Hi,

I am creating a folder with subfolders and files from within my basenode class, which should exist on all servers, with:

    file { "/sig/certstore/":
      source  => "puppet:///files/sig/certstore/",
      ensure  => directory,
      recurse => true,
      owner   => tomcat6,
      group   => tomcat6,
      require => [Package['tomcat6'], File['/sig'],]
    }

My fileserver.conf looks like:

    [files]
      path /etc/puppet/env/production/files
      allow *

    [plugins]
      allow *

My auth.conf looks like the workaround from Nick:

    ### Authenticated ACL - these apply only when the client
    ### has a valid certificate and is thus authenticated

    # allow nodes to retrieve their own catalog (ie their configuration)
    path ~ ^/catalog/([^/]+)$
    method find
    allow $1

    # allow nodes to retrieve their own node definition
    path ~ ^/node/([^/]+)$
    method find
    allow $1

    # allow all nodes to access the certificates services
    path /certificate_revocation_list/ca
    method find
    allow *

    # allow all nodes to store their reports
    path /report
    method save
    allow *

    path /file_metadata/files
    auth yes
    allow_ip 192.168.67.0/24

    path /file_content/files
    auth yes
    allow_ip 192.168.67.0/24

    # unconditionally allow access to all files services
    # which means in practice that fileserver.conf will
    # still be used
    path /file
    allow *

    ### Unauthenticated ACL, for clients for which the current master doesn't
    ### have a valid certificate; we allow authenticated users, too, because
    ### there isn't a great harm in letting that request through.

    # allow access to the master CA
    path /certificate/ca
    auth any
    method find
    allow *

    path /certificate/
    auth any
    method find
    allow *

    path /certificate_request
    auth any
    method find, save
    allow *

    # this one is not strictly necessary, but it has the merit
    # to show the default policy which is deny everything else
    path /
    auth any

Unfortunately I am still getting the error:

    err: Could not run Puppet configuration client: Error 400 on SERVER: Not authorized to call find on /file_metadata/files/sig/certstore Could not retrieve file metadata for puppet:///files/sig/certstore: Error 400 on SERVER: Not authorized to call find on /file_metadata/files/sig/certstore at /etc/puppet/env/production/manifests/nodes.pp:64

I have been trying to play around but can't get it to work. It all worked like a charm on Puppet 2.7, but since my migration to 3.0.1 it's not working anymore.

On Tuesday, October 30, 2012 11:02:16 PM UTC+1, Forrie wrote:
>
> On Wednesday, October 24, 2012 7:44:26 PM UTC-4, Nick Fagerlund wrote:
>>
>> HMMMMMMM, this actually sounds like you've got a slightly larger problem,
>> since it can't get its own node object or its plugins. Any chance we could get
>> a look at your whole auth.conf?
>>
>> On Wednesday, October 24, 2012 3:41:32 PM UTC-7, Forrie wrote:
>>>
>>> No, I didn't leave *example.com* in my config - I put our own domain in
>>> there... just FYI ;-)
>>>
>
> auth.conf is below.
>
> First, we have some simple classes that we use to manage files and
> packages that do not need to be in a module. For example,
> /etc/puppet/files/etc/ntp.conf is a file I distribute to all our internal
> systems and I use this very simple recipe to manage them, which works fine
> under 2.7:
>
> [ ntp-client.pp ]
>
> class ntp-client {
>
>   file { "/etc/ntp.conf":
>     owner   => root,
>     group   => root,
>     mode    => 644,
>     source  => "puppet:///etc/ntp.conf",
>     require => [ Package["ntp"] ],
>     notify  => Service["ntpd"],
>   }
>
>   package { "ntp":
>     ensure => latest,
>   }
>
>   service { "ntpd":
>     ensure     => running,
>     hasrestart => true,
>     subscribe  => File["/etc/ntp.conf"],
>   }
>
> } # ntp-client
>
> From what I read in the docs, this /should/ work. But it doesn't. I
> shouldn't have to create a module path in order for this recipe to work (as
> I've seen suggested, or I've misunderstood).
>
> Here is the auth.conf file:
>
> [ auth.conf ]
>
> # This is an example auth.conf file, it mimics the puppetmasterd defaults
> #
> # The ACLs are checked in order of appearance in this file.
> #
> # Supported syntax:
> # This file supports two different syntaxes depending on how
> # you want to express the ACL.
> #
> # Path syntax (the one used below):
> # ---------------------------------
> # path /path/to/resource
> # [environment envlist]
> # [method methodlist]
> # [auth[enticated] {yes|no|on|off|any}]
> # allow [host|ip|*]
> # deny [host|ip]
> #
> # The path is matched as a prefix. That is, /file matches at
> # the same time /file_metadata and /file_content.
> #
> # Regex syntax:
> # -------------
> # This one is differentiated from the path one by a '~'
> #
> # path ~ regex
> # [environment envlist]
> # [method methodlist]
> # [auth[enticated] {yes|no|on|off|any}]
> # allow [host|ip|*]
> # deny [host|ip]
> #
> # The regex syntax is the same as Ruby's.
> #
> # Ex:
> # path ~ .pp$
> # will match every resource ending in .pp (manifest files for instance)
> #
> # path ~ ^/path/to/resource
> # is essentially equivalent to path /path/to/resource
> #
> # environment:: restrict an ACL to a specific set of environments
> # method:: restrict an ACL to a specific set of methods
> # auth:: restrict an ACL to an authenticated or unauthenticated request
> # the default when unspecified is to restrict the ACL to authenticated requests
> # (ie exactly as if auth yes was present).
> #
>
> ### Authenticated ACL - these apply only when the client
> ### has a valid certificate and is thus authenticated
>
> # allow nodes to retrieve their own catalog (ie their configuration)
> path ~ ^/catalog/([^/]+)$
> method find
> allow $1
>
> # allow all nodes to access the certificates services
> path /certificate_revocation_list/ca
> method find
> allow *
>
> # allow all nodes to store their reports
> path /report
> method save
> allow *
>
> # unconditionally allow access to all files services
> # which means in practice that fileserver.conf will
> # still be used
> # path /file
> # allow *
> # allow_ip 10.101.0.0/24
> # allow_ip 10.103.0.0/24
>
> # Note that nothing here works, regardless of the CIDR
> path ~ ^/file_(metadata|content)/files/
> auth yes
> allow /^(.+\.)?example.com$/
> allow_ip 10.0.0.0/8
>
> ### Unauthenticated ACL, for clients for which the current master doesn't
> ### have a valid certificate
>
> # allow access to the master CA
> path /certificate/ca
> auth no
> method find
> allow *
>
> path /certificate/
> auth no
> method find
> allow *
>
> path /certificate_request
> auth no
> method find, save
> allow *
>
> # this one is not strictly necessary, but it has the merit
> # to show the default policy which is deny everything else
> path /
> # allow *
> auth any
>
> Here are some of the errors I'm seeing today. I do not have any other
> modules or classes defined here, just the ntp-client.pp on the staging
> system:
>
> Oct 30 17:50:38 stage1 puppet-agent[3421]: catalog supports formats: b64_zlib_yaml dot pson raw yaml; using pson
> Oct 30 17:50:38 stage1 puppet-agent[3421]: Caching catalog for stage1.mydomain.com
> Oct 30 17:50:38 stage1 puppet-agent[3421]: Creating default schedules
> Oct 30 17:50:38 stage1 puppet-agent[3421]: Loaded state in 0.00 seconds
> Oct 30 17:50:38 stage1 puppet-agent[3421]: Applying configuration version '1351630198'
> Oct 30 17:50:38 stage1 puppet-agent[3421]: (/Stage[main]/Ntp-client/Service[ntpd]/subscribe) subscribes to File[/etc/ntp.conf]
> Oct 30 17:50:38 stage1 puppet-agent[3421]: (/Stage[main]/Ntp-client/File[/etc/ntp.conf]/require) requires Package[ntp]
> Oct 30 17:50:38 stage1 puppet-agent[3421]: (/Stage[main]/Ntp-client/File[/etc/ntp.conf]/notify) subscribes to Service[ntpd]
> Oct 30 17:50:38 stage1 puppet-agent[3421]: (/Schedule[daily]) Skipping device resources because running on a host
> Oct 30 17:50:38 stage1 puppet-agent[3421]: (/Schedule[monthly]) Skipping device resources because running on a host
> Oct 30 17:50:38 stage1 puppet-agent[3421]: (/Schedule[hourly]) Skipping device resources because running on a host
> Oct 30 17:50:38 stage1 puppet-agent[3421]: Prefetching yum resources for package
> Oct 30 17:50:38 stage1 puppet-agent[3421]: Executing '/bin/rpm --version'
> Oct 30 17:50:38 stage1 puppet-agent[3421]: Executing '/bin/rpm -qa --nosignature --nodigest --qf '%{NAME} %|EPOCH?{%{EPOCH}}:{0}| %{VERSION} %{RELEASE} %{ARCH}
> Oct 30 17:50:38 stage1 puppet-agent[3421]: ''
> Oct 30 17:50:38 stage1 puppet-agent[3421]: Executing '/usr/bin/python /usr/local/lib/ruby/gems/1.8/gems/puppet-3.0.1/lib/puppet/provider/package/yumhelper.py'
> Oct 30 17:50:40 stage1 puppet-agent[3421]: file_metadata supports formats: b64_zlib_yaml pson raw yaml; using pson
> Oct 30 17:50:40 stage1 puppet-agent[3421]: (/Stage[main]/Ntp-client/File[/etc/ntp.conf]) Could not evaluate: Error 403 on SERVER: Forbidden request: stage1.mydomain.com(127.0.0.1) access to /file_metadata/etc/ntp.conf [find] authenticated at :100 Could not retrieve file metadata for puppet:///etc/ntp.conf: Error 403 on SERVER: Forbidden request: stage1.mydomain.com(127.0.0.1) access to /file_metadata/etc/ntp.conf [find] authenticated at :100
> Oct 30 17:50:40 stage1 puppet-agent[3421]: (/Schedule[never]) Skipping device resources because running on a host
> Oct 30 17:50:40 stage1 puppet-agent[3421]: (/Schedule[weekly]) Skipping device resources because running on a host
> Oct 30 17:50:40 stage1 puppet-agent[3421]: (/Stage[main]/Ntp-client/Service[ntpd]) Dependency File[/etc/ntp.conf] has failures: true
> Oct 30 17:50:40 stage1 puppet-agent[3421]: (/Stage[main]/Ntp-client/Service[ntpd]) Skipping because of failed dependencies
> Oct 30 17:50:40 stage1 puppet-agent[3421]: (/Schedule[puppet]) Skipping device resources because running on a host
> Oct 30 17:50:40 stage1 puppet-agent[3421]: Finishing transaction 23478903583320
> Oct 30 17:50:40 stage1 puppet-agent[3421]: Storing state
> Oct 30 17:50:40 stage1 puppet-agent[3421]: Stored state in 0.01 seconds
> Oct 30 17:50:40 stage1 puppet-agent[3421]: Finished catalog run in 2.03 seconds
> Oct 30 17:50:40 stage1 puppet-agent[3421]: Value of 'preferred_serialization_format' (pson) is invalid for report, using default (b64_zlib_yaml)
> Oct 30 17:50:40 stage1 puppet-agent[3421]: report supports formats: b64_zlib_yaml raw yaml; using b64_zlib_yaml
>

--
You received this message because you are subscribed to the Google Groups "Puppet Users" group.
To view this discussion on the web visit https://groups.google.com/d/msg/puppet-users/-/zEuFBBHuAugJ.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to puppet-users+unsubscr...@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.
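To make the ACL semantics described in the quoted auth.conf comments concrete (rules tried in file order, `path` as a prefix or a `~` regex, `auth` and `method` restrictions, `allow` by name and `allow_ip` by CIDR), here is a simplified evaluator written for this thread; it is not Puppet's own code, the rule excerpt and requests are constructed from the quoted file, and the `$1` back-reference form of `allow` is left out. Run against those rules, the quoted request for `/file_metadata/etc/ntp.conf` from stage1.mydomain.com never reaches the `/files/` regex rule and is decided by the catch-all `path /`, which has no `allow` line.

```python
import fnmatch
import ipaddress
import re

# Constructed excerpt of the auth.conf quoted above; rules are tried in file order.
AUTH_CONF = r"""
path ~ ^/file_(metadata|content)/files/
auth yes
allow /^(.+\.)?example.com$/
allow_ip 10.0.0.0/8
path /
auth any
"""

def parse_auth_conf(text):
    rules = []  # each 'path' line opens a rule; the directives after it attach to it
    lines = (raw.split("#", 1)[0].strip() for raw in text.splitlines())
    for line in filter(None, lines):  # drop comments and blank lines
        key, value = (line.split(None, 1) + [""])[:2]
        if key == "path":
            rules.append({"path": value.lstrip("~ "), "regex": value.startswith("~"),
                          "method": None, "auth": "yes", "allow": [], "allow_ip": []})
        elif key == "method":
            rules[-1]["method"] = {m.strip() for m in value.split(",")}
        elif key == "auth":  # yes/on (the default), no/off, or any
            rules[-1]["auth"] = {"no": "no", "off": "no", "any": "any"}.get(value, "yes")
        elif key in ("allow", "allow_ip"):
            rules[-1][key].extend(v.strip() for v in value.split(","))
    return rules

def name_matches(pattern, node):
    # 'allow' takes a /regex/ or a hostname glob such as *.example.com (or just *).
    if len(pattern) > 1 and pattern[0] == pattern[-1] == "/":
        return re.search(pattern[1:-1], node) is not None
    return fnmatch.fnmatch(node, pattern)

def decide(rules, path, method, node, ip, authenticated):
    # The first rule whose path, method and auth restriction all apply decides the request.
    for rule in rules:
        matched = re.search(rule["path"], path) if rule["regex"] else path.startswith(rule["path"])
        auth_ok = rule["auth"] == "any" or (rule["auth"] == "yes") == authenticated
        if not matched or (rule["method"] and method not in rule["method"]) or not auth_ok:
            continue  # not applicable to this request: try the next rule
        if any(name_matches(p, node) for p in rule["allow"]) or any(
                ipaddress.ip_address(ip) in ipaddress.ip_network(n) for n in rule["allow_ip"]):
            return "allow", rule["path"]
        return "deny", rule["path"]  # rule applies but allows neither this name nor this IP
    return "deny", None  # no rule applied at all
```

`decide` returns the verdict together with the `path` of the rule that produced it, which is the quickest way to see which ACL entry a rejected request actually hit.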