Problem configuring inventory search in puppet-dashboard


Jesus Roncero

Feb 10, 2014, 2:53:36 PM
to puppet...@googlegroups.com
Hi all,

I have a problem trying to configure puppet-dashboard when using the inventory
search, and I'm running out of ideas.

I have configured puppet-dashboard to run under Apache Passenger, following
the instructions at
http://docs.puppetlabs.com/dashboard/manual/1.2/configuring.html

I have created the certificates as per the instructions and configured
auth.conf such that it has:
-----------------
path /facts
auth yes
method find, search
allow dashboard
-----------------

However, if I try to search the inventory, I get an access denied error. If I change
the auth.conf file to allow everything, then everything works.

I believe it's because puppet-passenger is not sending the right certificate
when it's connecting to the master, and then it gets denied. This is what I
get running puppet master in debug mode:

...
info: access[/certificate_request]: allowing * access
info: access[/facts]: adding authentication yes
info: access[/facts]: allowing 'method' find
info: access[/facts]: allowing 'method' search
info: access[/facts]: allowing internalname.int access
info: access[/facts]: allowing puppet-dashboard access
info: access[/facts]: allowing dashboard access
info: access[/facts]: allowing 10.0.1.114 access
info: access[/]: adding authentication any
info: Inserting default '/status' (auth true) ACL because none were found in '/etc/puppet/auth.conf'
info: access[/]: defaulting to no access for internalname.int
warning: Denying access: Forbidden request: internalname.int(10.0.1.129) access to /facts/search [search] at /etc/puppet/auth.conf:107
err: Forbidden request: internalname.int(10.0.1.129) access to /facts/search [search] at /etc/puppet/auth.conf:107
...

internalname.int is the name the IP resolves to in /etc/hosts

So, it seems to me that all the puppetmaster sees is the request coming
from internal name and not from a certname called 'dashboard', which is what
it's configured with in /etc/puppet-dashboard/settings.yaml (the files in
/usr/share/puppet-dashboard/certs exist and are readable by www-data).

What makes me think that there's no cert being sent is that if I run:
openssl s_server -accept 8140
to see what certificate gets presented, none appear coming from
puppet-dashboard, whereas a normal puppet run does actually send a certificate
that openssl can see:

ACCEPT
ERROR
140723219195560:error:140890C7:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate:s3_srvr.c:3274:
shutting down SSL
CONNECTION CLOSED
ACCEPT

Any ideas what might be wrong here?

Thanks.

--
Jesús Roncero



Felix Frank

Apr 14, 2014, 1:31:34 PM
to puppet...@googlegroups.com
Hi,

I realize this is an old thread, but perhaps you're still searching for
a solution?

On 02/10/2014 03:53 PM, Jesus Roncero wrote:
> info: access[/facts]: allowing internalname.int access
> ...
> info: access[/]: adding authentication any

This looks as though /facts is granting access to the client with the
given certificate, but / is not granted. You may wish to amend your
auth.conf so that / too is viable.

I cannot give many further hints, seeing as I never installed or used
puppet dashboard. As I understand, it won't be supported much longer.

If you are looking for an alternative, perhaps Foreman or puppetboard
has what you need.

HTH,
Felix
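
Added example, not part of either post above: a small Python diagnostic that reads the master's debug output quoted in the thread and reports when a denied requester is named in the allow list of an `auth yes` ACL covering the requested path. That pattern is consistent with the request not being treated as authenticated, which is what the `openssl s_server` output in the first post suggests. The function names are hypothetical, the log lines are copied (abridged) from the thread, and prefix matching of `path` entries is an assumption of this simplified check.

```python
import re

# Log lines copied (abridged) from the debug output quoted in the thread.
SAMPLE_LOG = """\
info: access[/facts]: adding authentication yes
info: access[/facts]: allowing 'method' find
info: access[/facts]: allowing 'method' search
info: access[/facts]: allowing internalname.int access
info: access[/facts]: allowing dashboard access
info: access[/]: adding authentication any
info: access[/]: defaulting to no access for internalname.int
err: Forbidden request: internalname.int(10.0.1.129) access to /facts/search [search] at /etc/puppet/auth.conf:107
"""

ACL_AUTH = re.compile(r"access\[(?P<path>[^\]]+)\]: adding authentication (?P<auth>\w+)")
ACL_ALLOW = re.compile(r"access\[(?P<path>[^\]]+)\]: allowing (?P<name>[^' ]+) access")
DENIED = re.compile(r"err: Forbidden request: (?P<name>[^(]+)\((?P<ip>[^)]+)\) "
                    r"access to (?P<path>\S+) \[(?P<method>\w+)\] at (?P<file>[^:]+):(?P<line>\d+)")

def parse_acls(log):
    """Collect the auth mode and allowed names per ACL path from the debug log."""
    acls = {}
    for line in log.splitlines():
        if m := ACL_AUTH.search(line):
            acls.setdefault(m["path"], {"auth": None, "allow": set()})["auth"] = m["auth"]
        elif m := ACL_ALLOW.search(line):
            acls.setdefault(m["path"], {"auth": None, "allow": set()})["allow"].add(m["name"])
    return acls

def explain_denials(log):
    """For each denial, list 'auth yes' ACLs that name the requester yet did not grant access."""
    acls = parse_acls(log)
    findings = []
    for m in DENIED.finditer(log):
        # Assumption: a plain 'path' entry covers every URL that starts with it.
        named = sorted(p for p, a in acls.items()
                       if p != "/" and m["path"].startswith(p)
                       and m["name"] in a["allow"] and a["auth"] == "yes")
        findings.append({"name": m["name"], "ip": m["ip"], "path": m["path"],
                         "rule_line": int(m["line"]), "allowed_but_auth_yes": named})
    return findings

if __name__ == "__main__":
    for f in explain_denials(SAMPLE_LOG):
        print(f"{f['name']} denied on {f['path']} at rule line {f['rule_line']}; "
              f"named in auth-yes ACLs: {f['allowed_but_auth_yes']}")
```

A non-empty `allowed_but_auth_yes` list means the name-based allow entry was present but did not apply, so the next thing to check is whether the client presented a certificate at all.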