puppet 3.7.4 using auth.conf file from github - "default" acl at end apparently preventing access?


Johnson Earls

Mar 13, 2015, 8:14:32 PM3/13/15
to puppet...@googlegroups.com
Operating System: Oracle Linux 6.5
Puppet version:  Open Source Puppet 3.7.4 (installed via gems)
Ruby version: 2.1.0 (locally built package)
Apache version:  2.2.15
Passenger version:  5.0.4

I apologise in advance if this post sounds confused and wanders all over; it mirrors its author in that respect.

I'm just getting started with puppet.  I've got a small 5-node playground set up to play with.  I set it up using the "Installing Puppet: From Gems" instructions (since I wanted to use a newer version of ruby than the 1.8.7 that Oracle Linux comes with), and I thought everything was going great, getting it running under apache/passenger and everything.  Then I realized I'd forgotten to install the auth.conf file the last time I rebuilt the puppet directories.  As soon as I installed that file and restarted httpd, my agents stopped being able to talk to the server, getting an Error 403 Forbidden for every access.

The errors, listed here, indicate that the server is recognizing that the client is authenticated, so apparently it's just not recognizing the URLs being accessed:

Warning: Error 403 on SERVER: Forbidden request: rac03n01-dc2.dc2.responsys.com(...) access to /node/rac03n01-dc2.dc2.responsys.com [find] authenticated  at :123
Error: /File[/var/lib/puppet/facts.d]: Failed to generate additional resources using 'eval_generate': Error 403 on SERVER: Forbidden request: rac03n01-dc2.dc2.responsys.com(...) access to /file_metadata/pluginfacts [search] authenticated  at :123
Error: /File[/var/lib/puppet/facts.d]: Could not evaluate: Could not retrieve file metadata for puppet://puppet/pluginfacts: Error 403 on SERVER: Forbidden request: rac03n01-dc2.dc2.responsys.com(...) access to /file_metadata/pluginfacts [find] authenticated  at :123
Error 403 on SERVER: Forbidden request: rac03n01-dc2.dc2.responsys.com(...) access to /file_metadata/pluginfacts [find] authenticated  at :123
Error: /File[/var/lib/puppet/lib]: Failed to generate additional resources using 'eval_generate': Error 403 on SERVER: Forbidden request: rac03n01-dc2.dc2.responsys.com(...) access to /file_metadata/plugins [search] authenticated  at :123
Error: /File[/var/lib/puppet/lib]: Could not evaluate: Could not retrieve file metadata for puppet://puppet/plugins: Error 403 on SERVER: Forbidden request: rac03n01-dc2.dc2.responsys.com(...) access to /file_metadata/plugins [find] authenticated  at :123
Error 403 on SERVER: Forbidden request: rac03n01-dc2.dc2.responsys.com(...) access to /file_metadata/plugins [find] authenticated  at :123
Error: Could not retrieve catalog from remote server: Error 403 on SERVER: Forbidden request: rac03n01-dc2.dc2.responsys.com(...) access to /catalog/rac03n01-dc2.dc2.responsys.com [find] authenticated  at :123
Error: Could not send report: Error 403 on SERVER: Forbidden request: rac03n01-dc2.dc2.responsys.com(...) access to /report/rac03n01-dc2.dc2.responsys.com [save] authenticated  at :123


I noticed that the URLs listed (/node/..., /catalog/..., /report/..., and /file_metadata/...) are not listed in the auth.conf at all, but are being "inserted" by the puppet master:

Mar 13 16:43:06 ... puppet-master[13013]: Inserting default '~ ^/catalog/([^/]+)$' (auth true) ACL
Mar 13 16:43:06 ... puppet-master[13013]: Inserting default '~ ^/node/([^/]+)$' (auth true) ACL
Mar 13 16:43:06 ... puppet-master[13013]: Inserting default '/file' (auth ) ACL
Mar 13 16:43:06 ... puppet-master[13013]: Inserting default '/certificate_revocation_list/ca' (auth true) ACL
Mar 13 16:43:06 ... puppet-master[13013]: Inserting default '~ ^/report/([^/]+)$' (auth true) ACL
Mar 13 16:43:06 ... puppet-master[13013]: Inserting default '/certificate/ca' (auth any) ACL
Mar 13 16:43:06 ... puppet-master[13013]: Inserting default '/certificate/' (auth any) ACL
Mar 13 16:43:06 ... puppet-master[13013]: Inserting default '/certificate_request' (auth any) ACL
Mar 13 16:43:06 ... puppet-master[13013]: Inserting default '/status' (auth true) ACL
Mar 13 16:43:06 ... puppet-master[13013]: Inserting default '/v2.0/environments' (auth true) ACL

However, apparently, the default deny-all ACL at the end of auth.conf (at line 123 as shown in the errors above) is preventing those default ACLs from taking effect.

Once I commented out the default deny-all ACL at the end of auth.conf, my access started working again.

Am I reading the logs and auth.conf file correctly in my conclusion that the default deny-all ACL is preventing the puppet-inserted ACLs from taking effect, or am I misconfigured somewhere else?


Thanks in advance,
- Johnson Earls
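To make the ordering question concrete, the following is a small Python model of the first-match ACL evaluation the post describes. It is an added example, not Puppet's own code: the `Acl` class, `authorize`, `master_acls` and `demo` are constructed here, the default rules mirror the "Inserting default ... ACL" log lines above (their `allow $1` and method values are assumed from Puppet 3 conventions), and the trailing `path /` rule stands in for the deny-all at auth.conf line 123. Real Puppet also skips a default when the file already covers that path; this model simply appends the defaults after the file's rules, which is the part that matters for the shadowing.

```python
"""Simplified model of Puppet 3 auth.conf evaluation (constructed example, not Puppet's code).

Rules are consulted in order. The first rule whose path matches the request and whose
auth/method restrictions fit the request decides, using its allow list. The master appends
its built-in default ACLs *after* the rules read from auth.conf, so a catch-all "path /"
rule at the end of the file is reached before any of the appended defaults.
"""
import re
from dataclasses import dataclass


@dataclass
class Acl:
    path: str                 # literal prefix, or a regular expression when regex=True
    regex: bool = False
    auth: str = "yes"         # "yes" (authenticated only), "no" (unauthenticated only), "any"
    allow: tuple = ()         # hostnames, "*" for everyone, "$N" for the N-th regex capture
    methods: tuple = ()       # empty tuple means the rule applies to every method
    source: str = ""          # where the rule came from; reported with the decision

    def match(self, url):
        if self.regex:
            return re.match(self.path, url)
        return url.startswith(self.path)   # literal paths are prefix matches


def _expand(entry, acl, m):
    """Replace a $N allow entry with the N-th capture of the matched regex path."""
    if acl.regex and entry.startswith("$"):
        return m.group(int(entry[1:]))
    return entry


def authorize(acls, url, node, method, authenticated):
    """Return (allowed, source) from the first ACL that claims the request, or (False, None)."""
    for acl in acls:
        m = acl.match(url)
        if not m:
            continue
        if acl.methods and method not in acl.methods:
            continue                       # rule does not speak for this method; keep looking
        if acl.auth == "yes" and not authenticated:
            continue
        if acl.auth == "no" and authenticated:
            continue
        allowed = any(_expand(entry, acl, m) in ("*", node) for entry in acl.allow)
        return allowed, acl.source
    return False, None                     # nothing matched: deny by default


# Defaults mirroring the log lines above (allow lists and methods are assumed values).
DEFAULT_ACLS = [
    Acl(r"^/catalog/([^/]+)$", regex=True, allow=("$1",), methods=("find",), source="default catalog"),
    Acl(r"^/node/([^/]+)$", regex=True, allow=("$1",), methods=("find",), source="default node"),
    Acl(r"^/report/([^/]+)$", regex=True, allow=("$1",), methods=("save",), source="default report"),
]

# Stand-in for the trailing deny-all rule: "path /", "auth any", and no allow list.
DENY_ALL = Acl("/", auth="any", allow=(), source="auth.conf:123")


def master_acls(file_acls):
    """The master consults the file's rules first and appends its defaults after them."""
    return list(file_acls) + DEFAULT_ACLS


def demo():
    """Constructed requests: the same catalog fetch with and without the catch-all rule."""
    node = "rac03n01-dc2.dc2.responsys.com"
    with_catchall = master_acls([DENY_ALL])
    without_catchall = master_acls([])
    return {
        "with": authorize(with_catchall, f"/catalog/{node}", node, "find", True),
        "without": authorize(without_catchall, f"/catalog/{node}", node, "find", True),
        # the default is not a blanket allow: another node's catalog is still refused
        "other_node": authorize(without_catchall, "/catalog/other.example", node, "find", True),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

With the catch-all present, every request is decided by the rule at `auth.conf:123` and refused, which is exactly the `at :123` suffix in the 403 messages; with it removed, the appended default for `/catalog/` decides and allows only the node whose name is in the URL.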

Matt W

Mar 17, 2015, 11:15:11 AM3/17/15
to puppet...@googlegroups.com
Has anyone else come up with a solution for this? We just booted a new puppet master for the first time in a few weeks and it came up with Passenger 5 (we were on 4.0.69) -- and failed. For the time being we've patched our code to use an updated repo location with Passenger 4.x, but we'd like to be able to use 5. We are seeing the exact same behavior. Puppet 3.7.4 (installed via debian packages), Ubuntu 12.04.

Johnson Earls

Apr 15, 2015, 7:24:29 PM4/15/15
to puppet...@googlegroups.com
I think the problem is that the Puppet page that says to "download the default auth.conf" from github is pointing to the latest version, which only works with Puppet 4.x.