Operating System: Oracle Linux 6.5
Puppet version:  Open Source Puppet 3.7.4 (installed via gems)
Ruby version: 2.1.0 (locally built package)
Apache version:  2.2.15
Passenger version:  5.0.4

I apologise in advance if this post sounds confused and wanders all over; 
it mirrors its author in that respect.

I'm just getting started with puppet.  I've got a small 5-node playground 
set up to play with.  I set it up using the "Installing Puppet: From Gems" 
instructions (since I wanted to use a newer version of ruby than the 1.8.7 
that Oracle Linux comes with), and I thought everything was going great, 
getting it running under apache/passenger and everything.  Then I realized 
I'd forgotten to install the auth.conf file the last time I rebuilt the 
puppet directories.  As soon as I installed that file and restarted httpd, 
my agents stopped being able to talk to the server, getting an Error 403 
Forbidden for every access.

The errors, listed here, indicate that the server is recognizing that the 
client is authenticated, so apparently it's just not recognizing the URLs 
being accessed:

Warning: Error 403 on SERVER: Forbidden request: 
rac03n01-dc2.dc2.responsys.com(...) access to 
/node/rac03n01-dc2.dc2.responsys.com [find] authenticated  at :123
Error: /File[/var/lib/puppet/facts.d]: Failed to generate additional 
resources using 'eval_generate': Error 403 on SERVER: Forbidden request: 
rac03n01-dc2.dc2.responsys.com(...) access to /file_metadata/pluginfacts 
[search] authenticated  at :123
Error: /File[/var/lib/puppet/facts.d]: Could not evaluate: Could not 
retrieve file metadata for puppet://puppet/pluginfacts: Error 403 on 
SERVER: Forbidden request: rac03n01-dc2.dc2.responsys.com(...) access to 
/file_metadata/pluginfacts [find] authenticated  at :123
Error 403 on SERVER: Forbidden request: rac03n01-dc2.dc2.responsys.com(...) 
access to /file_metadata/pluginfacts [find] authenticated  at :123
Error: /File[/var/lib/puppet/lib]: Failed to generate additional resources 
using 'eval_generate': Error 403 on SERVER: Forbidden request: 
rac03n01-dc2.dc2.responsys.com(...) access to /file_metadata/plugins 
[search] authenticated  at :123
Error: /File[/var/lib/puppet/lib]: Could not evaluate: Could not retrieve 
file metadata for puppet://puppet/plugins: Error 403 on SERVER: Forbidden 
request: rac03n01-dc2.dc2.responsys.com(...) access to 
/file_metadata/plugins [find] authenticated  at :123
Error 403 on SERVER: Forbidden request: rac03n01-dc2.dc2.responsys.com(...) 
access to /file_metadata/plugins [find] authenticated  at :123
Error: Could not retrieve catalog from remote server: Error 403 on SERVER: 
Forbidden request: rac03n01-dc2.dc2.responsys.com(...) access to 
/catalog/rac03n01-dc2.dc2.responsys.com [find] authenticated  at :123
Error: Could not send report: Error 403 on SERVER: Forbidden request: 
rac03n01-dc2.dc2.responsys.com(...) access to 
/report/rac03n01-dc2.dc2.responsys.com [save] authenticated  at :123


I noticed that the URLs listed (/node/..., /catalog/..., /report/..., and 
/file_metadata/...) are not listed in the auth.conf at all, but are being 
"inserted" by the puppet master:

Mar 13 16:43:06 ... puppet-master[13013]: Inserting default '~ 
^/catalog/([^/]+)$' (auth true) ACL
Mar 13 16:43:06 ... puppet-master[13013]: Inserting default '~ 
^/node/([^/]+)$' (auth true) ACL
Mar 13 16:43:06 ... puppet-master[13013]: Inserting default '/file' (auth ) 
ACL
Mar 13 16:43:06 ... puppet-master[13013]: Inserting default 
'/certificate_revocation_list/ca' (auth true) ACL
Mar 13 16:43:06 ... puppet-master[13013]: Inserting default '~ 
^/report/([^/]+)$' (auth true) ACL
Mar 13 16:43:06 ... puppet-master[13013]: Inserting default 
'/certificate/ca' (auth any) ACL
Mar 13 16:43:06 ... puppet-master[13013]: Inserting default '/certificate/' 
(auth any) ACL
Mar 13 16:43:06 ... puppet-master[13013]: Inserting default 
'/certificate_request' (auth any) ACL
Mar 13 16:43:06 ... puppet-master[13013]: Inserting default '/status' (auth 
true) ACL
Mar 13 16:43:06 ... puppet-master[13013]: Inserting default 
'/v2.0/environments' (auth true) ACL

However, apparently, the default deny-all ACL at the end of auth.conf (at 
line 123 as shown in the errors above) is preventing those default ACLs 
from taking effect.

Once I commented out the default deny-all ACL at the end of auth.conf, my 
access started working again.

Am I reading the logs and auth.conf file correctly in my conclusion that 
the default deny-all ACL is preventing the puppet-inserted ACLs from taking 
effect, or am I misconfigured somewhere else?


Thanks in advance,
- Johnson Earls

-- 
To view this discussion on the web visit 
https://groups.google.com/d/msgid/puppet-users/a2c876de-e57f-4888-aa26-70e43336ed39%40googlegroups.com.
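Added example, not code from the original post or from Puppet itself: a toy Ruby model of auth.conf's first-match evaluation, used to reproduce the situation described in the post. Rules are tried top to bottom, the first rule whose path (and method and auth requirement) matches decides the request, and an empty allow list or no matching rule at all is a deny. It assumes, as the post's logs suggest, that the master appends its "Inserting default ..." ACLs after the rules parsed from the file; the auth.conf text, the node names and the request hashes below are constructed for the example.

```ruby
# Toy model of auth.conf evaluation (added example; not Puppet's own code).

Rule = Struct.new(:path, :methods, :auth, :allow) do
  # Literal paths match by prefix (so "/file" also covers "/file_metadata/...");
  # regex paths ("path ~ ...") match the whole path expression.
  def matches?(req)
    hit = path.is_a?(Regexp) ? path.match(req[:path]) : req[:path].start_with?(path)
    return false unless hit
    return false unless methods.nil? || methods.include?(req[:method])
    auth == :any || req[:authenticated] # "auth yes" rules need a client cert
  end

  # "allow *" permits everyone; "allow $1" permits only the node whose certname
  # equals the first capture group of a regex path (the stock catalog/node/report rules).
  def permits?(req)
    allow.any? do |a|
      case a
      when '*'  then true
      when '$1' then path.is_a?(Regexp) && path.match(req[:path])[1] == req[:name]
      else a == req[:name]
      end
    end
  end
end

# Minimal parser for the stanza syntax used in auth.conf (path/method/auth/allow).
def parse_auth_conf(text)
  rules = []
  text.each_line do |raw|
    line = raw.sub(/#.*/, '').strip
    next if line.empty?
    key, value = line.split(/\s+/, 2)
    case key
    when 'path'
      rules << Rule.new(value.start_with?('~ ') ? Regexp.new(value[2..-1]) : value, nil, :yes, [])
    when 'method' then rules.last.methods = value.split(/\s*,\s*/)
    when 'auth'   then rules.last.auth = (value == 'any' ? :any : :yes)
    when 'allow'  then rules.last.allow.concat(value.split(/\s*,\s*/))
    end
  end
  rules
end

# First match wins. Returns [:allow or :deny, the deciding rule's path].
def authorize(rules, req)
  rule = rules.find { |r| r.matches?(req) }
  return [:deny, 'no matching rule'] unless rule
  label = rule.path.is_a?(Regexp) ? rule.path.source : rule.path
  [rule.permits?(req) ? :allow : :deny, label]
end

# Constructed auth.conf ending in the stock "deny everything else" catch-all
# (the post's line 123). It deliberately omits the catalog/node/report rules.
CONF_WITH_CATCHALL = <<~CONF
  path /file
  allow *

  # this one shows the default policy: deny everything else
  path /
  auth any
CONF

# The same file with the catch-all commented out, as the poster did.
CONF_WITHOUT_CATCHALL = CONF_WITH_CATCHALL.sub(/^path \/\nauth any\n/, '')

# The rules the master logs as "Inserting default ..." when they are absent from
# the file. Assumption for this model: they are appended after the file's rules.
INSERTED_DEFAULTS = <<~CONF
  path ~ ^/catalog/([^/]+)$
  method find
  allow $1

  path ~ ^/node/([^/]+)$
  method find
  allow $1

  path ~ ^/report/([^/]+)$
  method save
  allow $1
CONF

def decide(conf_text, req)
  authorize(parse_auth_conf(conf_text) + parse_auth_conf(INSERTED_DEFAULTS), req)
end

# Constructed requests: the post's node fetching its own catalog and plugin
# metadata, plus another authenticated node asking for this node's catalog.
NODE = 'rac03n01-dc2.dc2.responsys.com'
CATALOG_REQ  = { path: "/catalog/#{NODE}", method: 'find', name: NODE, authenticated: true }
METADATA_REQ = { path: '/file_metadata/pluginfacts', method: 'find', name: NODE, authenticated: true }
OTHER_NODE_REQ = CATALOG_REQ.merge(name: 'other.dc2.responsys.com')

if __FILE__ == $PROGRAM_NAME
  puts "catalog, catch-all present:  #{decide(CONF_WITH_CATCHALL, CATALOG_REQ).inspect}"
  puts "catalog, catch-all removed:  #{decide(CONF_WITHOUT_CATCHALL, CATALOG_REQ).inspect}"
  puts "file_metadata via /file:     #{decide(CONF_WITH_CATCHALL, METADATA_REQ).inspect}"
  puts "other node's catalog:        #{decide(CONF_WITHOUT_CATCHALL, OTHER_NODE_REQ).inspect}"
end
```

With the catch-all in place, the appended `^/catalog/...` default is never reached because `path /` matches first and its empty allow list denies; without it, the default's `allow $1` admits the node to its own catalog while still refusing another node's request for it. Since a request that matches no rule is denied anyway, the trailing `path /` stanza adds no protection in this model; it only shadows whatever is inserted after it.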