The ChangeLog and the PR are not clear about this.  In fact, the 
documentation is vague and doesn't really mention allow_ip at all.   This 
should be updated and made more clear?

I will give this a try later on, on a test system, and see if that solves 
the problem.

Thanks.



On Tuesday, October 2, 2012 1:30:34 AM UTC-4, Matthaus Litteken wrote:
>
> Oh, sorry, you mention that you already found that changelog entry. I 
> misread that part. 
>
> On Mon, Oct 1, 2012 at 10:27 PM, Matthaus Owens <matt...@puppetlabs.com> wrote: 
> > In Puppet 3.x, allow directives are limited to hostnames, if you wish 
> > to allow an ip address, the allow_ip directive should be used. This 
> > was in response to CVE-2012-3408 
> > (http://puppetlabs.com/security/cve/cve-2012-3408/). 
> > 
> > On Mon, Oct 1, 2012 at 5:48 PM, Forrie <for...@gmail.com> wrote: 
> >> I've seen mention of this error in several places, with different causes. 
> >> So before I posted here, I attempted to resolve this on my own. 
> >> 
> >> I corrected the change from puppet:///files to puppet:/// in my manifests *.pp files. 
> >> 
> >> No changes were made to the auth.conf file, and I did note in the ChangeLog that: 
> >> 
> >>> Auth.conf differentiates between names and IPs – There’s a new allow_ip keyword in auth.conf if you want to permit IP addresses. (PR991) 
> >> 
> >> 
> >> But I see no mention of that on the docs page at 
> >> http://docs.puppetlabs.com/guides/rest_auth_conf.html. 
> >> 
> >> Our auth.conf is simple, and basically has either "allow $1" or "allow *", both of which appear to still be valid in 3.0. 
> >> 
> >> Here's an example, a simple example, an ntp.conf file: 
> >> 
> >> class ntp-client { 
> >>     file { "/etc/ntp.conf": 
> >>         owner   => root, 
> >>         group   => root, 
> >>         mode    => 644, 
> >>         source  => "puppet:///etc/ntp.conf", 
> >>         require => [ Package["ntp"] ], 
> >>         notify  => Service["ntpd"], 
> >>     } 
> >>     package { "ntp": 
> >>         ensure => latest, 
> >>     } 
> >>     service { "ntpd": 
> >>         ensure     => running, 
> >>         hasrestart => true, 
> >>         subscribe  => File["/etc/ntp.conf"], 
> >>     } 
> >> } # ntp-client 
> >> 
> >> 
> >> The error I'm seeing in the puppet.log, on the client system: 
> >> 
> >> 
> >>> Oct  1 20:02:28 test-fms puppet-agent[11062]: Starting Puppet client version 2.7.17 
> >>> Oct  1 20:02:31 test-fms puppet-agent[11062]: (/Stage[main]/Ntp-client/File[/etc/ntp.conf]) Could not evaluate: Error 400 on SERVER: Not authorized to call find on /file_metadata/etc/ntp.conf Could not retrieve file metadata for puppet:///etc/ntp.conf: Error 400 on SERVER: Not authorized to call find on /file_metadata/etc/ntp.conf at /etc/puppet/manifests/classes/ntp-client.pp:10 
> >> 
> >> 
> >> 
> >> The permissions from /etc/puppet/files are correct: 
> >> 
> >>> -rw-r--r--. 1 puppet puppet 446 Mar 31  2011 etc/ntp.conf 
> >> 
> >> 
> >> The client puppet.conf file doesn't have any custom references other than the basics. 
> >> 
> >>> [main] 
> >>> server = ourpuppet.server.com 
> >>> vardir = /var/lib/puppet 
> >>> logdir = /var/log/puppet 
> >>> rundir = /var/run/puppet 
> >>> ssldir = $vardir/ssl 
> >>> [agent] 
> >>> classfile = $vardir/classes.txt 
> >>> localconfig = $vardir/localconfig 
> >>> syslogfacility = local4 
> >>> report = true 
> >>> listen = true 
> >> 
> >> 
> >> I ran puppet master in verbose mode and got these diagnostics: 
> >> 
> >> Starting Puppet master version 3.0.0 
> >> Info: access[^/catalog/([^/]+)$]: allowing 'method' find 
> >> Info: access[^/catalog/([^/]+)$]: allowing $1 access 
> >> Info: access[/certificate_revocation_list/ca]: allowing 'method' find 
> >> Info: access[/certificate_revocation_list/ca]: allowing * access 
> >> Info: access[/report]: allowing 'method' save 
> >> Info: access[/report]: allowing * access 
> >> Info: access[/file]: allowing * access 
> >> Info: access[/certificate/ca]: adding authentication no 
> >> Info: access[/certificate/ca]: allowing 'method' find 
> >> Info: access[/certificate/ca]: allowing * access 
> >> Info: access[/certificate/]: adding authentication no 
> >> Info: access[/certificate/]: allowing 'method' find 
> >> Info: access[/certificate/]: allowing * access 
> >> Info: access[/certificate_request]: adding authentication no 
> >> Info: access[/certificate_request]: allowing 'method' find 
> >> Info: access[/certificate_request]: allowing 'method' save 
> >> Info: access[/certificate_request]: allowing * access 
> >> Info: access[/]: adding authentication any 
> >> Info: Inserting default '~ ^/node/([^/]+)$' (auth true) ACL 
> >> Info: Inserting default '/status' (auth true) ACL 
> >> Warning: Host is missing hostname and/or domain: one-host.ourdomain.com 
> >> Compiled catalog for one-host.ourdomain.com in environment production in 1.16 seconds 
> >> Info: mount[files]: allowing 10.101.0.0/24 access 
> >> Error: Error parsing fileserver configuration: wrong number of arguments (3 for 1); using old configuration 
> >> Error: Not authorized to call find on /file_metadata/etc/ntp.conf 
> >> Error: Not authorized to call find on /file_metadata/etc/sudoers 
> >> Error: Not authorized to call find on /file_metadata/files/etc/ssh/ssh_known_hosts 
> >> Error: Not authorized to call find on /file_metadata/files/etc/ssh/sshd_config 
> >> Error: Not authorized to call find on /file_metadata/etc/puppet/namespaceauth.conf 
> >> Error: Not authorized to call find on /file_metadata/etc/puppet/puppet.conf.agent 
> >> Error: Not authorized to call find on /file_metadata/etc/puppet/auth.conf 
> >> Error: Not authorized to call find on /file_metadata/etc/resolv.conf.test 
> >> 
> >> I reviewed the docs at http://docs.puppetlabs.com/guides/file_serving.html and our config looks fine. 
> >> 
> >> Reading through the issue at http://projects.puppetlabs.com/issues/16667, 
> >> I'm not clear what the fix actually is.  But, our config has been unaltered. 
> >> We have unused modules in the /etc/puppet/modules directory, where most of 
> >> the little stuff has been in /etc/puppet/manifests, referenced in site.pp by: 
> >> 
> >>> import "classes/*" 
> >>> import "nodes.pp" 
> >> 
> >> 
> >> And it's worked thus far. 
> >> 
> >> In the example above, with ntp-client, it's just a simple little 
> >> ntp-client.pp file that references a file that should be transferred, nothing 
> >> more.  So I don't see how or why that wouldn't work as-is. 
> >> 
> >> The error above: 
> >> 
> >>> Error: Error parsing fileserver configuration: wrong number of arguments (3 for 1); using old configuration 
> >> 
> >> 
> >> Doesn't make any sense to me, as our config seems to be in line with the docs: 
> >> 
> >> The fileserver.conf file is pretty simple: 
> >> 
> >>> [files] 
> >>> path    /etc/puppet/files 
> >>> allow   10.101.0.0/24 
> >>> allow   10.103.0.0/24 
> >> 
> >> 
> >> 
> >> In the log above, clearly the connection is authorized. 
> >> 
> >>> Info: mount[files]: allowing 10.101.0.0/24 access 
> >> 
> >> 
> >> I'm not sure of the reference to the error "Warning: Host is missing 
> >> hostname and/or domain" as it's clearly a FQHN (yes, I edited it here). 
> >> 
> >> So I'm pretty stumped here.   Our only other option is to just downgrade back to 2.7.x and wait for these issues to get worked out. 
> >> 
> >> Any pointers would be appreciated. 
> >> 
> >> 
> >> Thanks. 
> >> 
> >> -- 
> >> You received this message because you are subscribed to the Google Groups "Puppet Users" group. 
> >> To view this discussion on the web visit https://groups.google.com/d/msg/puppet-users/-/RuqTerxKHxMJ. 
> >> To post to this group, send email to puppet...@googlegroups.com. 
> >> To unsubscribe from this group, send email to puppet-users...@googlegroups.com. 
> >> For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en. 
> > 
> > 
> > 
> > -- 
> > Matthaus Owens 
> > Release Manager, Puppet Labs 
>
>
>
> -- 
> Matthaus Owens 
> Release Manager, Puppet Labs 
>

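A small check added here (not code from the thread or from Puppet itself) for the point Matthaus makes above: in Puppet 3.x an `allow` in auth.conf only matches hostnames (or the `$1` backreference and `*`), so a rule like `allow 10.101.0.0/24` silently stops matching and has to become `allow_ip`. The script parses an auth.conf and reports every `allow` whose value is an IP address or CIDR range; the sample auth.conf is constructed, modelled on the rules quoted in this thread.

```python
import ipaddress
import re

# Constructed sample auth.conf: the "allow 10.101.0.0/24" line is the kind of
# 2.7-era rule that no longer matches under Puppet 3.x.
SAMPLE_AUTH_CONF = """\
# clients may fetch their own catalog
path ~ ^/catalog/([^/]+)$
method find
allow $1

# file serving: one IP-based rule written the old way
path /file
allow *
allow 10.101.0.0/24
allow one-host.ourdomain.com
allow_ip 10.103.0.0/24
"""

def looks_like_ip(value):
    """True if value parses as an IPv4/IPv6 address or CIDR network."""
    try:
        ipaddress.ip_network(value, strict=False)
        return True
    except ValueError:
        # hostnames, "*" and "$1" all land here
        return False

def find_ip_allows(text):
    """Return (line_no, path, value) for each `allow` whose value is an IP/CIDR."""
    findings = []
    current_path = None
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()       # drop comments and blanks
        if not line:
            continue
        key, _, rest = line.partition(" ")
        rest = rest.strip()
        if key == "path":
            current_path = rest                   # remember which ACL we are in
        elif key == "allow":
            for value in re.split(r"[,\s]+", rest):   # allow a, b  or  allow a b
                if value and looks_like_ip(value):
                    findings.append((no, current_path, value))
    return findings

def suggest_fixes(findings):
    """Human-readable rewrite hints, one per finding."""
    return [f"line {no} (path {path}): change 'allow {v}' to 'allow_ip {v}'"
            for no, path, v in findings]

if __name__ == "__main__":
    print("\n".join(suggest_fixes(find_ip_allows(SAMPLE_AUTH_CONF))))
```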