Check out the example auth.conf that comes with the distribution; it's 
heavily commented and should point the way:

https://github.com/puppetlabs/puppet/blob/master/conf/auth.conf

On Tuesday, October 2, 2012 11:09:08 AM UTC-7, Forrie wrote:
>
> The ChangeLog and the PR are not clear about this.  In fact, the 
> documentation is vague and doesn't really mention allow_ip at all.   This 
> should be updated and made more clear?
>
> I will give this a try later on, on a test system, and see if that solves 
> the problem.
>
> Thanks.
>
>
>
> On Tuesday, October 2, 2012 1:30:34 AM UTC-4, Matthaus Litteken wrote:
>>
>> Oh, sorry, you mention that you already found that changelog entry. I 
>> misread that part. 
>>
>> On Mon, Oct 1, 2012 at 10:27 PM, Matthaus Owens <matt...@puppetlabs.com> 
>> wrote: 
>> > In Puppet 3.x, allow directives are limited to hostnames, if you wish 
>> > to allow an ip address, the allow_ip directive should be used. This 
>> > was in response to CVE-2012-3408 
>> > (http://puppetlabs.com/security/cve/cve-2012-3408/). 
>> > 
>> > On Mon, Oct 1, 2012 at 5:48 PM, Forrie <for...@gmail.com> wrote: 
>> >> I've seen mention of this error in several places, with different causes. 
>> >> So before I posted here, I attempted to resolve this on my own. 
>> >> 
>> >> I corrected the change from puppet:///files to puppet:/// in my manifests 
>> >> *.pp files. 
>> >> 
>> >> No changes were made to the auth.conf file, and I did note in the 
>> >> ChangeLog that: 
>> >> 
>> >>> Auth.conf differentiates between names and IPs – There's a new allow_ip 
>> >>> keyword in auth.conf if you want to permit IP addresses. (PR991) 
>> >> 
>> >> 
>> >> But I see no mention of that on the docs page at 
>> >> http://docs.puppetlabs.com/guides/rest_auth_conf.html. 
>> >> 
>> >> Our auth.conf is simple, and basically has either "allow $1" or "allow *", 
>> >> both of which appear to still be valid in 3.0. 
>> >> 
>> >> Here's an example, a simple example, an ntp.conf file: 
>> >> 
>> >> class ntp-client { 
>> >>     file { "/etc/ntp.conf": 
>> >>         owner   => root, 
>> >>         group   => root, 
>> >>         mode    => 644, 
>> >>         source  => "puppet:///etc/ntp.conf", 
>> >>         require => [ Package["ntp"] ], 
>> >>         notify  => Service["ntpd"], 
>> >>     } 
>> >>     package { "ntp": 
>> >>         ensure => latest, 
>> >>     } 
>> >>     service { "ntpd": 
>> >>         ensure     => running, 
>> >>         hasrestart => true, 
>> >>         subscribe  => File["/etc/ntp.conf"], 
>> >>     } 
>> >> } # ntp-client 
>> >> 
>> >> 
>> >> The error I'm seeing in the puppet.log, on the client system: 
>> >> 
>> >> 
>> >>> Oct  1 20:02:28 test-fms puppet-agent[11062]: Starting Puppet client version 2.7.17 
>> >>> Oct  1 20:02:31 test-fms puppet-agent[11062]: (/Stage[main]/Ntp-client/File[/etc/ntp.conf]) Could not evaluate: Error 400 on SERVER: Not authorized to call find on /file_metadata/etc/ntp.conf Could not retrieve file metadata for puppet:///etc/ntp.conf: Error 400 on SERVER: Not authorized to call find on /file_metadata/etc/ntp.conf at /etc/puppet/manifests/classes/ntp-client.pp:10 
>> >> 
>> >> 
>> >> 
>> >> The permissions from /etc/puppet/files are correct: 
>> >> 
>> >>> -rw-r--r--. 1 puppet puppet 446 Mar 31  2011 etc/ntp.conf 
>> >> 
>> >> 
>> >> The client puppet.conf file doesn't have any custom references other than 
>> >> the basics. 
>> >> 
>> >>> [main] 
>> >>> server = ourpuppet.server.com 
>> >>> vardir = /var/lib/puppet 
>> >>> logdir = /var/log/puppet 
>> >>> rundir = /var/run/puppet 
>> >>> ssldir = $vardir/ssl 
>> >>> [agent] 
>> >>> classfile = $vardir/classes.txt 
>> >>> localconfig = $vardir/localconfig 
>> >>> syslogfacility = local4 
>> >>> report = true 
>> >>> listen = true 
>> >> 
>> >> 
>> >> I ran puppet master in verbose mode and got these diagnostics: 
>> >> 
>> >> Starting Puppet master version 3.0.0 
>> >> Info: access[^/catalog/([^/]+)$]: allowing 'method' find 
>> >> Info: access[^/catalog/([^/]+)$]: allowing $1 access 
>> >> Info: access[/certificate_revocation_list/ca]: allowing 'method' find 
>> >> Info: access[/certificate_revocation_list/ca]: allowing * access 
>> >> Info: access[/report]: allowing 'method' save 
>> >> Info: access[/report]: allowing * access 
>> >> Info: access[/file]: allowing * access 
>> >> Info: access[/certificate/ca]: adding authentication no 
>> >> Info: access[/certificate/ca]: allowing 'method' find 
>> >> Info: access[/certificate/ca]: allowing * access 
>> >> Info: access[/certificate/]: adding authentication no 
>> >> Info: access[/certificate/]: allowing 'method' find 
>> >> Info: access[/certificate/]: allowing * access 
>> >> Info: access[/certificate_request]: adding authentication no 
>> >> Info: access[/certificate_request]: allowing 'method' find 
>> >> Info: access[/certificate_request]: allowing 'method' save 
>> >> Info: access[/certificate_request]: allowing * access 
>> >> Info: access[/]: adding authentication any 
>> >> Info: Inserting default '~ ^/node/([^/]+)$' (auth true) ACL 
>> >> Info: Inserting default '/status' (auth true) ACL 
>> >> Warning: Host is missing hostname and/or domain: one-host.ourdomain.com 
>> >> Compiled catalog for one-host.ourdomain.com in environment production in 1.16 seconds 
>> >> Info: mount[files]: allowing 10.101.0.0/24 access 
>> >> Error: Error parsing fileserver configuration: wrong number of arguments (3 for 1); using old configuration 
>> >> Error: Not authorized to call find on /file_metadata/etc/ntp.conf 
>> >> Error: Not authorized to call find on /file_metadata/etc/sudoers 
>> >> Error: Not authorized to call find on /file_metadata/files/etc/ssh/ssh_known_hosts 
>> >> Error: Not authorized to call find on /file_metadata/files/etc/ssh/sshd_config 
>> >> Error: Not authorized to call find on /file_metadata/etc/puppet/namespaceauth.conf 
>> >> Error: Not authorized to call find on /file_metadata/etc/puppet/puppet.conf.agent 
>> >> Error: Not authorized to call find on /file_metadata/etc/puppet/auth.conf 
>> >> Error: Not authorized to call find on /file_metadata/etc/resolv.conf.test 
>> >> 
>> >> I reviewed the docs at http://docs.puppetlabs.com/guides/file_serving.html 
>> >> and our config looks fine. 
>> >> 
>> >> Reading through the issue at http://projects.puppetlabs.com/issues/16667, 
>> >> I'm not clear what the fix actually is.  But, our config has been unaltered. 
>> >> We have unused modules in the /etc/puppet/modules directory, where most of 
>> >> the little stuff has been in /etc/puppet/manifests, referenced in site.pp 
>> >> by: 
>> >> 
>> >>> import "classes/*" 
>> >>> import "nodes.pp" 
>> >> 
>> >> 
>> >> And it's worked thus far. 
>> >> 
>> >> In the example above, with ntp-client, it's just a simple little 
>> >> ntp-client.pp file that references a file that should be transferred, nothing 
>> >> more.  So I don't see how or why that wouldn't work as-is. 
>> >> 
>> >> The error above: 
>> >> 
>> >>> Error: Error parsing fileserver configuration: wrong number of arguments 
>> >>> (3 for 1); using old configuration 
>> >> 
>> >> 
>> >> Doesn't make any sense to me, as our config seems to be in line with the 
>> >> docs: 
>> >> 
>> >> The fileserver.conf file is pretty simple: 
>> >> 
>> >>> [files] 
>> >>> path    /etc/puppet/files 
>> >>> allow   10.101.0.0/24 
>> >>> allow   10.103.0.0/24 
>> >> 
>> >> 
>> >> 
>> >> In the log above, clearly the connection is authorized. 
>> >> 
>> >>> Info: mount[files]: allowing 10.101.0.0/24 access 
>> >> 
>> >> 
>> >> I'm not sure of the reference to the error "Warning: Host is missing 
>> >> hostname and/or domain" as it's clearly a FQHN (yes, I edited it here). 
>> >> 
>> >> So I'm pretty stumped here.   Our only other option is to just downgrade 
>> >> back to 2.7.x and wait for these issues to get worked out. 
>> >> 
>> >> Any pointers would be appreciated. 
>> >> 
>> >> 
>> >> Thanks. 
>> >> 
>> >> -- 
>> >> You received this message because you are subscribed to the Google Groups 
>> >> "Puppet Users" group. 
>> >> To view this discussion on the web visit 
>> >> https://groups.google.com/d/msg/puppet-users/-/RuqTerxKHxMJ. 
>> >> To post to this group, send email to puppet...@googlegroups.com. 
>> >> To unsubscribe from this group, send email to 
>> >> puppet-users...@googlegroups.com. 
>> >> For more options, visit this group at 
>> >> http://groups.google.com/group/puppet-users?hl=en. 
>> > 
>> > 
>> > 
>> > -- 
>> > Matthaus Owens 
>> > Release Manager, Puppet Labs 
>>
>>
>>
>> -- 
>> Matthaus Owens 
>> Release Manager, Puppet Labs 
>>
>
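
As an added illustration (not from the thread, and not the auth.conf shipped with Puppet), here is the auth.conf change the quoted replies describe for Puppet 3.x: a stanza that puts an IP range in an `allow` line beside the corrected stanza that uses `allow_ip`. The certname and address ranges are the ones mentioned in the thread and are assumed here to be the agent's certname and the agent networks; the two stanzas are alternatives, not meant to appear together in one file.

```conf
# /etc/puppet/auth.conf fragment (added example, not the distribution's file).
# Assumed: agents connect from 10.101.0.0/24 and 10.103.0.0/24, and the
# node whose catalog failed has the certname one-host.ourdomain.com.

# --- 2.7-style stanza: breaks on Puppet 3.x ---
# In 3.x "allow" only matches certnames/hostnames, so a CIDR range in an
# "allow" line never matches and agents in that range get
# "Not authorized to call find on /file_metadata/...".
path /file
auth any
allow 10.101.0.0/24

# --- 3.x stanza: name matches stay in "allow", addresses move to "allow_ip" ---
# A request is authorized if its certname matches an "allow" line or its
# source address matches an "allow_ip" line; keep the list as narrow as the
# agent networks actually require rather than falling back to "allow *".
path /file
auth any
allow one-host.ourdomain.com
allow_ip 10.101.0.0/24
allow_ip 10.103.0.0/24
```

After editing auth.conf the master has to be restarted for the new ACLs to be read; the "Info: access[/file]: allowing ..." lines in the verbose master output above are where the loaded rules can be confirmed.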
