On Wed, May 7, 2014 at 4:07 PM, Drew Fisher <drewfisher...@gmail.com> wrote:

> Good afternoon!
>
> I'm trying to get RBAC working on Solaris 11.2 for Puppet 3.4.1.  Namely,
> I need to be able to list and sign waiting certificates as a non-root user
> (but with elevated RBAC permissions).  No matter what happens, I can not
> seem to get the @ca object that puppet/application/cert.rb uses to be
> generated from /etc/puppet.  It's always using my own home directory.
>  Tracing through the various classes and methods, I end up in
>
>
Just to clarify what you are doing. You are running "puppet cert list" as a
non-root user? This isn't some ruby code that you wrote to use the puppet
code as a library.

If that is the case, then I think all that you are seeing is that when
puppet is running as non-root it will use $HOME/.puppet as its confdir and
$HOME/.puppet/var as the $vardir. When puppet runs as root it will use
/etc/puppet and /var/lib/puppet. So one way of doing this is to specify
"--confdir /etc/puppet --vardir /var/lib/puppet" on the command line. You
may still hit file permission problems when it tries to read and write
files, but I suppose you are taking care of that with the RBAC system on
Solaris (I don't know the details of that system).


> [463, 468] in /usr/ruby/1.9/lib/ruby/vendor_ruby/1.9.1/puppet/ssl/certificate_authority.rb
>    463    def waiting?
> => 464      Puppet::SSL::CertificateRequest.indirection.search("*").collect { |r| r.name }
>    465    end
>
> <....>
>
> [99, 108] in /usr/ruby/1.9/lib/ruby/vendor_ruby/1.9.1/puppet/indirector/ssl_file.rb
>    99    end
>    100
>    101    # Search for more than one file.  At this point, it just returns
>    102    # an instance for every file in the directory.
>    103    def search(request)
> => 104      dir = collection_directory
>    105      Dir.entries(dir).
>    106        select  { |file| file =~ /\.pem$/ }.
>    107        collect { |file| create_model(file.sub(/\.pem$/, ''), File.join(dir, file)) }.
>    108        compact
>
> (rdb:1) p collection_directory
> "/home/dfisher/.puppet/ssl/ca/requests"
>
> Where collection_directory is my home directory rather than the 'puppet'
> user's (/etc/puppet).
>
> If anybody has any ideas on what's going on, I'd love to hear them.
>
> Thanks!
>



-- 
Andrew Parker
a...@puppetlabs.com
Freenode: zaphod42
Twitter: @aparker42
Software Developer
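
A preflight check for the situation discussed in this thread, as an added example that is not part of the original messages and not Puppet's own code. The function names are hypothetical, and it assumes the `ssl/ca/requests` layout under the confdir that the debugger output above shows.

```shell
#!/bin/sh
# Added example, not Puppet code. Mirrors the defaults described in the reply:
# root -> /etc/puppet and /var/lib/puppet; non-root -> $HOME/.puppet and $HOME/.puppet/var.

# Print "confdir vardir" for a given uid and home directory.
puppet_default_dirs() {
    uid=$1; home=$2
    if [ "$uid" -eq 0 ]; then
        echo "/etc/puppet /var/lib/puppet"
    else
        echo "$home/.puppet $home/.puppet/var"
    fi
}

# Check that the calling user can list the CSR directory under a confdir.
# Returns 0 if usable, 1 if the directory is missing,
# 2 if it exists but is not readable and searchable by this user.
check_csr_dir() {
    dir="$1/ssl/ca/requests"   # assumption: ssldir is $confdir/ssl, as in the thread
    if [ ! -d "$dir" ]; then
        echo "missing: $dir" >&2
        return 1
    fi
    if [ ! -r "$dir" ] || [ ! -x "$dir" ]; then
        echo "no read/search access: $dir" >&2
        return 2
    fi
    return 0
}

# Count pending requests the way the quoted search method selects them: *.pem files.
count_pending() {
    n=0
    for f in "$1"/ssl/ca/requests/*.pem; do
        if [ -e "$f" ]; then n=$((n + 1)); fi
    done
    echo "$n"
}

# Typical use before running the command from the reply as the delegated user:
#   check_csr_dir /etc/puppet && puppet cert list --confdir /etc/puppet --vardir /var/lib/puppet
```

A return code of 2 from `check_csr_dir` points at the file permission problem the reply warns about, rather than at the confdir selection.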
