Oh, sorry, you mention that you already found that changelog entry. I
misread that part.

On Mon, Oct 1, 2012 at 10:27 PM, Matthaus Owens <matth...@puppetlabs.com> wrote:
> In Puppet 3.x, allow directives are limited to hostnames; if you wish
> to allow an IP address, the allow_ip directive should be used. This
> was in response to CVE-2012-3408
> (http://puppetlabs.com/security/cve/cve-2012-3408/).
>
> On Mon, Oct 1, 2012 at 5:48 PM, Forrie <for...@gmail.com> wrote:
>> I've seen mention of this error in several places, with different causes.
>> So before I posted here, I attempted to resolve this on my own.
>>
>> I corrected the change from puppet:///files to puppet:/// in my manifests'
>> *.pp files.
>>
>> No changes were made to the auth.conf file, and I did note in the ChangeLog
>> that:
>>
>>> Auth.conf differentiates between names and IPs – There’s a new allow_ip
>>> keyword in auth.conf if you want to permit IP addresses. (PR991)
>>
>>
>> But I see no mention of that on the docs page at
>> http://docs.puppetlabs.com/guides/rest_auth_conf.html.
>>
>> Our auth.conf is simple, and basically has either "allow $1" or "allow *",
>> both of which appear to still be valid in 3.0.
>>
>> Here's an example, a simple example, an ntp.conf file:
>>
>> class ntp-client {
>>     file { "/etc/ntp.conf":
>>         owner   => root,
>>         group   => root,
>>         mode    => "0644",
>>         source  => "puppet:///etc/ntp.conf",
>>         require => [ Package["ntp"] ],
>>         notify  => Service["ntpd"],
>>     }
>>     package { "ntp":
>>         ensure => latest,
>>     }
>>     service { "ntpd":
>>         ensure     => running,
>>         hasrestart => true,
>>         subscribe  => File["/etc/ntp.conf"],
>>     }
>> } # ntp-client
>>
>>
>> The error I'm seeing in the puppet.log, on the client system:
>>
>>
>>> Oct  1 20:02:28 test-fms puppet-agent[11062]: Starting Puppet client
>>> version 2.7.17
>>> Oct  1 20:02:31 test-fms puppet-agent[11062]:
>>> (/Stage[main]/Ntp-client/File[/etc/ntp.conf]) Could not evaluate: Error 400
>>> on SERVER: Not authorized to call find on /file_metadata/etc/ntp.conf Could
>>> not retrieve file metadata for puppet:///etc/ntp.conf: Error 400 on SERVER:
>>> Not authorized to call find on /file_metadata/etc/ntp.conf at
>>> /etc/puppet/manifests/classes/ntp-client.pp:10
>>
>>
>>
>> The permissions from /etc/puppet/files are correct:
>>
>>> -rw-r--r--. 1 puppet puppet 446 Mar 31  2011 etc/ntp.conf
>>
>>
>> The client puppet.conf file doesn't have any custom references other than
>> the basics.
>>
>>> [main]
>>> server = ourpuppet.server.com
>>> vardir = /var/lib/puppet
>>> logdir = /var/log/puppet
>>> rundir = /var/run/puppet
>>> ssldir = $vardir/ssl
>>> [agent]
>>> classfile = $vardir/classes.txt
>>> localconfig = $vardir/localconfig
>>> syslogfacility = local4
>>> report = true
>>> listen = true
>>
>>
>> I ran puppet master in verbose mode and got these diagnostics:
>>
>> Starting Puppet master version 3.0.0
>> Info: access[^/catalog/([^/]+)$]: allowing 'method' find
>> Info: access[^/catalog/([^/]+)$]: allowing $1 access
>> Info: access[/certificate_revocation_list/ca]: allowing 'method' find
>> Info: access[/certificate_revocation_list/ca]: allowing * access
>> Info: access[/report]: allowing 'method' save
>> Info: access[/report]: allowing * access
>> Info: access[/file]: allowing * access
>> Info: access[/certificate/ca]: adding authentication no
>> Info: access[/certificate/ca]: allowing 'method' find
>> Info: access[/certificate/ca]: allowing * access
>> Info: access[/certificate/]: adding authentication no
>> Info: access[/certificate/]: allowing 'method' find
>> Info: access[/certificate/]: allowing * access
>> Info: access[/certificate_request]: adding authentication no
>> Info: access[/certificate_request]: allowing 'method' find
>> Info: access[/certificate_request]: allowing 'method' save
>> Info: access[/certificate_request]: allowing * access
>> Info: access[/]: adding authentication any
>> Info: Inserting default '~ ^/node/([^/]+)$' (auth true) ACL
>> Info: Inserting default '/status' (auth true) ACL
>> Warning: Host is missing hostname and/or domain: one-host.ourdomain.com
>> Compiled catalog for one-host.ourdomain.com in environment production in
>> 1.16 seconds
>> Info: mount[files]: allowing 10.101.0.0/24 access
>> Error: Error parsing fileserver configuration: wrong number of arguments (3
>> for 1); using old configuration
>> Error: Not authorized to call find on /file_metadata/etc/ntp.conf
>> Error: Not authorized to call find on /file_metadata/etc/sudoers
>> Error: Not authorized to call find on
>> /file_metadata/files/etc/ssh/ssh_known_hosts
>> Error: Not authorized to call find on
>> /file_metadata/files/etc/ssh/sshd_config
>> Error: Not authorized to call find on
>> /file_metadata/etc/puppet/namespaceauth.conf
>> Error: Not authorized to call find on
>> /file_metadata/etc/puppet/puppet.conf.agent
>> Error: Not authorized to call find on /file_metadata/etc/puppet/auth.conf
>> Error: Not authorized to call find on /file_metadata/etc/resolv.conf.test
>>
>> I reviewed the docs at http://docs.puppetlabs.com/guides/file_serving.html
>> and our config looks fine.
>>
>> Reading through the issue at http://projects.puppetlabs.com/issues/16667,
>> I'm not clear what the fix actually is.  But, our config has been unaltered.
>> We have unused modules in the /etc/puppet/modules directory, where most of
>> the little stuff has been in /etc/puppet/manifests, referenced in site.pp
>> by:
>>
>>> import "classes/*"
>>> import "nodes.pp"
>>
>>
>> And it's worked thus far.
>>
>> In the example above, with ntp-client, it's just a simple little
>> ntp-client.pp file that references a file that should be transferred, nothing
>> more.  So I don't see how or why that wouldn't work as-is.
>>
>> The error above:
>>
>>> Error: Error parsing fileserver configuration: wrong number of arguments
>>> (3 for 1); using old configuration
>>
>>
>> Doesn't make any sense to me, as our config seems to be in line with the
>> docs:
>>
>> The fileserver.conf file is pretty simple:
>>
>>> [files]
>>> path    /etc/puppet/files
>>> allow   10.101.0.0/24
>>> allow   10.103.0.0/24
>>
>>
>>
>>  In the log above, clearly the connection is authorized.
>>
>>> Info: mount[files]: allowing 10.101.0.0/24 access
>>
>>
>> I'm not sure of the reference to the error "Warning: Host is missing
>> hostname and/or domain" as it's clearly a FQHN (yes, I edited it here).
>>
>> So I'm pretty stumped here. Our only other option is to just downgrade
>> back to 2.7.x and wait for these issues to get worked out.
>>
>> Any pointers would be appreciated.
>>
>>
>> Thanks.
>>
>> --
>> You received this message because you are subscribed to the Google Groups
>> "Puppet Users" group.
>> To view this discussion on the web visit
>> https://groups.google.com/d/msg/puppet-users/-/RuqTerxKHxMJ.
>> To post to this group, send email to puppet-users@googlegroups.com.
>> To unsubscribe from this group, send email to
>> puppet-users+unsubscr...@googlegroups.com.
>> For more options, visit this group at
>> http://groups.google.com/group/puppet-users?hl=en.
>
>
>
> --
> Matthaus Owens
> Release Manager, Puppet Labs



-- 
Matthaus Owens
Release Manager, Puppet Labs
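The reply above gives the rule for Puppet 3.x: "allow" takes hostnames (or certname patterns such as "$1" and "*"), and addresses or CIDR ranges must move to "allow_ip", which is also what the quoted changelog line means by auth.conf differentiating between names and IPs. The fileserver.conf in the thread has two "allow 10.x.0.0/24" lines, which is exactly the shape that no longer parses. The following is an added example, not code from the thread or from Puppet Labs: a small linter that walks a fileserver.conf or auth.conf, finds "allow" lines whose values parse as IP addresses or networks, and rewrites them to "allow_ip" (splitting mixed hostname/address lines into two directives). Its heuristic, "anything that parses as an address or network belongs under allow_ip", and the assumption that fileserver.conf accepts allow_ip in the same way the reply describes for auth.conf, are this example's own; the sample configs are constructed, the first one copied from the thread.

```python
"""
Lint Puppet 'allow' directives for the Puppet 3.x hostname/IP split.

Added example for this thread, not code from Puppet Labs. It assumes what
the reply states: under Puppet 3.x 'allow' takes only hostnames or certname
patterns, and addresses or CIDR ranges belong under 'allow_ip'. The
heuristic "anything that parses as an IP address or network belongs under
allow_ip" is this example's assumption.
"""
import ipaddress
import re

# Constructed sample: the [files] mount quoted in the thread.
SAMPLE_FILESERVER_CONF = """\
[files]
path    /etc/puppet/files
allow   10.101.0.0/24
allow   10.103.0.0/24
"""

# Constructed sample in auth.conf style: a regex backreference, a wildcard,
# a bare CIDR, and a mixed hostname/address line (hostnames are made up).
SAMPLE_AUTH_CONF = """\
path ~ ^/catalog/([^/]+)$
method find
allow $1

path /file
allow *

path /report
method save
allow 192.0.2.0/24
allow reports.example.com, 198.51.100.7
"""

_DIRECTIVE = re.compile(r"^\s*(allow|allow_ip|deny)\s+(.+?)\s*$")


def looks_like_ip(value: str) -> bool:
    """True if value parses as an IPv4/IPv6 address or network (CIDR)."""
    try:
        ipaddress.ip_network(value, strict=False)
        return True
    except ValueError:
        return False


def split_allow(line: str):
    """For an 'allow' line, return the Puppet 3.x replacement lines:
    hostnames/patterns stay under 'allow', addresses move to 'allow_ip'.
    Returns None when the line needs no change (not an 'allow' line, or
    no address-shaped values on it)."""
    m = _DIRECTIVE.match(line)
    if not m or m.group(1) != "allow":
        return None
    indent = line[: len(line) - len(line.lstrip())]
    values = [v.strip() for v in m.group(2).split(",") if v.strip()]
    ips = [v for v in values if looks_like_ip(v)]
    if not ips:
        return None
    names = [v for v in values if not looks_like_ip(v)]
    replacement = []
    if names:
        replacement.append(f"{indent}allow {', '.join(names)}")
    replacement.append(f"{indent}allow_ip {', '.join(ips)}")
    return replacement


def lint(text: str):
    """Return (findings, rewritten_text). Each finding is
    (line_number, original_line, replacement_lines)."""
    findings, out = [], []
    for n, line in enumerate(text.splitlines(), start=1):
        replacement = split_allow(line)
        if replacement is None:
            out.append(line)
        else:
            findings.append((n, line, replacement))
            out.extend(replacement)
    return findings, "\n".join(out) + "\n"


if __name__ == "__main__":
    for name, conf in (("fileserver.conf", SAMPLE_FILESERVER_CONF),
                       ("auth.conf", SAMPLE_AUTH_CONF)):
        findings, fixed = lint(conf)
        for n, old, new in findings:
            print(f"{name}:{n}: {old.strip()!r} -> {' / '.join(new)}")
        print(fixed)
```

Run it over a real /etc/puppet/fileserver.conf and /etc/puppet/auth.conf before upgrading a 2.7 master to 3.x; each finding is a line the 3.x parser will reject or silently mis-handle as a hostname, and the rewritten text is the 3.x form. Values that are neither addresses nor plain hostnames (the "$1" backreference, the "*" wildcard) are deliberately left under "allow", since those are the forms the thread confirms are still valid in 3.0.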
