authenticated  at line 52

If I convince the client that it is "ib3stage.domainI" (no dot),
everything works as expected.  Likewise, if I change the third line of
my auth.conf stanza from above to "allow*", it works, though I don't
want to continue to run like that.

Can any of you reproduce this?  Discussion in IRC was that this seemed
like a bug, but I'd like a sanity check before I file one.  It was
suggested that a fix to facter could help with this (to strip trailing
dot?), but I would guess that this is a server-side thing.

Thank you.
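
Added example (not part of the original message and not Puppet code): a log triage script that separates the kind of denial reported above, where a client is refused its own catalog, from denials where one node asks for another node's catalog, which is what the "allow $1" rule is meant to block. The log lines are constructed in the format shown in the post; the example.test hosts and the verdict labels are assumptions made for illustration.

```python
import re

# Constructed sample input: denial lines in the format shown in the post,
# each joined onto a single line. Only the first host name comes from the post.
SAMPLE_LOG = """\
warning: Denying access: Forbidden request: ib3stage.domainI.(10.0.12.15) access to /catalog/ib3stage.domainI. [find] authenticated  at line 52
warning: Denying access: Forbidden request: web1.example.test(10.0.12.16) access to /catalog/db1.example.test [find] authenticated  at line 52
warning: Denying access: Forbidden request: app1.example.test(10.0.12.17) access to /catalog/app1.example.test. [find] authenticated  at line 52
info: access[/report]: allowing * access
"""

DENIAL = re.compile(
    r"Forbidden request: (?P<name>\S+?)\s*\((?P<ip>[\d.]+)\) "
    r"access to (?P<path>/\S*) \[(?P<method>\w+)\]"
)
CATALOG_PATH = re.compile(r"^/catalog/([^/]+)$")  # pattern from the auth.conf stanza


def classify(line):
    """Return (client, requested_node, verdict) for a catalog denial, else None."""
    m = DENIAL.search(line)
    if not m:
        return None
    c = CATALOG_PATH.match(m.group("path"))
    if not c:
        return None
    client, requested = m.group("name"), c.group(1)
    if client == requested:
        # Client asked for its own catalog, so "allow $1" was expected to match.
        verdict = "own-catalog-denied"
        if client.endswith("."):
            verdict += "-trailing-dot"
    elif client.rstrip(".").lower() == requested.rstrip(".").lower():
        verdict = "differs-only-by-dot-or-case"
    else:
        # One node asking for another node's catalog: the rule is doing its job.
        verdict = "other-node-catalog"
    return client, requested, verdict


def triage(log_text):
    """Classify every catalog denial in a block of puppetmaster log text."""
    return [r for r in map(classify, log_text.splitlines()) if r]


if __name__ == "__main__":
    for client, requested, verdict in triage(SAMPLE_LOG):
        print(f"{verdict:32} client={client} requested={requested}")
```

Only the "own-catalog-denied" and "differs-only-by-dot-or-case" verdicts point at a name-matching problem; "other-node-catalog" denials are the expected outcome of the rule.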
