On Fri, Jul 17, 2020 at 7:41 AM Peter Krawetzky <pkrawet...@gmail.com>
wrote:

> Ok I figured out the curl command but I get this error:
>
> [root@mypuppetserver private_keys]# curl -v --header "Content-Type:
> application/json" --cert
> /etc/puppetlabs/puppet/ssl/certs/mypuppetserver.mydomain.com.pem
> --key
> /etc/puppetlabs/puppet/ssl/private_keys/mypuppetserver.mydomain.com.pem
> --cacert
> /etc/puppetlabs/puppet/ssl/ca/ca_crt.pem -X DELETE
> https://mypuppetserver.mydomain.com:8140/puppet-admin-api/v1/environment-cache
> * About to connect() to mypuppetserver.mydomain.com port 8140 (#0)
> *   Trying xx.xx.xxx.xx...
> * Connected to mypuppetserver.mydomain.com (xx.xx.xxx.xx) port 8140 (#0)
> * Initializing NSS with certpath: sql:/etc/pki/nssdb
> *   CAfile: /etc/puppetlabs/puppet/ssl/ca/ca_crt.pem
>   CApath: none
> * NSS: client certificate from file
> *       subject: CN=mypuppetserver.mydomain.com
> *       start date: Aug 14 15:32:34 2018 GMT
> *       expire date: Aug 14 15:32:34 2023 GMT
> *       common name: mypuppetserver.mydomain.com
> *       issuer: CN=Puppet CA: mypuppetcaserver.mydomain.com
> * SSL connection using TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
> * Server certificate:
> *       subject: CN=mypuppetserver.mydomain.com
> *       start date: Aug 14 15:32:34 2018 GMT
> *       expire date: Aug 14 15:32:34 2023 GMT
> *       common name: mypuppetserver.mydomain.com
> *       issuer: CN=Puppet CA: mypuppetcaserver.mydomain.com
> > DELETE /puppet-admin-api/v1/environment-cache HTTP/1.1
> > User-Agent: curl/7.29.0
> > Host: mypuppetserver.mydomain.com:8140
> > Accept: */*
> > Content-Type: application/json
> >
> < HTTP/1.1 403 Forbidden
> < Date: Fri, 17 Jul 2020 13:41:37 GMT
> < Content-Length: 115
> < Server: Jetty(9.4.z-SNAPSHOT)
> <
> * Connection #0 to host mypuppetserver.mydomain.com left intact
> Forbidden request: /puppet-admin-api/v1/environment-cache (method
> :delete). Please see the server logs for details.[root@mypuppetserver
> private_keys]#
>
> *puppetserver.log entries*:
> 2020-07-17 09:07:45,577 ERROR [qtp2067827614-66] [p.t.a.rules] Forbidden
> request: 0:0:0:0:0:0:0:1 access to /puppet-admin-api/v1/environment-cache
> (method :delete) (authenticated: false) denied by rule 'puppetlabs deny
> all'.
> 2020-07-17 09:07:45,585 ERROR [qtp2067827614-65] [p.t.a.rules] Forbidden
> request: 0:0:0:0:0:0:0:1 access to /puppet-admin-api/v1/environment-cache
> (method :delete) (authenticated: false) denied by rule 'puppetlabs deny
> all'.
> 2020-07-17 09:12:02,951 ERROR [qtp2067827614-63] [p.t.a.rules] Forbidden
> request: xx.xx.xxx.xx access to /puppet-admin-api/v1/environment-cache
> (method :delete) (authenticated: false) denied by rule 'puppetlabs deny
> all'.
> 2020-07-17 09:17:29,677 ERROR [qtp2067827614-61] [p.t.a.rules] Forbidden
> request: xx.xx.xxx.xx access to /puppet-admin-api/v1/environment-cache
> (method :delete) (authenticated: false) denied by rule 'puppetlabs deny
> all'.
> 2020-07-17 09:41:37,401 ERROR [qtp2067827614-63] [p.t.a.rules] Forbidden
> request: mypuppetserver.mydomain.com(xx.xx.xxx.xx) access to
> /puppet-admin-api/v1/environment-cache (method :delete) (authenticated:
> true) denied by rule 'puppetlabs deny all'.
>

This is from our auth subsystem which is configured at
/etc/puppetlabs/puppetserver/conf.d/auth.conf

It means there was no explicit auth rule for
"/puppet-admin-api/v1/environment-cache" so the default "deny all" rule was
applied.

You can create a rule in that auth.conf file, it will look something like:
https://github.com/puppetlabs/puppetserver/blob/master/ezbake/config/conf.d/auth.conf#L110-L119
The above rule allows any GET request to any url matching
"<server>:<port>/puppet/v3/environments*" by a requester presenting a
certificate trusted by the Puppet CA and names that rule "puppetlabs
environments" for logging purposes. Copy-pasting that and substituting
"/puppet-admin-api/v1/environment-cache" for the path, giving it a
different name, and a method of "delete" should work. If not (or you want
to do something different than allow any node to evict the cache) you can
see the complete docs on auth rules here:
https://github.com/puppetlabs/trapperkeeper-authorization/blob/master/doc/authorization-config.md#rules

You also might want to confirm that you have an environment_timeout set to
something troublesome too. You should be able to run `puppet config
--section master --environment <foo> print environment_timeout` to see the
environment_timeout for the foo environment.

HTH,
Justin
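What the rule Justin describes looks like once it is written out, as an added example that is not part of the original thread and not the auth.conf shipped with Puppet Server. It assumes the server's certname from the curl command above (mypuppetserver.mydomain.com) and a hypothetical rule name. Note that the quoted log shows two different failures: the loopback attempts were "authenticated: false" (no client certificate was presented, and allow-unauthenticated is false by default, so no allow rule would have matched them), while the final attempt was "authenticated: true" and failed only because no rule other than "puppetlabs deny all" matched the path; only that second case is what this rule fixes.

```hocon
# /etc/puppetlabs/puppetserver/conf.d/auth.conf  (added example, not the shipped file)
authorization: {
    version: 1
    rules: [
        # ... the existing rules, including "puppetlabs environments" and the
        # final "puppetlabs deny all" catch-all, stay exactly as they are ...

        # Permit a client presenting a certificate signed by the Puppet CA to
        # evict the environment cache on this server.
        {
            match-request: {
                path: "/puppet-admin-api/v1/environment-cache"
                type: path
                method: delete
            }
            # allow: "*" would let every agent node flush the cache. Listing the
            # certname(s) that should be able to do it is the tighter choice;
            # allow accepts a single string or an array of certnames.
            allow: "mypuppetserver.mydomain.com"
            sort-order: 500
            # Assumed name; it only shows up in puppetserver.log, as in the
            # "denied by rule 'puppetlabs deny all'" lines above.
            name: "environment cache eviction"
        }
    ]
}
```

The rule must sit inside the existing `rules` array, before the deny-all entry, rather than as a second `authorization` block. auth.conf is read when the service starts, so restart puppetserver after editing and then re-run the curl command; a matching `allow` entry shows up in puppetserver.log as the request being allowed by the rule name given here instead of being denied by 'puppetlabs deny all'.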

-- 
> You received this message because you are subscribed to the Google Groups
> "Puppet Users" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to puppet-users+unsubscr...@googlegroups.com.
> To view this discussion on the web visit
> https://groups.google.com/d/msgid/puppet-users/173aa581-ddde-4e2a-aa46-b9666f93e844o%40googlegroups.com
> <https://groups.google.com/d/msgid/puppet-users/173aa581-ddde-4e2a-aa46-b9666f93e844o%40googlegroups.com?utm_medium=email&utm_source=footer>
> .
>

To view this discussion on the web visit 
https://groups.google.com/d/msgid/puppet-users/CA%2B%3DBEqXyGWFd9X5W9OAvv7T_5H5LLVDD4rU9SNg6NWNfq_vkiw%40mail.gmail.com.