Hi,

I am creating a folder with subfolders and files from within my basenode 
class to be existent on all servers with:

  class basenode {   # opening line of the class referred to above (not shown in the original snippet)
    file { "/sig/certstore/":
      ensure  => directory,
      source  => "puppet:///files/sig/certstore/",
      recurse => true,
      owner   => tomcat6,
      group   => tomcat6,
      require => [ Package['tomcat6'], File['/sig'] ],
    }
  }

My fileserver.conf looks like:

[files]
  path /etc/puppet/env/production/files
  allow *

[plugins]
  allow *

My auth.conf looks like the work around from Nick:

### Authenticated ACL - these apply only when the client
### has a valid certificate and is thus authenticated



# allow nodes to retrieve their own catalog (ie their configuration)
path ~ ^/catalog/([^/]+)$
method find
allow $1

# allow nodes to retrieve their own node definition
path ~ ^/node/([^/]+)$
method find
allow $1

# allow all nodes to access the certificates services
path /certificate_revocation_list/ca
method find
allow *

# allow all nodes to store their reports
path /report
method save
allow *

path /file_metadata/files
auth yes
allow_ip 192.168.67.0/24

path /file_content/files
auth yes
allow_ip 192.168.67.0/24

# unconditionally allow access to all files services
# which means in practice that fileserver.conf will
# still be used
path /file
allow *

### Unauthenticated ACL, for clients for which the current master doesn't
### have a valid certificate; we allow authenticated users, too, because
### there isn't a great harm in letting that request through.

# allow access to the master CA
path /certificate/ca
auth any
method find
allow *

path /certificate/
auth any
method find
allow *

path /certificate_request
auth any
method find, save
allow *

# this one is not strictly necessary, but it has the merit
# to show the default policy which is deny everything else
path /
auth any

Unfortunately I am still getting the error:

err: Could not run Puppet configuration client: Error 400 on SERVER: Not authorized to call find on /file_metadata/files/sig/certstore Could not retrieve file metadata for puppet:///files/sig/certstore: Error 400 on SERVER: Not authorized to call find on /file_metadata/files/sig/certstore at /etc/puppet/env/production/manifests/nodes.pp:64

I have been trying to play around but can't get it to work. It all worked 
like a charm on Puppet 2.7 but since my migration to 3.0.1 it's not working 
anymore.

On Tuesday, October 30, 2012 11:02:16 PM UTC+1, Forrie wrote:
>
>
>
> On Wednesday, October 24, 2012 7:44:26 PM UTC-4, Nick Fagerlund wrote:
>>
>> HMMMMMMM, this actually sounds like you've got a slightly larger problem, 
>> since it can't get its own node object or its plugins. Any chance we could get 
>> a look at your whole auth.conf? 
>>
>> On Wednesday, October 24, 2012 3:41:32 PM UTC-7, Forrie wrote:
>>>
>>> No, I didn't leave *example.com* in my config - I put our own domain in 
>>> there... just FYI ;-)
>>>
>>>
>
> auth.conf is below.
>
> First, we have some simple classes that we use to manage files and 
> packages that do not need to be in a module.   For example, 
> /etc/puppet/files/etc/ntp.conf is a file I distribute to all our internal 
> systems and I use this very simple recipe to manage them, which works fine 
> under 2.7:
>
> [ ntp-client.pp ]
>
> class ntp-client {
>
>   file { "/etc/ntp.conf":
>     owner   => root,
>     group   => root,
>     mode    => 644,
>     source  => "puppet:///etc/ntp.conf",
>     require => [ Package["ntp"] ],
>     notify  => Service["ntpd"],
>   }
>
>   package { "ntp":
>     ensure => latest,
>   }
>
>   service { "ntpd":
>     ensure     => running,
>     hasrestart => true,
>     subscribe  => File["/etc/ntp.conf"],
>   }
>
> } # ntp-client
>
>
>
> From what I read in the docs, this /should/ work.  But it doesn't.   I 
> shouldn't have to create a module path in order for this recipe to work (as 
> I've seen suggested, or I've misunderstood).  
>
> Here is the auth.conf file:
>
>
> [ auth.conf ]
>
> # This is an example auth.conf file, it mimics the puppetmasterd defaults
> #
> # The ACLs are checked in order of appearance in this file.
> #
> # Supported syntax:
> # This file supports two different syntaxes depending on how
> # you want to express the ACL.
> #
> # Path syntax (the one used below):
> # ---------------------------------
> # path /path/to/resource
> # [environment envlist]
> # [method methodlist]
> # [auth[enticated] {yes|no|on|off|any}]
> # allow [host|ip|*]
> # deny [host|ip]
> #
> # The path is matched as a prefix. That is, /file matches
> # both /file_metadata and /file_content.
> #
> # Regex syntax:
> # -------------
> # This one is differentiated from the path one by a '~'
> #
> # path ~ regex
> # [environment envlist]
> # [method methodlist]
> # [auth[enticated] {yes|no|on|off|any}]
> # allow [host|ip|*]
> # deny [host|ip]
> #
> # The regex syntax is the same as Ruby's.
> #
> # Ex:
> # path ~ .pp$
> # will match every resource ending in .pp (manifest files for instance)
> #
> # path ~ ^/path/to/resource
> # is essentially equivalent to path /path/to/resource
> #
> # environment:: restrict an ACL to a specific set of environments
> # method:: restrict an ACL to a specific set of methods
> # auth:: restrict an ACL to an authenticated or unauthenticated request
> # the default when unspecified is to restrict the ACL to authenticated requests
> # (ie exactly as if auth yes was present).
> #
>
> ### Authenticated ACL - these apply only when the client
> ### has a valid certificate and is thus authenticated
>
> # allow nodes to retrieve their own catalog (ie their configuration)
> path ~ ^/catalog/([^/]+)$
> method find
> allow $1
>
> # allow all nodes to access the certificates services
> path /certificate_revocation_list/ca
> method find
> allow *
>
> # allow all nodes to store their reports
> path /report
> method save
> allow *
>
> # unconditionally allow access to all files services
> # which means in practice that fileserver.conf will
> # still be used
> # path /file
> # allow *
> # allow_ip 10.101.0.0/24
> # allow_ip 10.103.0.0/24
>
> # Note that nothing here works, regardless of the CIDR
> path ~ ^/file_(metadata|content)/files/
> auth yes
> allow /^(.+\.)?example.com$/
> allow_ip 10.0.0.0/8
>
> ### Unauthenticated ACL, for clients for which the current master doesn't
> ### have a valid certificate
>
> # allow access to the master CA
> path /certificate/ca
> auth no
> method find
> allow *
>
> path /certificate/
> auth no
> method find
> allow *
>
> path /certificate_request
> auth no
> method find, save
> allow *
>
> # this one is not strictly necessary, but it has the merit
> # to show the default policy which is deny everything else
> path /
> # allow *
> auth any
>  
>
> Here are some of the errors I'm seeing today.  I do not have any other 
> modules or classes defined here, just the ntp-client.pp on the staging 
> system:
>
>
>
> Oct 30 17:50:38 stage1 puppet-agent[3421]: catalog supports formats: 
> b64_zlib_yaml dot pson raw yaml; using pson
> Oct 30 17:50:38 stage1 puppet-agent[3421]: Caching catalog for 
> stage1.mydomain.com
> Oct 30 17:50:38 stage1 puppet-agent[3421]: Creating default schedules
> Oct 30 17:50:38 stage1 puppet-agent[3421]: Loaded state in 0.00 seconds
> Oct 30 17:50:38 stage1 puppet-agent[3421]: Applying configuration version 
> '1351630198'
> Oct 30 17:50:38 stage1 puppet-agent[3421]: 
> (/Stage[main]/Ntp-client/Service[ntpd]/subscribe) subscribes to 
> File[/etc/ntp.conf]
> Oct 30 17:50:38 stage1 puppet-agent[3421]: 
> (/Stage[main]/Ntp-client/File[/etc/ntp.conf]/require) requires Package[ntp]
> Oct 30 17:50:38 stage1 puppet-agent[3421]: 
> (/Stage[main]/Ntp-client/File[/etc/ntp.conf]/notify) subscribes to 
> Service[ntpd]
> Oct 30 17:50:38 stage1 puppet-agent[3421]: (/Schedule[daily]) Skipping 
> device resources because running on a host
> Oct 30 17:50:38 stage1 puppet-agent[3421]: (/Schedule[monthly]) Skipping 
> device resources because running on a host
> Oct 30 17:50:38 stage1 puppet-agent[3421]: (/Schedule[hourly]) Skipping 
> device resources because running on a host
> Oct 30 17:50:38 stage1 puppet-agent[3421]: Prefetching yum resources for 
> package
> Oct 30 17:50:38 stage1 puppet-agent[3421]: Executing '/bin/rpm --version'
> Oct 30 17:50:38 stage1 puppet-agent[3421]: Executing '/bin/rpm -qa 
> --nosignature --nodigest --qf '%{NAME} %|EPOCH?{%{EPOCH}}:{0}| %{VERSION} 
> %{RELEASE} %{ARCH}
> Oct 30 17:50:38 stage1 puppet-agent[3421]: ''
> Oct 30 17:50:38 stage1 puppet-agent[3421]: Executing '/usr/bin/python 
> /usr/local/lib/ruby/gems/1.8/gems/puppet-3.0.1/lib/puppet/provider/package/yumhelper.py'
> Oct 30 17:50:40 stage1 puppet-agent[3421]: file_metadata supports formats: 
> b64_zlib_yaml pson raw yaml; using pson
> Oct 30 17:50:40 stage1 puppet-agent[3421]: 
> (/Stage[main]/Ntp-client/File[/etc/ntp.conf]) Could not evaluate: Error 403 
> on SERVER: Forbidden request: stage1.mydomain.com(127.0.0.1) access to 
> /file_metadata/etc/ntp.conf [find] authenticated  at :100 Could not 
> retrieve file metadata for puppet:///etc/ntp.conf: Error 403 on SERVER: 
> Forbidden request: stage1.mydomain.com(127.0.0.1) access to 
> /file_metadata/etc/ntp.conf [find] authenticated  at :100
> Oct 30 17:50:40 stage1 puppet-agent[3421]: (/Schedule[never]) Skipping 
> device resources because running on a host
> Oct 30 17:50:40 stage1 puppet-agent[3421]: (/Schedule[weekly]) Skipping 
> device resources because running on a host
> Oct 30 17:50:40 stage1 puppet-agent[3421]: 
> (/Stage[main]/Ntp-client/Service[ntpd]) Dependency File[/etc/ntp.conf] has 
> failures: true
> Oct 30 17:50:40 stage1 puppet-agent[3421]: 
> (/Stage[main]/Ntp-client/Service[ntpd]) Skipping because of failed 
> dependencies
> Oct 30 17:50:40 stage1 puppet-agent[3421]: (/Schedule[puppet]) Skipping 
> device resources because running on a host
> Oct 30 17:50:40 stage1 puppet-agent[3421]: Finishing transaction 
> 23478903583320
> Oct 30 17:50:40 stage1 puppet-agent[3421]: Storing state
> Oct 30 17:50:40 stage1 puppet-agent[3421]: Stored state in 0.01 seconds
> Oct 30 17:50:40 stage1 puppet-agent[3421]: Finished catalog run in 2.03 
> seconds
> Oct 30 17:50:40 stage1 puppet-agent[3421]: Value of 
> 'preferred_serialization_format' (pson) is invalid for report, using 
> default (b64_zlib_yaml)
> Oct 30 17:50:40 stage1 puppet-agent[3421]: report supports formats: 
> b64_zlib_yaml raw yaml; using b64_zlib_yaml
>

-- 
You received this message because you are subscribed to the Google Groups 
"Puppet Users" group.
To view this discussion on the web visit 
https://groups.google.com/d/msg/puppet-users/-/zEuFBBHuAugJ.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to 
puppet-users+unsubscr...@googlegroups.com.
For more options, visit this group at 
http://groups.google.com/group/puppet-users?hl=en.
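The auth.conf header comment quoted above describes the ACL grammar: rules are checked in order of appearance, a plain `path` matches as a prefix, `path ~` is a Ruby regex, and `method` and `auth` narrow when a rule applies. Below is an added Ruby model of that first-match evaluation (an illustration written for this thread, not Puppet's own code; `deny` and `environment` are left out); the sample rules and requests are constructed from the quoted auth.conf and agent log, which is why `/file_metadata/etc/ntp.conf` ends at the catch-all `path /`.

```ruby
require 'ipaddr'
# Added first-match model of the auth.conf semantics in the quoted header comment (an
# illustration, not Puppet's code): the first rule whose path, method and auth filters
# fit the request decides, and a request that matches no rule at all is denied.
class AuthConf
  Rule = Struct.new(:path, :regex, :meths, :auth, :allow, :allow_ip)
  def initialize(text)
    @rules = []
    text.each_line do |raw|
      key, value = raw.sub(/#.*/, '').strip.split(/\s+/, 2)   # comments and blank lines yield no key
      list = value.to_s.split(/\s*,\s*/)
      case key
      when 'path' then @rules << Rule.new(value.sub(/^~\s*/, ''), value.start_with?('~'), nil, 'yes', [], [])
      when 'method' then @rules.last.meths = list
      when 'auth', 'authenticated' then @rules.last.auth = value   # unspecified means 'yes'
      when 'allow' then @rules.last.allow.concat(list)
      when 'allow_ip' then @rules.last.allow_ip.concat(list.map { |c| IPAddr.new(c) })
      end
    end
  end
  def check(path, method:, node:, ip:, authenticated: true)   # => [:allow|:deny, deciding rule path or nil]
    @rules.each do |r|
      m = r.regex ? Regexp.new(r.path).match(path) : (path.start_with?(r.path) ? [] : nil)
      next if m.nil? || (r.meths && !r.meths.include?(method))
      next if (%w[yes on].include?(r.auth) && !authenticated) || (%w[no off].include?(r.auth) && authenticated)
      ok = r.allow.any? { |a| name_match?(a, node, m) } || r.allow_ip.any? { |c| c.include?(IPAddr.new(ip)) }
      return [ok ? :allow : :deny, r.path]   # the first matching rule decides; no fall-through
    end
    [:deny, nil]
  end
  def name_match?(pattern, node, m)
    return true if pattern == '*'
    pattern = pattern.gsub(/\$(\d)/) { m[$1.to_i] } if m.is_a?(MatchData)   # "allow $1" backreference
    return Regexp.new(pattern[1..-2]).match?(node) if pattern.match?(%r{\A/.*/\z})   # "allow /regex/"
    pattern == node
  end
end
# Constructed sample: rules from the quoted auth.conf, with "path /file" still commented out.
SAMPLE = AuthConf.new(<<~CONF)
  path ~ ^/catalog/([^/]+)$
  method find
  allow $1
  path ~ ^/file_(metadata|content)/files/
  auth yes
  allow /^(.+\\.)?example.com$/
  allow_ip 10.0.0.0/8
  path /
  auth any
CONF
```

A request whose path matches a rule but whose node name and IP match none of that rule's `allow` entries is denied by that rule and does not fall through to a later, more permissive one.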
